From: "Serge E. Hallyn" <serge@hallyn.com>
To: Jan Engelhardt <jengelh@computergmbh.de>
Cc: Giacomo Catenazzi <cate@debian.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andreas Gruenbacher <agruen@suse.de>,
Thomas Fricaccia <thomas_fricacci@yahoo.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
James Morris <jmorris@namei.org>
Subject: Re: LSM conversion to static interface
Date: Tue, 23 Oct 2007 10:20:05 -0500 [thread overview]
Message-ID: <20071023152005.GA13767@vino.hallyn.com> (raw)
In-Reply-To: <Pine.LNX.4.64.0710231051090.16684@fbirervta.pbzchgretzou.qr>
Quoting Jan Engelhardt (jengelh@computergmbh.de):
>
> On Oct 23 2007 07:44, Giacomo Catenazzi wrote:
> >
> >> I do have a pseudo LSM called "multiadm" at
> >> http://freshmeat.net/p/multiadm/ , quoting:
> >
> >> Policy is dead simple since it is based on UIDs. The UID ranges can be
> >> set on module load time or during runtime (sysfs params). This LSM is
> >> basically grants extra rights unlike most other LSMs[1], which is why
> >> modprobe makes much more sense here. (It also does not have to do any
> >> security labelling that would require it to be loaded at boot time
> >> already.)
> >
> >But his is against LSM design (and first agreements about LSM):
> >LSM can deny rights, but it should not give extra permissions
> >or bypass standard unix permissions.
>
> It is just not feasible to add ACLs to all million files in /home,
> also because ACLs are limited to around 25 entries.
> And it is obvious I do not want <prof> to have UID 0, because
> then you cannot distinguish who created what file.
> So the requirement to the task is to have unique UIDs.
> The next logical step would be to give capabilities to those UIDs.
>
> *Is that wrong*? Who says that only UID 0 is allowed to have
> all 31 capability bits turned on, and that all non-UID 0 users
> need to have all 31 capability bits turned off?
>
> So, we give caps to the subadmins (which is IMHO a natural task),
> and then, as per LSM design (wonder where that is written) deny
> some of the rights that the capabilities raised for subadmins grant,
> because that is obviously too much.
Once the per-process capability bounding set is accepted
(http://lkml.org/lkml/2007/10/3/315) you will be able to do something
like:
1. Create user 'jdoe' with uid 0
2. write a pam module which, when jdoe logs in, takes
CAP_NET_ADMIN out of his capability bounding set
3. Now jdoe can log in with the kind of capabilities subset
you describe.
It's not a perfect solution, since it doesn't allow jdoe any way at all
to directly execute a file with more caps (setuid and file capabilities
are subject to the capbound). So there is certainly still a place for
multiadm.
-serge
next prev parent reply other threads:[~2007-10-23 15:20 UTC|newest]
Thread overview: 140+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <167451.96128.qm@web38607.mail.mud.yahoo.com>
2007-10-18 2:18 ` LSM conversion to static interface Linus Torvalds
2007-10-19 20:26 ` Andreas Gruenbacher
2007-10-19 20:40 ` Linus Torvalds
2007-10-20 11:05 ` Jan Engelhardt
2007-10-20 22:57 ` James Morris
2007-10-21 22:59 ` Adrian Bunk
2007-10-23 4:09 ` LSM conversion to static interface [revert patch] Arjan van de Ven
2007-10-23 4:56 ` James Morris
2007-10-23 4:57 ` Arjan van de Ven
2007-10-23 5:16 ` Chris Wright
2007-10-23 9:10 ` Jan Engelhardt
2007-10-23 9:13 ` Chris Wright
2007-10-23 9:14 ` Jan Engelhardt
2007-10-24 0:31 ` Jeremy Fitzhardinge
2007-10-24 0:32 ` Chris Wright
2007-10-24 5:06 ` Arjan van de Ven
2007-10-24 11:50 ` Linux Security *Module* Framework (Was: LSM conversion to static interface Simon Arlott
2007-10-24 12:55 ` Adrian Bunk
2007-10-24 18:11 ` Linux Security *Module* Framework (Was: LSM conversion to static interface) Simon Arlott
2007-10-24 18:51 ` Jan Engelhardt
2007-10-24 18:59 ` Simon Arlott
2007-10-24 19:04 ` Jan Engelhardt
2007-10-24 21:02 ` David P. Quigley
2007-10-24 21:37 ` Serge E. Hallyn
2007-10-24 21:51 ` Jan Engelhardt
2007-10-24 22:02 ` David P. Quigley
2007-10-24 23:13 ` Jan Engelhardt
2007-10-25 1:50 ` david
2007-10-25 3:50 ` Kyle Moffett
2007-10-24 21:42 ` Jan Engelhardt
2007-10-24 21:58 ` Casey Schaufler
2007-10-24 22:04 ` David P. Quigley
2007-10-25 11:38 ` Simon Arlott
2007-10-24 20:18 ` Crispin Cowan
2007-10-24 20:46 ` Jan Engelhardt
2007-10-24 21:29 ` Casey Schaufler
2007-10-24 22:31 ` Adrian Bunk
2007-10-24 22:58 ` Casey Schaufler
2007-10-24 23:32 ` Adrian Bunk
2007-10-24 23:42 ` Linus Torvalds
2007-10-25 0:41 ` Chris Wright
2007-10-25 2:19 ` Arjan van de Ven
2007-10-30 3:37 ` Toshiharu Harada
2007-10-25 1:03 ` Casey Schaufler
2007-10-25 0:23 ` Chris Wright
2007-10-25 0:35 ` Ray Lee
2007-10-25 1:26 ` Peter Dolding
2007-10-25 1:41 ` Alan Cox
2007-10-25 2:11 ` david
2007-10-25 18:17 ` Ray Lee
2007-10-25 22:21 ` Alan Cox
2007-10-26 3:45 ` david
2007-10-26 5:44 ` Peter Dolding
2007-10-27 18:29 ` Pavel Machek
2007-10-28 18:48 ` Hua Zhong
2007-10-28 19:05 ` Hua Zhong
2007-10-28 22:08 ` Crispin Cowan
2007-10-28 22:50 ` Alan Cox
2007-11-26 20:42 ` serge
2007-10-28 23:55 ` Peter Dolding
2007-10-29 5:12 ` Arjan van de Ven
2007-10-25 9:19 ` Bernd Petrovitsch
2007-10-25 16:04 ` Ray Lee
2007-10-25 17:10 ` Arjan van de Ven
2007-10-30 9:41 ` Bernd Petrovitsch
2007-10-25 1:42 ` Casey Schaufler
2007-10-27 18:22 ` Pavel Machek
2007-10-28 19:42 ` Linux Security *Module* Framework Tilman Schmidt
2007-10-28 20:46 ` Jan Engelhardt
2007-10-30 3:23 ` Linux Security *Module* Framework (Was: LSM conversion to static interface) Toshiharu Harada
2007-10-30 8:40 ` Jan Engelhardt
2007-10-30 8:50 ` Crispin Cowan
2007-10-30 9:27 ` Jan Engelhardt
2007-10-30 9:21 ` Toshiharu Harada
2007-10-25 11:44 ` Simon Arlott
2007-10-25 23:09 ` Tilman Schmidt
2007-10-26 2:56 ` Greg KH
2007-10-26 7:09 ` Jan Engelhardt
2007-10-26 15:54 ` Greg KH
2007-10-26 9:46 ` Tilman Schmidt
2007-10-26 15:58 ` Greg KH
2007-10-26 16:32 ` Simon Arlott
2007-10-27 14:07 ` eradicating out of tree modules (was: Linux Security *Module* Framework) Tilman Schmidt
2007-10-28 1:21 ` Adrian Bunk
2007-10-26 23:26 ` Linux Security *Module* Framework (Was: LSM conversion to static interface) Adrian Bunk
2007-10-27 14:47 ` eradicating out of tree modules (was: : Linux Security *Module* Framework) Tilman Schmidt
2007-10-27 17:31 ` eradicating out of tree modules Stefan Richter
2007-10-28 0:55 ` eradicating out of tree modules (was: : Linux Security *Module* Framework) Adrian Bunk
2007-10-28 9:25 ` eradicating out of tree modules Stefan Richter
2007-10-28 12:01 ` Tilman Schmidt
2007-10-28 14:37 ` Stefan Richter
2007-10-28 14:59 ` Simon Arlott
2007-10-28 16:55 ` Tilman Schmidt
2007-10-28 18:51 ` Tilman Schmidt
2007-10-28 19:25 ` Adrian Bunk
2007-10-30 0:29 ` Tilman Schmidt
2007-10-30 13:11 ` linux-os (Dick Johnson)
2007-10-30 13:19 ` Xavier Bestel
2007-10-30 15:30 ` Greg KH
2007-10-29 23:51 ` Out-of-tree modules [was: Linux Security *Module* Framework] Jan Engelhardt
2007-10-30 0:46 ` Lee Revell
2007-10-30 1:19 ` Jan Engelhardt
2007-10-27 14:08 ` Linux Security *Module* Framework (Was: LSM conversion to static interface Tetsuo Handa
2007-11-05 6:42 ` Crispin Cowan
2007-10-23 9:13 ` Jan Engelhardt
2007-10-23 5:44 ` Giacomo Catenazzi
2007-10-23 8:55 ` Jan Engelhardt
2007-10-23 9:14 ` Giacomo A. Catenazzi
2007-10-23 9:18 ` Jan Engelhardt
2007-10-23 15:20 ` Serge E. Hallyn [this message]
2007-10-23 15:28 ` Jan Engelhardt
2007-10-23 15:34 ` Serge E. Hallyn
2007-10-25 10:23 ` Valdis.Kletnieks
2007-10-19 21:07 ` James Morris
2007-10-22 1:12 ` Crispin Cowan
2007-10-25 11:33 Jan Engelhardt
2007-10-26 10:40 ` Samir Bellabes
-- strict thread matches above, loose matches on Subject: below --
2007-10-22 17:00 Thomas Fricaccia
2007-10-22 17:12 ` Alan Cox
2007-10-22 17:13 ` Greg KH
2007-10-23 5:14 ` Crispin Cowan
2007-10-23 5:32 ` david
2007-10-23 11:38 ` Simon Arlott
2007-10-23 5:53 ` Giacomo Catenazzi
2007-10-23 7:12 ` Crispin Cowan
2007-10-23 8:17 ` Giacomo A. Catenazzi
2007-10-24 3:41 ` Greg KH
2007-10-22 2:24 Thomas Fricaccia
2007-10-22 3:59 ` Greg KH
2007-10-22 17:47 ` Avi Kivity
2007-10-23 16:05 ` Adrian Bunk
2007-10-23 16:52 ` Geert Uytterhoeven
2007-10-22 10:07 ` Alan Cox
2007-10-22 16:10 ` Crispin Cowan
2007-10-22 16:50 ` Alan Cox
2007-10-22 16:56 ` Greg KH
2007-10-18 1:34 Thomas Fricaccia
2007-10-18 2:03 ` Casey Schaufler
2007-10-18 2:21 ` Linus Torvalds
2007-10-18 3:06 ` Arjan van de Ven
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20071023152005.GA13767@vino.hallyn.com \
--to=serge@hallyn.com \
--cc=agruen@suse.de \
--cc=cate@debian.org \
--cc=jengelh@computergmbh.de \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=thomas_fricacci@yahoo.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.