From: Tzafrir Cohen (tzafrir technion.ac.il)
Date: Tue Jan 15 2002 - 18:49:12 CST
On Wed, 16 Jan 2002, Edoardo Causarano wrote:
> Having used ext2/3 ACLs as support to Samba's NT permission support I've
> become quite fond of the system. In the first-install 'it works!' euphoria I
> had a couple of ideas that were promptly rejected in many UNIX, LUG ml;
> nonetheless, I'm stubborn so here it goes:
>
> Imagine Linux/Unix makes its way on the desktop and lusers start using all
> sorts of warez, cool trojan, etc... any good sysadmin will start to long for
> the days when *NIX was for the Ones! Imagine ~/.gnupg and ~/Documents being
> lifted across the net to some ruthless leet crackz0r... PHB: 'man, I pay you
> to prevent this crap!' Do we really want some M$ish EULA disclaiming all
> responsibility (even those claims of UNIX security... except in init 1)?
>
> So here you go:
>
> Sensitive files such as ~/.gnupg/* are accessible only to a specifically set
> class of /usr/bin/app using ACL/EA. Any other access attempt should trigger a
> console message or Gnome/KDE critical warning. So if a luser runs the latest
> attached flash exe (I know: OutOfLuck runs exes when they are supposed to be
> binary data files but nonetheless...) the system will trigger an alert. The
> ~/.fileacl itself should be protected against vi and its housekeeping
> program (interactive only... pam authenticated...) and sensible global
> /etc/fileacl rules would be enforced to help sysadmins.
Just one question: How can a user back up sensitive data? How can the
system back them up? Restore them?
Do you give the user any procedure to back up the data to a different place
of the user's choosing?
If so, Joe Cracker, acting in the name of our beloved user (after getting
hold of the password or whatever) will just back up the data, and grab it.
>
> In the end it's something that protects the user from the system just as
> /etc/passwd protects the latter from the former.
>
Do you want to protect from a compromise of the root account or from a
compromise of the user account?
Defending the system from root is not trivial. Basically root grants
permissions. And even if root prevented root access to some files, root
can re-grant those permissions. The approach of LIDS & co. (and also of
the linux capabilities system) is to allow a weaker root to do some useful
things. But you can't protect the system's data from the user that is
supposed to back up this data.
That is not to say that ACLs don't have good uses, though.
-- Tzafrir Cohen mailto:tzafrirtechnion.ac.il http://www.technion.ac.il/~tzafrir
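Added example, not part of Tzafrir's reply or of the list's own material: a small Python audit that makes the two points of the thread concrete. `find_unsafe` is the check a defender actually gets from plain mode bits on a ~/.gnupg-style directory (directory 0700, files 0600, nothing for group or other), and `exportable` shows the limit Tzafrir describes: every file the owning user can read can be copied out by any program running as that user, because Unix permissions and POSIX ACLs identify users and groups, not applications. The sample directory, file names and modes are constructed here for the demonstration; the "secure" policy of 0700/0600 is an assumption of this example.

```python
"""Audit a GnuPG-style home directory for loose permission bits (added example).

Assumed policy (not from the list post): the directory must be 0700 and every
regular file inside it 0600, i.e. no group/other bits anywhere.
"""
import os
import stat
import tempfile

# Any bit in the group or other triples counts as a finding.
UNSAFE_BITS = stat.S_IRWXG | stat.S_IRWXO


def find_unsafe(root):
    """Map relative path -> octal mode for every entry granting group/other access.

    The root directory itself is reported as ".". Symlinks are skipped because
    their own mode bits carry no meaning; their targets are checked where they live.
    """
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for path in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & UNSAFE_BITS:
                findings[os.path.relpath(path, root)] = oct(mode)
    return dict(sorted(findings.items()))


def exportable(root):
    """Relative paths of regular files the calling user can open for reading.

    This is the 'backup problem' from the reply: the check is made with the
    identity of the running process, so a correctly locked-down 0600 key file
    is just as readable to a trojan run by the owner as it is to gpg itself.
    """
    readable = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and os.access(path, os.R_OK):
                readable.append(os.path.relpath(path, root))
    return sorted(readable)


def build_sample_dir():
    """Create a constructed sample ~/.gnupg with a mix of good and bad modes."""
    root = tempfile.mkdtemp(prefix="gnupg-audit-")
    os.chmod(root, 0o700)
    samples = {
        "secring.gpg": 0o600,  # private keyring, correctly locked down
        "pubring.gpg": 0o644,  # world-readable: flagged
        "trustdb.gpg": 0o660,  # group-readable: flagged
    }
    for name, mode in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content\n")
        os.chmod(path, mode)  # explicit chmod so the umask cannot interfere
    sub = os.path.join(root, "private-keys-v1.d")
    os.mkdir(sub)
    os.chmod(sub, 0o755)  # subdirectory open to everyone: flagged
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    print("sample directory:", sample)
    for rel, mode in find_unsafe(sample).items():
        print("loose permissions:", rel, mode)
    print("readable by this user:", ", ".join(exportable(sample)))
```

Running it prints the three loose entries and then lists all three keyring files as readable, including the 0600 `secring.gpg`: the audit can catch a misconfigured mode, but nothing in the permission model tells a trojan apart from the user's own backup script.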
For help, email discuss-help
mandrakesecure.net; to unsubscribe send a message to discuss-unsubscribe
mandrakesecure.net. To visit MandrakeSecure, go to http://www.mandrakesecure.net/.