> > > - Making sysklogd and klogd immutable
> > ---
> > Das ok. With mount, I can just mount over the top of them, killoff current ones, restart my
> > new ones.
> You can't remount the root fs while running.
--- Don't need to -- "mount mybadsys:/mybadusr /usr". Now we have a new /usr/bin/syslogd and a new /usr/sbin/klogd.
> > CAP_MAC_OVERRIDE which wouldn't be set for userland daemons. > > > That means a userlevel thingy manages these thing. --- What is? MAC would be implemented in kernel and an attribute supporting filesystem (perhaps ext2a, perhaps ext3a, perhaps xfs). CAP's are handled by the kernel. You can put wrappers in place even in the *current* system that call each rc.script after first dropping unnecessary privileges. So no UID-0 daemon has the capability to do RAW-I/O or whatever. Each rc script or daemon could be configured with least privilege before running. Not as elegant, clean for flexible as file-based capabilities, but it *would* work.
>The 'chicken and egg' problem. --- Chicken and egg problem refers to the common perception of the non-determinability of which came first (the egg did: proof: egg contains all chromosones for new adult and is itself the mutation that meets definition of a chicken (which parent did not)).
There is no non-determinability here. Init sets initial luid. Run level scripts set initial CAPs. Only root on physical console gets full CAPs. If MAC and file-caps are in, management gets real easy/non-kludgy. Doesn't matter if you crack root password -- you need to be on the console. Doesn't matter if you get a root-shell through a daemon, the daemons wouldn't run with unnecessary caps and wouldn't run with a MAC label that allows them to modify system security files. For example, /etc/passwd is labeled with Sensitivity=00, Integrity=250. Everyone can read it, but only processes running with Int=250 can write to it. Default for 'root' is running at 'int=10' (say normal users run w/int=5). It doesn't matter what root-level process they came in on, none has privilege to write to /etc/passwd. /etc/shadow can be set with sens=250 and int=250. Same thing -- default root runs at sens=10. Only a login @ console can root log in and gain sens=250, int=250. Root ID daemons don't (they run at 5,5 or 5,0). Root deamons don't run with CAP_MAC_OVERRIDE -- again, console only function.
Such a security system really shuts down crackers fast -- they break in but have no privileges. The damage they can do is limited. They couldn't even write or read root's home directory even though they are UID==0. Major impediment.
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to firstname.lastname@example.org Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Mon May 15 2000 - 21:00:13 EST