public inbox for linux-kernel@vger.kernel.org
* Any access control mechanism that allow exceptions?
From: Xin Zhao @ 2005-08-06  7:08 UTC (permalink / raw)
  To: linux-kernel

Hi,

I want to lock down a directory to be read-only, say, /etc, for system
security. Unfortunately, some valid system tools might need to
create/modify files like "/etc/dhclient-eth0.conf".  To avoid
disrupting the normal running of those tools, I might have to allow
certain files to be created under /etc.

Is there any way that allows me to specify what files are allowed to
be created while locking down the whole directory most of the time?

I think of adding an exception list as extended attributes of Ext3
filesystem, and changing the Ext3 filesystem to enforce the policy. But
this method looks awful.

Any elegant way to achieve this goal? 

Thanks

xin


* Re: Any access control mechanism that allow exceptions?
From: Henrik Kretzschmar @ 2005-08-06 10:25 UTC (permalink / raw)
  To: Xin Zhao; +Cc: linux-kernel

Xin Zhao wrote:
> Hi,
> 
> I want to lock down a directory to be read-only, say, /etc, for system
> security. Unfortunately, some valid system tools might need to
> create/modify files like "/etc/dhclient-eth0.conf".  To avoid
> disrupting the normal running of those tools, I might have to allow
> certain files to be created under /etc.
> 
> Is there any way that allows me to specify what files are allowed to
> be created while locking down the whole directory most of the time?
> 
> I think of adding an exception list as extended attributes of Ext3
> filesystem, and changing the Ext3 filesystem to enforce the policy. But
> this method looks awful.
> 
> Any elegant way to achieve this goal? 
> 
> Thanks
> 
> xin

What about symbolic links to a writable directory?

Henni
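
The symbolic-link suggestion in the reply above, as an added example that is not part of the original thread. It runs in a constructed temporary sandbox (the `etc` and `var/state` directories and all function names are assumptions) and shows that an in-place write follows the link, while new files and temp-file-plus-rename updates are refused for non-root users.

```shell
#!/bin/sh
# Added example. Constructed sandbox under mktemp; it never touches the real /etc.

make_sandbox() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc" "$root/var/state"
    # The exception is set up while etc is still writable: one symlink per
    # file that a tool must be able to write.
    ln -s ../var/state/dhclient-eth0.conf "$root/etc/dhclient-eth0.conf"
    chmod 555 "$root/etc"    # lock the directory: no create, unlink or rename
    printf '%s\n' "$root"
}

# A tool that opens the path and writes in place follows the symlink,
# so the data lands in the writable directory.
write_in_place() {
    printf 'send host-name "demo";\n' > "$1/etc/dhclient-eth0.conf"
}

# Any other name needs write permission on the locked directory itself,
# which mode 555 denies (root bypasses mode bits).
create_other() {
    touch "$1/etc/other.conf" 2>/dev/null
}

# Caveat: a tool that updates via temp file + rename() needs write access
# to etc as well, so the symlink exception does not cover it.
write_by_rename() {
    tmp="$1/etc/.dhclient-eth0.conf.tmp"
    { printf 'send host-name "demo";\n' > "$tmp"; } 2>/dev/null &&
        mv "$tmp" "$1/etc/dhclient-eth0.conf"
}

cleanup() {
    chmod 755 "$1/etc" && rm -rf "$1"
}

sandbox=$(make_sandbox) || exit 1
write_in_place "$sandbox" && echo "in-place write: stored in var/state"
create_other "$sandbox" || echo "new file in etc: denied"
write_by_rename "$sandbox" || echo "temp file + rename: denied"
cleanup "$sandbox"
```
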


* Re: Any access control mechanism that allow exceptions?
From: Horst von Brand @ 2005-08-07  1:20 UTC (permalink / raw)
  To: Xin Zhao; +Cc: linux-kernel

Xin Zhao <uszhaoxin@gmail.com> wrote:
> I want to lock down a directory to be read-only, say, /etc, for system
> security.

If root can bypass that somehow, it is useless anyway.

>           Unfortunately, some valid system tools might need to
> create/modify files like "/etc/dhclient-eth0.conf".  To avoid
> disrupting the normal running of those tools, I might have to allow
> certain files to be created under /etc.

Use standard permissions, or make affected files immutable.
-- 
Dr. Horst H. von Brand                   User #22616 counter.li.org
Departamento de Informatica                     Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria              +56 32 654239
Casilla 110-V, Valparaiso, Chile                Fax:  +56 32 797513


* Re: Any access control mechanism that allow exceptions?
From: Jan Engelhardt @ 2005-08-08  7:20 UTC (permalink / raw)
  To: Xin Zhao; +Cc: linux-kernel

>Hi,
>
>I want to lock down a directory to be read-only, say, /etc, for system
>security. Unfortunately, some valid system tools might need to
>create/modify files like "/etc/dhclient-eth0.conf".  To avoid
>disrupting the normal running of those tools, I might have to allow
>certain files to be created under /etc.

read-only-by-root is not enough?

*mumble* unionfs could help you in part.



Jan Engelhardt
-- 
