From: Russell Coker <russell@coker.com.au>
To: forrest whitcher <fw@fwsystems.com>, selinux@tycho.nsa.gov
Subject: Re: Root-only systems
Date: Tue, 21 Jan 2003 02:56:08 +0100
Message-ID: <200301210256.08482.russell@coker.com.au>
In-Reply-To: <20030120193144.57cabd3e.fw@fwsystems.com>
On Tue, 21 Jan 2003 01:31, forrest whitcher wrote:
> I'm actually trying to go the other direction, and remove some of the
> Unix/Posix root concepts. Presently the lsm/selinux checks are run in
> addition to the unix uid/gid checks, failing either can deny the
> privilege.
>
> As a strong tool is in place, why for instance do we still want to
> require UID=0 to bind a low-number network port or access device
> drivers etc?
One really good reason is the way that SE Linux is deployed on running
servers.
If I have a running machine then I can't entirely rebuild it immediately, so I
install SE Linux in permissive mode, and apart from the potential of someone
typing "avc_toggle" at the wrong time it'll keep running as before.
If we allow non-root to bind to low ports (for example) then permissive mode
would be significantly less secure than a non-SE machine. If we don't allow
such operations in permissive mode then permissive and enforcing modes will
be functionally different.
Also once we have a system running in enforcing mode we know that if the SE
Linux policy fails us then we still have Unix permissions. If we weaken the
standard Unix permissions then new users will not be granted the assurance of
"the worst security problem it can have is to run like a regular Unix
system".
> Otoh, I expect the number of places where UID=0 checks have been
> built into both the kernel and userspace tools may make practically
> eliminating root from low-level operations a bit of a stretch.
The issue of binding to low ports is not difficult to fix. The other big one
is setuid(), the rest probably don't matter much.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
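A small model of the stacked access decision the exchange is about, added here as an illustration and not code from the thread or from SE Linux: a bind on a low port passes only if the Unix DAC check passes and the SELinux (MAC) check passes, except that permissive mode only logs a MAC denial. The `relaxed_dac` flag and the 'none'/'permissive'/'enforcing' mode names are this example's own assumptions; the capability mechanism is left out of the model.

```python
# Toy model of "DAC check AND MAC check", with permissive mode logging
# instead of denying. Not SE Linux code; assumptions are marked inline.
from itertools import product


def dac_allows(uid: int, port: int, relaxed_dac: bool) -> bool:
    """Stock Unix rule: ports below 1024 need uid 0.
    relaxed_dac models the proposal of dropping that requirement."""
    if port >= 1024:
        return True
    return uid == 0 or relaxed_dac


def decide(uid: int, port: int, mac_allows: bool, mode: str,
           relaxed_dac: bool, audit: list) -> bool:
    """Return True if the bind is permitted.
    mode is 'none' (no SE Linux), 'permissive' or 'enforcing' (assumed names)."""
    if not dac_allows(uid, port, relaxed_dac):
        return False                      # a DAC denial is final in every mode
    if mode == 'none':
        return True                       # plain Unix box: nothing more to check
    if not mac_allows:
        # constructed log line in the spirit of an AVC denial message
        audit.append(f"avc: denied bind uid={uid} port={port} mode={mode}")
        return mode == 'permissive'       # permissive logs, enforcing denies
    return True


def permissive_no_weaker_than_unix(relaxed_dac: bool) -> bool:
    """Russell's invariant: permissive mode never grants what a non-SE
    machine would deny. Checked over every uid/port/MAC combination."""
    for uid, port, mac in product((0, 1000), (80, 8080), (True, False)):
        audit = []
        plain = decide(uid, port, mac, 'none', False, audit)
        perm = decide(uid, port, mac, 'permissive', relaxed_dac, audit)
        if perm and not plain:
            return False
    return True
```

With the stock DAC rule the invariant holds; with the UID=0 requirement relaxed, a non-root bind to port 80 is granted in permissive mode even though a plain Unix system would refuse it, and permissive and enforcing then disagree on that case.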