RE: Future Linux devel. Kernels

From: Igmar Palsenberg (
Date: Tue May 09 2000 - 13:31:14 EST

On Tue, 9 May 2000, Linda Walsh wrote:

> > > > - Making sysklogd and klogd immutable
> > > ---
> > > Das ok. With mount, I can just mount over the top of them, killoff current ones, restart my
> > > new ones.
> >
> > You can't remount the root fs while running.
> ---
> Don't need to -- "mount mybadsys:/mybadusr /usr". Now we have a new /usr/bin/syslogd
> and a new /usr/sbin/klogd.

You still need to kill the old one..

> > > CAP_MAC_OVERRIDE which wouldn't be set for userland daemons.
> >
> >
> >The 'chicken and egg' problem.
> ---
> Chicken and egg problem refers to the common perception of the non-determinability
> of which came first (the egg did: proof: egg contains all chromosomes for new adult and
> is itself the mutation that meets definition of a chicken (which parent did not)).
> There is no non-determinability here. Init sets initial luid. Run level scripts
> set initial CAPs. Only root on physical console gets full CAPs. If MAC and file-caps
> are in, management gets real easy/non-kludgy. Doesn't matter if you crack root
> password -- you need to be on the console. Doesn't matter if you get a root-shell
> through a daemon, the daemons wouldn't run with unnecessary caps and wouldn't run
> with a MAC label that allows them to modify system security files. For example,
> /etc/passwd is labeled with Sensitivity=00, Integrity=250. Everyone can read it, but
> only processes running with Int=250 can write to it. Default for 'root' is running
> at 'int=10' (say normal users run w/int=5). It doesn't matter what root-level
> process they came in on, none has privilege to write to /etc/passwd. /etc/shadow
> can be set with sens=250 and int=250. Same thing -- default root runs at sens=10.
> Only a login @ console can root log in and gain sens=250, int=250. Root ID daemons
> don't (they run at 5,5 or 5,0). Root daemons don't run with CAP_MAC_OVERRIDE --
> again, console only function.

Hmm.. Last time I checked capabilities weren't fully functional yet...

> Such a security system really shuts down crackers fast -- they break in but
> have no privileges. The damage they can do is limited. They couldn't even write or
> read root's home directory even though they are UID==0. Major impediment.

Yep.. Capabilities are a nice feature.. I'm glad that Linux starts
implementing them.
> -l
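The label scheme Linda describes above (sensitivity gates reads, integrity gates writes, CAP_MAC_OVERRIDE bypasses both) can be worked through in a few lines. The block below is an added example for this archive page, not code from the thread, the kernel, or either participant: the level numbers come from the post, while the bit position of CAP_MAC_OVERRIDE, the normal user's sensitivity, the choice of (5,5) for daemons and the role names are assumptions made here.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the sensitivity/integrity labels described in the
 * quoted post. Added illustration only: not kernel code and not code from
 * either participant. Level numbers are the post's; everything else is an
 * assumption made for this example. */
typedef struct { int sens; int integ; } mac_label;

/* Only one capability matters here. The CAP_MAC_OVERRIDE name comes from
 * the post; its bit position is an assumption. */
#define CAP_MAC_OVERRIDE_BIT (1u << 0)

typedef struct { const char *name; mac_label label; unsigned caps; } subject;
typedef struct { const char *path; mac_label label; } object;

/* Objects exactly as labelled in the post. */
static const object etc_passwd = { "/etc/passwd", { 0, 250 } };
static const object etc_shadow = { "/etc/shadow", { 250, 250 } };

/* Read rule: subject sensitivity must be at least the object's (no read up).
 * Integrity does not gate reads, so everyone can read /etc/passwd. */
bool mac_may_read(const subject *s, const object *o) {
    if (s->caps & CAP_MAC_OVERRIDE_BIT) return true;  /* console-only cap */
    return s->label.sens >= o->label.sens;
}

/* Write rule: subject integrity must be at least the object's (no write up).
 * The post states only this condition, so no sensitivity check is added. */
bool mac_may_write(const subject *s, const object *o) {
    if (s->caps & CAP_MAC_OVERRIDE_BIT) return true;
    return s->label.integ >= o->label.integ;
}

/* Roles named in the post. The normal user's sensitivity (5) and the choice
 * of (5,5) over (5,0) for daemons are assumptions; "daemon-with-override" is
 * a deliberately misconfigured daemon that was granted CAP_MAC_OVERRIDE. */
subject subject_for(const char *role) {
    subject s = { role, { 0, 0 }, 0 };            /* unknown role: lowest label */
    if (strcmp(role, "console-root") == 0)        s.label = (mac_label){ 250, 250 };
    else if (strcmp(role, "default-root") == 0)   s.label = (mac_label){ 10, 10 };
    else if (strcmp(role, "root-daemon") == 0)    s.label = (mac_label){ 5, 5 };
    else if (strcmp(role, "user") == 0)           s.label = (mac_label){ 5, 5 };
    else if (strcmp(role, "daemon-with-override") == 0) {
        s.label = (mac_label){ 5, 5 };
        s.caps = CAP_MAC_OVERRIDE_BIT;
    }
    return s;
}

/* Convenience wrapper: decide one (role, op, path) triple by name. */
bool role_may(const char *role, const char *op, const char *path) {
    subject s = subject_for(role);
    const object *o = strcmp(path, etc_shadow.path) == 0 ? &etc_shadow : &etc_passwd;
    return strcmp(op, "write") == 0 ? mac_may_write(&s, o) : mac_may_read(&s, o);
}

/* Print the full access matrix for the roles and files from the post. */
int main(void) {
    const char *roles[] = { "user", "root-daemon", "default-root",
                            "console-root", "daemon-with-override" };
    const object *objs[] = { &etc_passwd, &etc_shadow };
    printf("%-22s %-12s %-5s %-5s\n", "subject", "object", "read", "write");
    for (size_t i = 0; i < sizeof roles / sizeof roles[0]; i++) {
        subject s = subject_for(roles[i]);
        for (size_t j = 0; j < 2; j++)
            printf("%-22s %-12s %-5s %-5s\n", s.name, objs[j]->path,
                   mac_may_read(&s, objs[j]) ? "yes" : "no",
                   mac_may_write(&s, objs[j]) ? "yes" : "no");
    }
    return 0;
}
```

The matrix makes the argument in the post concrete: a root shell obtained through a daemon running at (5,5) or the default (10,10) root label can read /etc/passwd but cannot write it and cannot read /etc/shadow at all, while the only subjects that touch /etc/shadow are the console login at (250,250) and a daemon that was wrongly given CAP_MAC_OVERRIDE, which is exactly why that capability has to stay a console-only function.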