Re: Future Linux devel. Kernels

From: Horst von Brand (vonbrand@inf.utfsm.cl)
Date: Tue May 09 2000 - 10:37:30 EST


[Filled for readability]

"Linda Walsh" <law@sgi.com> said:

[...]

> There is no non-determinability here. Init sets initial luid. Run
> level scripts set initial CAPs. Only root on physical console gets full
> CAPs. If MAC and file-caps are in, management gets real easy/non-kludgy.
> Doesn't matter if you crack root password -- you need to be on the
> console. Doesn't matter if you get a root-shell through a daemon, the
> daemons wouldn't run with unnecessary caps and wouldn't run with a MAC
> label that allows them to modify system security files. For example,
> /etc/passwd is labeled with Sensitivity=00, Integrity=250. Everyone can
> read it, but only processes running with Int=250 can write to it.
> Default for 'root' is running at 'int=10' (say normal users run w/int=5).
> It doesn't matter what root-level process they came in on, none has
> privilege to write to /etc/passwd. /etc/shadow can be set with sens=250
> and int=250. Same thing -- default root runs at sens=10.

Interesting idea. Is this a standard? How does it interact with UID/GID?

> Only a login @ console can root log in and gain sens=250, int=250. Root
> ID daemons don't (they run at 5,5 or 5,0). Root daemons don't run with
> CAP_MAC_OVERRIDE -- again, console only function.

How do I change my password then?

> Such a security system really shuts down crackers fast -- they
> break in but have no privileges. The damage they can do is limited.
> They couldn't even write or read root's home directory even though they
> are UID==0. Major impediment.

-- 
Dr. Horst H. von Brand                       mailto:vonbrand@inf.utfsm.cl
Departamento de Informatica                     Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria              +56 32 654239
Casilla 110-V, Valparaiso, Chile                Fax:  +56 32 797513
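
[Added illustration, not part of the original mail and not kernel code: a small C model of the sensitivity/integrity label checks quoted above, using the label values given in the message. The `>=` comparisons, the struct and function names, and reading "5,5" as (sens, int) are assumptions.]

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the labels described in the mail; not kernel code. */
struct label { int sens; int integ; };

struct subject {
    const char *name;
    int uid;               /* deliberately never consulted by the MAC checks */
    struct label l;
    bool cap_mac_override; /* per the mail, a console-only capability */
};

/* Assumption: reading requires subject sensitivity >= object sensitivity. */
bool mac_may_read(const struct subject *s, struct label obj)
{
    return s->cap_mac_override || s->l.sens >= obj.sens;
}

/* Assumption: writing requires subject integrity >= object integrity. */
bool mac_may_write(const struct subject *s, struct label obj)
{
    return s->cap_mac_override || s->l.integ >= obj.integ;
}

/* Object labels as quoted in the mail: { sens, integ }. */
static const struct label ETC_PASSWD = { 0, 250 };
static const struct label ETC_SHADOW = { 250, 250 };

/* Subjects built from the levels in the mail; all three are uid 0. */
static const struct subject ROOT_DAEMON  = { "root daemon",  0, { 5, 5 },     false };
static const struct subject DEFAULT_ROOT = { "default root", 0, { 10, 10 },   false };
static const struct subject CONSOLE_ROOT = { "console root", 0, { 250, 250 }, true };

static void report(const struct subject *s, const char *path, struct label o)
{
    printf("%-13s uid=%d %-12s read=%d write=%d\n", s->name, s->uid, path,
           mac_may_read(s, o), mac_may_write(s, o));
}

int main(void)
{
    const struct subject *all[] = { &ROOT_DAEMON, &DEFAULT_ROOT, &CONSOLE_ROOT };
    for (int i = 0; i < 3; i++) {
        report(all[i], "/etc/passwd", ETC_PASSWD);
        report(all[i], "/etc/shadow", ETC_SHADOW);
    }
    return 0;
}
```

All three subjects are uid 0, yet only the console login can write either file or read /etc/shadow; the decision comes entirely from the labels and the override capability.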

This archive was generated by hypermail 2b29 : Mon May 15 2000 - 21:00:13 EST