Re: ACLs

From: Kyle Moffett
Date: Fri Aug 04 2006 - 19:31:51 EST


On Aug 04, 2006, at 18:52:41, RazorBlu wrote:
Because instead of having an all-powerful account (which we so lovingly know as root), you can separate specific roles to different accounts. To use Windows' ACLs as an example:

- Adjust memory quotas for a process
- Allow/deny access to this computer from the network
- Backup files and directories
- Bypass traverse checking
- Change system time
- Increase scheduling priority
- Load and unload device drivers
- Manage auditing and security logs
- Restore files and directories
- Shutdown the system
- Take ownership of files or other objects

This is _exactly_ what SELinux does for you. You can break down permissions on very nearly a per-syscall basis (not quite, for efficiency reasons, but pretty damn close).

As you can see, those are finely-grained controls. Why would these be useful on Linux? Because you can have a root account which can bind Apache to a port <1024, and even if it is compromised it cannot "shutdown the system," or "deny access to this computer from the network," thus the attacker will be able to cause minimal damage. Yes, the same can be done on Linux using SELinux, AppArmor, or some other ACL system, but again - those aren't part of the kernel. They are extra apps, and adding layers is not always the best solution when it comes to security.

You're quite wrong about SELinux; it _is_ part of the kernel. Admittedly it requires a policy to be built and loaded from userspace, but your "ACLs" would require some ACL utilities to apply those from userspace. In any case SELinux is an extremely powerful model; you can define your arbitrary RBAC+TE state machine and constraints, then the kernel applies it to your system; as simple (or horribly complicated, as the case may be) as that.

Um.. Forgive me for a second, but are you suggesting that a Linux system running a service(s) under full root privileges (such as Apache) is just as secure as a Linux system running the same process but with compartmentalisation to make sure that each service has access to just the files and directories it needs, achieved (currently) via AppArmor, SELinux, or a similar ACL system?

Here's a better security model: SELinux lets you give root access to everybody and still have a 100% secure system (although it's not really recommended). Google around for the public SSH-accessible SELinux testbeds with root's password set to "password" or "1234" or whatever and feel free to log in and have a look. Besides, we do have POSIX ACLs on files; if that's what you're looking for, but that's not extensible enough to cover processes too.

Cheers,
Kyle Moffett



-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/