
Re: [debian-devel] Re: [debian-devel] Re: SSP for Debian unstable. was Re: security enhanced debian branch?



My mail client believes that Russell Coker wrote the following:
> On Mon, 5 Jan 2004 06:42, Magosányi Árpád <mag@bunuel.tii.matav.hu> wrote:
> > (like the "symlink add RC role" feature
> >  of rsbac. BTW how to achieve this with selinux?)
> 
> What is this "symlink add RC role" feature?

You can add a flag called "symlink add RC role" to symlinks.
Each such symlink adds the role number of the calling process
to the target.
For example on my notebook machine I have this flag on /tmp and /home/mag.
(They are both symlinks)
This way I have different home and temporary directories based
on the role I have at the moment. If I run my browser in "public"
role, it has no way to access my "confidential" files, but still
has an environment which looks ordinary: home and /tmp are writable.
Also my public web browser shares no local configuration (cookies,
passwords, etc) with the web browser I am using for work purposes.
With this you can achieve the same effects as moldy directories
in commercial trusted unixen, but it is more elegant.

Another use: I have a slightly hacked ssmtp, with an Addheader
directive. (See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=223329)
-----------
~ls -l /etc/ssmtp/ssmtp.conf
lrwxrwxrwx    1 root     root           11 2003-12-08 19:25
/etc/ssmtp/ssmtp.conf -> ssmtp.conf_12
-----------
The symlink actually points to "ssmtp.conf_", and has the bit set.
-----------
~grep AddHeader /etc/ssmtp/ssmtp.conf_*
/etc/ssmtp/ssmtp.conf_:AddHeader=X-security-level: nolevel
/etc/ssmtp/ssmtp.conf_10:AddHeader=X-security-level: system
/etc/ssmtp/ssmtp.conf_11:AddHeader=X-security-level: public
/etc/ssmtp/ssmtp.conf_12:AddHeader=X-security-level: unclassified
/etc/ssmtp/ssmtp.conf_13:AddHeader=X-security-level: secret/work
/etc/ssmtp/ssmtp.conf_14:AddHeader=X-security-level: secret/private
-----------


-- 
GNU GPL: only from a pure source
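To make the mechanism described above concrete, here is an added user-space model of the "symlink add RC role" behaviour (example code written for this page, not RSBAC's own implementation). It builds a small tree in a temporary directory with a flagged `home -> home_` link and a flagged `ssmtp.conf -> ssmtp.conf_` link, then resolves them by appending the calling role's number to the stored target before following it. The role numbers 11 (public) and 13 (secret/work) and the `AddHeader` values are taken from the `ssmtp.conf_<N>` listing in the post; the `flagged` set standing in for the per-symlink RSBAC flag, and the function names, are assumptions of this example.

```python
import os
import tempfile

# Constructed role numbers; the suffixes mirror the ssmtp.conf_<N> names in the post.
ROLE_PUBLIC = 11
ROLE_WORK = 13

# Header values taken from the post's grep output, keyed by role (constructed mapping).
HEADERS = {ROLE_PUBLIC: "X-security-level: public",
           ROLE_WORK: "X-security-level: secret/work"}


def resolve(link_path, role, flagged):
    """Follow one symlink the way a process in `role` would under the flag.

    An unflagged symlink is followed as-is. For a symlink in `flagged` (the
    user-space stand-in for the RSBAC flag) the role number is appended to the
    stored target first, so a link 'home -> home_' is followed to 'home_11' by a
    process in role 11 and to 'home_13' by a process in role 13.
    """
    target = os.readlink(link_path)
    if link_path in flagged:
        target += str(role)
    if not os.path.isabs(target):
        target = os.path.join(os.path.dirname(link_path), target)
    return os.path.normpath(target)


def read_as_role(link_path, name, role, flagged):
    """Read `name` inside the directory reached through `link_path` as `role`.

    Returns the content, or None when that role's view has no such file.
    """
    try:
        with open(os.path.join(resolve(link_path, role, flagged), name)) as f:
            return f.read()
    except FileNotFoundError:
        return None


def add_header_for_role(conf_link, role, flagged):
    """Return the AddHeader value a process in `role` reads via the ssmtp.conf link."""
    with open(resolve(conf_link, role, flagged)) as f:
        for line in f:
            if line.startswith("AddHeader="):
                return line[len("AddHeader="):].strip()
    return None


def build_demo(root):
    """Create per-role homes and ssmtp configs under `root`, plus the flagged links."""
    flagged = set()
    # Per-role home directories: only the work role's home holds a confidential file.
    for role in (ROLE_PUBLIC, ROLE_WORK):
        os.makedirs(os.path.join(root, f"home_{role}"))
    with open(os.path.join(root, f"home_{ROLE_WORK}", "notes.txt"), "w") as f:
        f.write("confidential notes")
    home_link = os.path.join(root, "home")
    os.symlink("home_", home_link)          # bare prefix as target, like ssmtp.conf_
    flagged.add(home_link)
    # Per-role ssmtp configs, one AddHeader line each, behind a flagged link.
    etc = os.path.join(root, "etc", "ssmtp")
    os.makedirs(etc)
    for role, header in HEADERS.items():
        with open(os.path.join(etc, f"ssmtp.conf_{role}"), "w") as f:
            f.write(f"AddHeader={header}\n")
    conf_link = os.path.join(etc, "ssmtp.conf")
    os.symlink("ssmtp.conf_", conf_link)
    flagged.add(conf_link)
    return home_link, conf_link, flagged


def demo():
    """Build the tree in a temp dir and report what each role sees through the links."""
    with tempfile.TemporaryDirectory() as root:
        home, conf, flagged = build_demo(root)
        return {
            "work_home": os.path.basename(resolve(home, ROLE_WORK, flagged)),
            "public_home": os.path.basename(resolve(home, ROLE_PUBLIC, flagged)),
            "work_sees": read_as_role(home, "notes.txt", ROLE_WORK, flagged),
            "public_sees": read_as_role(home, "notes.txt", ROLE_PUBLIC, flagged),
            "work_header": add_header_for_role(conf, ROLE_WORK, flagged),
            "public_header": add_header_for_role(conf, ROLE_PUBLIC, flagged),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes visible is that the public role and the work role walk the same path name but land in different directories, so a process confined to the public role never has a name through which the work role's file is reachable, and ssmtp in each role picks up its own `AddHeader` line without any per-role configuration in the program itself. On a real RSBAC system the appending happens in the kernel at path lookup, which is why the `ls -l` in the post already shows `ssmtp.conf_12`.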


