From: LA Walsh <xfs@tlinx.org>
To: Dave Chinner <david@fromorbit.com>
Cc: xfs-oss <xfs@oss.sgi.com>
Subject: Re: usefulness of 'security attr' being non-copiable on discretionary access linux.
Date: Sun, 15 Dec 2013 23:41:13 -0800	[thread overview]
Message-ID: <52AEAE99.7060001@tlinx.org> (raw)
In-Reply-To: <20131216030215.GW31386@dastard>
On 12/15/2013 7:02 PM, Dave Chinner wrote:
> It writes it into the "trusted" VFS xattr namespace which means it
> knows *nothing* about how XFS stores it's xattrs on disk.
----

I never said it was correct, Dave.  At best, I thought it might have
represented some state in the past.


>> -----
>>    I'm running with the "default" security (Discretionary -
>> mode bits + access lists + cap bits slowly supplanting need for root.
> 
> So, did you turn the distro default selinux config off?
----
Suse ships AppArmor enabled by default, not selinux.

I run my own kernel from kernel.org sources.  (Suse doesn't
support booting directly from disk, and /usr is expected
to be mounted when the OS starts coming up (they put mount in
/usr/bin now and a symlink in /bin pointing to /usr/bin).)


> You missed what I said completely. You didn't create the NT attr,
> Samba did it on your behalf. Samba - the application that owns the
> xattr - has higher privileges than you do, and so it can do things
> you can't. Like manage attributes in the security namespace.
---

I didn't miss it -- I was talking about user-proxies.  The point of
my running a linux server as a Domain Controller is that I have 1 point
of security on my net -- the server, and whether I log in to a client
or the server, I "should" (conceptually) have access to the same files.

If I ssh from the client to the server, I see a message in messages:

    sshd accepted public key for Domain\\linda from [station]...

Samba provides user and group name resolution and security for the
server.


>> ====
>> As I tried to make clear -- this is a new behavior I'm seeing.  I've never
>> had attrs on my files that I, as the file 'owner' couldn't move around
>> to permitted locations.  As it is an ACL, my feeling is it should be
>> stored in the same way the posix acls are -- which are copyable.
> 
> Then something above the filesystem has changed. We haven't changed
> anything to do with who or how xattrs are stored or used in XFS for
> a long time.
----
Neither the kernel nor xfs were high on my list of
candidates.
> 
> Cheers,
---
and felicitations!...

linda

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
