
Re: Security issue? Daemon users has to much rights...



On Sun, 24 Oct 2004 19:24, Jan Lühr <jluehr@gmx.net> wrote:
> > Yes, and that is one of the core points in my suggestion that you look
> > at SELinux or a similar mandatory access control based security module.
>
> SELinux is overkill in some ways. A system administrator who is not able to
> handle ACLs won't be able to handle SELinux.

One of the problems with managing Unix access control is that there is no way 
of analysing the chain of operations.

Program A can execute program B which is SETGID, which then gives it access to 
execute program C which is SETUID (but not executable by the original GID), 
etc.  Analysing this would require an operation equivalent to find / to get 
the data and a tool which no-one has bothered writing to analyse it.

The SE Linux policy has an analysis tool which can follow chains of execution.  
If you are concerned about programs that can read /etc/shadow then you can 
search the policy to get a list of the domains that are permitted access to 
shadow_t.  Then you can get a list of types that are entry-points for those 
domains (e.g. the domain passwd_t has { read write } access to shadow_t and can 
be entered through type passwd_exec_t) and check which files are labelled 
with that type.  The code in those programs can then be audited for correct 
operation.  Also the number of domains which can execute passwd_exec_t files 
to enter the passwd_t domain is a small subset of the domains in the system.

The Unix permission system is very difficult to manage, and many security 
problems have occurred because of mistakes, misunderstandings, and oversights 
in manipulating it.  POSIX ACLs make things worse by having all the features 
of Unix permissions plus more complexity.  SE Linux is far easier to manage 
correctly.  Unix permissions are much easier to manipulate; this can be 
considered a good thing (ease of use) or a bad thing (ease of borking a 
system).


The problems which started this discussion are all already solved with the 
default SE Linux policy.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
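The chain analysis described in the message above (domains with access to shadow_t, their entry-point types, and which domains can execute those entry points to make the transition) is shown here as an added illustration. It is not part of the original message and not the setools (apol/sesearch) tooling the message refers to; it is a small parser for `allow` rules in the kernel policy language run over a constructed policy fragment. The rules, the `guest_t` and `staff_t` domains and the `bin_t` line are made up for the example; `passwd_t`, `passwd_exec_t`, `shadow_t` and `sshd_t` are taken from the message and from the well-known reference policy naming. A domain transition needs three things in the policy: the source domain may `execute` the file type, the file type is an `entrypoint` for the target domain, and the source domain has `transition` to the target domain; the analysis checks all three rather than only `entrypoint`.

```python
"""Follow the chain of access to a sensitive type through SELinux allow rules.

Added example (not code from the original message or from setools).  It parses
allow rules in the kernel policy language from a constructed fragment and answers:
  1. which domains may read/write the target type (e.g. shadow_t),
  2. which file types are entry points for each such domain,
  3. which domains can execute those entry points and transition into the domain.
"""
import re

# Constructed policy fragment.  Type names other than passwd_t, passwd_exec_t,
# shadow_t and sshd_t are invented for the example; this is not a real policy.
POLICY = """
allow passwd_t shadow_t:file { read write };
allow sshd_t shadow_t:file { read };
allow passwd_t passwd_exec_t:file entrypoint;
allow sshd_t sshd_exec_t:file entrypoint;
allow user_t passwd_exec_t:file { read execute };
allow user_t passwd_t:process transition;
allow staff_t passwd_exec_t:file { read execute };
allow staff_t passwd_t:process transition;
allow init_t sshd_exec_t:file { read execute };
allow init_t sshd_t:process transition;
# guest_t may execute passwd but has no transition rule, so it stays in guest_t
allow guest_t passwd_exec_t:file { read execute };
allow user_t bin_t:file { read execute };
"""

# allow <source> <target>:<class> <perm> ;   or   allow ... { perm perm } ;
ALLOW_RE = re.compile(
    r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;")


def parse_allow_rules(policy_text):
    """Return a list of (source, target, class, frozenset(perms)) tuples."""
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(policy_text):
        rules.append((src, tgt, cls, frozenset(perms.strip("{} ").split())))
    return rules


def domains_with_access(rules, target_type, wanted, cls="file"):
    """Domains granted any of the `wanted` permissions on target_type."""
    return {src for src, tgt, c, perms in rules
            if tgt == target_type and c == cls and perms & wanted}


def entrypoints(rules, domain):
    """File types through which `domain` can be entered."""
    return {tgt for src, tgt, c, perms in rules
            if src == domain and c == "file" and "entrypoint" in perms}


def domains_that_can_enter(rules, domain):
    """Domains that may execute an entry point of `domain` and transition to it."""
    entry_types = entrypoints(rules, domain)
    can_transition = {src for src, tgt, c, perms in rules
                      if tgt == domain and c == "process" and "transition" in perms}
    can_execute = {src for src, tgt, c, perms in rules
                   if tgt in entry_types and c == "file" and "execute" in perms}
    return can_transition & can_execute


def analyse_chain(policy_text, target_type, wanted=frozenset({"read", "write"})):
    """Map each domain with access to target_type to its entry points and callers."""
    rules = parse_allow_rules(policy_text)
    report = {}
    for dom in sorted(domains_with_access(rules, target_type, wanted)):
        report[dom] = {
            "entrypoints": sorted(entrypoints(rules, dom)),
            "entered_from": sorted(domains_that_can_enter(rules, dom)),
        }
    return report


if __name__ == "__main__":
    for dom, info in analyse_chain(POLICY, "shadow_t").items():
        print(f"{dom}: entry points {info['entrypoints']}, "
              f"entered from {info['entered_from']}")
```

On the constructed fragment the report lists passwd_t (entered from staff_t and user_t via passwd_exec_t) and sshd_t (entered from init_t via sshd_exec_t); guest_t is excluded because it lacks the process transition rule. The remaining step from the message, finding which files on disk carry the entry-point label, is a filesystem query (for example `find / -context '*:passwd_exec_t:*'` on a labelled system) rather than a policy query, so it is not modelled here.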