* Any access control mechanism that allow exceptions?
@ 2005-08-06 7:08 Xin Zhao
From: Xin Zhao @ 2005-08-06 7:08 UTC (permalink / raw)
To: linux-kernel
Hi,
I want to lock down a directory to be read-only, say, /etc, for system
security. Unfortunately, some valid system tools might need to
create/modify files like "/etc/dhclient-eth0.conf". To avoid
disrupting the normal running of those tools, I might have to allow
certain files to be created under /etc.
Is there any way that allows me to specify what files are allowed to
be created while locking down the whole directory most of the time?
I think of adding an exception list as extended attributes of the Ext3
filesystem, and changing the Ext3 filesystem to enforce the policy. But
this method looks awful.
Any elegant way to achieve this goal?
Thanks
xin
* Re: Any access control mechanism that allow exceptions?
From: Henrik Kretzschmar @ 2005-08-06 10:25 UTC (permalink / raw)
To: Xin Zhao; +Cc: linux-kernel
Xin Zhao wrote:
> Hi,
>
> I want to lock down a directory to be read-only, say, /etc, for system
> security. Unfortunately, some valid system tools might need to
> create/modify files like "/etc/dhclient-eth0.conf". To avoid
> disrupting the normal running of those tools, I might have to allow
> certain files to be created under /etc.
>
> Is there any way that allows me to specify what files are allowed to
> be created while locking down the whole directory most of the time?
>
> I think of adding an exception list as extended attributes of the Ext3
> filesystem, and changing the Ext3 filesystem to enforce the policy. But
> this method looks awful.
>
> Any elegant way to achieve this goal?
>
> Thanks
>
> xin
What about symbolic links to a writable directory?
Henni
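The symlink approach above, combined with the ordinary directory permissions Horst mentions further down, as an added shell example (not code posted by anyone in this thread). It builds a scratch tree instead of touching the real /etc, so it runs unprivileged; the paths under the temporary directory and the file name dhclient-eth0.conf are constructed for the demo:

```shell
#!/bin/sh
# Added example, not from the thread. Locks a directory against new entries
# with plain mode bits and punches holes for named files by symlinking them
# into a separate, writable directory.

# lock_down_etc ETC WRITABLE NAME...
#   ETC ends up r-x for everyone, so unprivileged callers cannot create,
#   rename or unlink entries in it. Each NAME becomes a symlink to a regular
#   file in WRITABLE, which stays writable, so a tool that rewrites
#   ETC/NAME keeps working while every other name in ETC is frozen.
lock_down_etc() {
    etc=$1; writable=$2; shift 2
    mkdir -p "$etc" "$writable"
    for name in "$@"; do
        : > "$writable/$name"              # the real file lives outside ETC
        ln -sf "$writable/$name" "$etc/$name"
    done
    chmod 755 "$writable"
    chmod 555 "$etc"                       # do this last: entries are frozen now
}

# write_through ETC NAME CONTENT
#   What a tool such as dhclient does: open ETC/NAME for writing. The write
#   follows the symlink and lands in the writable directory.
write_through() {
    printf '%s\n' "$3" > "$1/$2"
}

# can_create ETC NAME
#   Returns 0 if a brand-new entry can be created directly in ETC. Expected
#   to fail for unprivileged users once ETC is mode 555; root ignores mode
#   bits (CAP_DAC_OVERRIDE), which is exactly Horst's point.
can_create() {
    if ( : > "$1/$2" ) 2>/dev/null; then
        rm -f "$1/$2"
        return 0
    fi
    return 1
}

# mode_of PATH: the symbolic mode column from ls, e.g. dr-xr-xr-x
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Stand-alone demo in a throwaway tree.
demo_root=$(mktemp -d)
lock_down_etc "$demo_root/etc" "$demo_root/var-etc" dhclient-eth0.conf
write_through "$demo_root/etc" dhclient-eth0.conf "lease { interface \"eth0\"; }"
echo "etc mode:       $(mode_of "$demo_root/etc")"
echo "through symlink: $(cat "$demo_root/var-etc/dhclient-eth0.conf")"
if can_create "$demo_root/etc" stray.conf; then
    echo "new entry in etc: allowed (running as root?)"
else
    echo "new entry in etc: denied"
fi
chmod u+w "$demo_root/etc"                 # needed to clean up a 555 directory
rm -rf "$demo_root"
```

Two caveats a practitioner should keep in mind. The mode bits only bind unprivileged users; anything running with CAP_DAC_OVERRIDE (root by default) walks straight through them, and the same holds for chattr +i, which root can clear again with chattr -i unless CAP_LINUX_IMMUTABLE has been dropped. The symlink also only protects the directory entry: whoever can write to the target directory can still replace the file the symlink points at, so the writable directory needs the same ownership discipline as the locked one.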
* Re: Any access control mechanism that allow exceptions?
From: Horst von Brand @ 2005-08-07 1:20 UTC (permalink / raw)
To: Xin Zhao; +Cc: linux-kernel
Xin Zhao <uszhaoxin@gmail.com> wrote:
> I want to lock down a directory to be read-only, say, /etc, for system
> security.
If root can bypass that somehow, it is useless anyway.
> Unfortunately, some valid system tools might need to
> create/modified files like "/etc/dhclient-eth0.conf". To avoid
> disrupting the normal running of those tools, I might have to allow
> certain files to be created under /etc.
Use standard permissions, or make affected files immutable.
--
Dr. Horst H. von Brand User #22616 counter.li.org
Departamento de Informatica Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria +56 32 654239
Casilla 110-V, Valparaiso, Chile Fax: +56 32 797513
* Re: Any access control mechanism that allow exceptions?
From: Jan Engelhardt @ 2005-08-08 7:20 UTC (permalink / raw)
To: Xin Zhao; +Cc: linux-kernel
>Hi,
>
>I want to lock down a directory to be read-only, say, /etc, for system
>security. Unfortunately, some valid system tools might need to
>create/modify files like "/etc/dhclient-eth0.conf". To avoid
>disrupting the normal running of those tools, I might have to allow
>certain files to be created under /etc.
read-only-by-root is not enough?
*mumble* unionfs could help you in part.
Jan Engelhardt
--