* user's access to files in their own home directory
@ 2003-10-30 19:10 Russell Coker
2003-10-30 21:19 ` Tom
2003-10-30 23:47 ` Brian May
0 siblings, 2 replies; 5+ messages in thread
From: Russell Coker @ 2003-10-30 19:10 UTC (permalink / raw)
To: SE Linux
So far in writing the policy I have allowed the user full access to files in
their own home directory, with the exception of gpg where secrecy requires
that the user's processes often be denied read access.
I would like some feedback on how people feel about having files/dirs under a
user's home directory that they can't unlink or rename.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: user's access to files in their own home directory
2003-10-30 19:10 user's access to files in their own home directory Russell Coker
@ 2003-10-30 21:19 ` Tom
2003-10-30 23:47 ` Brian May
1 sibling, 0 replies; 5+ messages in thread
From: Tom @ 2003-10-30 21:19 UTC (permalink / raw)
To: SE Linux
On Fri, Oct 31, 2003 at 06:10:14AM +1100, Russell Coker wrote:
> I would like some feedback on how people feel about having files/dirs under a
> user's home directory that they can't unlink or rename.
Trojan protection comes to mind immediately. Any files that are
automatically executed or such like, which contains .bashrc and its
brethren, but also .forward and others.
It might be good to not have these modifiable from the standard user_r,
but only from a special different role to guarantee that mistake or
malicious code cannot mess them up.
Other than that, we should definitely provide the infrastructure. On
many systems, the admin might want to force some settings or start
scripts.
--
http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
* Re: user's access to files in their own home directory
2003-10-30 19:10 user's access to files in their own home directory Russell Coker
2003-10-30 21:19 ` Tom
@ 2003-10-30 23:47 ` Brian May
2003-10-31 8:46 ` Tom
2003-10-31 19:17 ` Russell Coker
1 sibling, 2 replies; 5+ messages in thread
From: Brian May @ 2003-10-30 23:47 UTC (permalink / raw)
To: Russell Coker; +Cc: SE Linux
On Fri, Oct 31, 2003 at 06:10:14AM +1100, Russell Coker wrote:
> So far in writing the policy I have allowed the user full access to files in
> their own home directory, with the exception of gpg where secrecy requires
> that the user's processes often be denied read access.
>
> I would like some feedback on how people feel about having files/dirs under a
> user's home directory that they can't unlink or rename.
This would seem to imply a usability/security tradeoff that is
dependent on the security requirements of the computer.
However, what files/dirs are you thinking of?
--
Brian May <bam@snoopy.apana.org.au>
* Re: user's access to files in their own home directory
2003-10-30 23:47 ` Brian May
@ 2003-10-31 8:46 ` Tom
2003-10-31 19:17 ` Russell Coker
1 sibling, 0 replies; 5+ messages in thread
From: Tom @ 2003-10-31 8:46 UTC (permalink / raw)
To: SE Linux
On Fri, Oct 31, 2003 at 10:47:12AM +1100, Brian May wrote:
> This would seem to imply a usability/security tradeoff that is
> dependent on the security requirements of the computer.
>
> However, what files/dirs are you thinking of?
Anyone remember my "quarantine download dir" proposal from earlier this
year?
The basic idea:
    ~/Downloads/ system_u:object_r:untrusted_dir_t
    file_type_auto_trans(.*, untrusted_dir_t, untrusted_file_t)
    domain_auto_trans(.*, untrusted_file_t, untrusted_t)
And untrusted_t has a very restricted set of permissions. Especially it
can write nowhere except in untrusted_dir_t and /tmp. That way I can
"try out" stuff I found on the net.
--
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
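
The quarantine idea in the message above, modelled as an added example (not code from the thread or from the SELinux project): a small evaluator for allow and type_transition rules that shows how a download is labelled, which domain it runs in, and where that domain can create files. The untrusted_* types are from the post; user_t, user_home_t, tmp_t, the permission sets and the narrowing of ".*" to user_t are assumptions of this sketch.

```python
import re

# Constructed rules in kernel policy syntax. untrusted_* types come from the
# post; user_t, user_home_t (never granted below) and tmp_t are assumed names.
POLICY = """
type_transition user_t untrusted_dir_t:file untrusted_file_t;
type_transition untrusted_t untrusted_dir_t:file untrusted_file_t;
type_transition user_t untrusted_file_t:process untrusted_t;
allow user_t untrusted_dir_t:dir { add_name write };
allow user_t untrusted_file_t:file { create write execute };
allow user_t untrusted_t:process { transition };
allow untrusted_t untrusted_file_t:file { entrypoint execute create write };
allow untrusted_t untrusted_dir_t:dir { add_name write };
allow untrusted_t tmp_t:dir { add_name write };
allow untrusted_t tmp_t:file { create write };
"""

def load(text):
    """Parse allow and type_transition rules into lookup structures."""
    allow, trans = set(), {}
    for src, tgt, cls, perms in re.findall(
            r"allow (\w+) (\w+):(\w+) \{([^}]*)\};", text):
        allow |= {(src, tgt, cls, p) for p in perms.split()}
    for src, tgt, cls, new in re.findall(
            r"type_transition (\w+) (\w+):(\w+) (\w+);", text):
        trans[(src, tgt, cls)] = new
    return allow, trans

ALLOW, TRANS = load(POLICY)

def create_file(domain, dir_type):
    """Label of a new file, or None when the creation is denied."""
    # Without a transition rule a new file inherits the directory's type.
    label = TRANS.get((domain, dir_type, "file"), dir_type)
    ok = ((domain, dir_type, "dir", "add_name") in ALLOW
          and (domain, label, "file", "create") in ALLOW)
    return label if ok else None

def exec_file(domain, file_type):
    """Domain after exec, or None if execute/transition/entrypoint is missing."""
    new = TRANS.get((domain, file_type, "process"), domain)
    if (domain, file_type, "file", "execute") not in ALLOW:
        return None
    if new != domain and not {(domain, new, "process", "transition"),
                              (new, file_type, "file", "entrypoint")} <= ALLOW:
        return None
    return new
```

Anything not listed in POLICY is denied, so the restriction on untrusted_t comes from the rules that are absent rather than from an explicit deny.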
* Re: user's access to files in their own home directory
2003-10-30 23:47 ` Brian May
2003-10-31 8:46 ` Tom
@ 2003-10-31 19:17 ` Russell Coker
1 sibling, 0 replies; 5+ messages in thread
From: Russell Coker @ 2003-10-31 19:17 UTC (permalink / raw)
To: Brian May; +Cc: SE Linux
On Fri, 31 Oct 2003 10:47, Brian May wrote:
> > So far in writing the policy I have allowed the user full access to files
> > in their own home directory, with the exception of gpg where secrecy
> > requires that the user's processes often be denied read access.
> >
> > I would like some feedback on how people feel about having files/dirs
> > under a user's home directory that they can't unlink or rename.
>
> This would seem to imply a usability/security tradeoff that is
> dependent on the security requirements of the computer.
>
> However, what files/dirs are you thinking of?
Maildir
www/web/public_html
.ssh
.gnupg (already done)
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page