[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Start up scripts

Hello,

> > The Problems with Modules is that if you can install a module you can do
> > everything, including to circumvent the securelevel. Securelevel (and
> > perhaps POSIX priveleges) are an important thing on a firewall. Including
> > the secure linux patches (disable executable stack) and adding a group
> > for binding to priveledged ports.
> 
> Not sure I'm staying up with you on this paragraph.

Securelevel is a integer variable in the kernel. Syscalls to the kernel with
special functions (like loading modules, writing to immutable or append-only
files) will check this variable and DENY root the right to do it. This means
you can have files on your firewall where even root cant write or truncate
them. The call to modify the securelevel will protect itself against
modification from root (i.e. you can only add to the securelevel value). But
a module, or any piece of code can access the variable and set it to zero,
the kernel can't check that, since there is not multilevel security in the
kernel.

Greetings
Bernd
-- 
  (OO)      -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)       If privacy is outlawed only Outlaws have privacy


--
E-mail the word "unsubscribe" to debian-firewall-request@lists.debian.org
TO UNSUBSCRIBE FROM THIS MAILING LIST. Trouble?  E-mail to listmaster@debian.org .
Reply to: