[1050] in linux-security and linux-alert archive
Re: System log practicalities (was Re: [linux-security] qmail,wu.ftpd,deslogind, in.telnetsnoopd ?)
daemon@ATHENA.MIT.EDU (Brian Mitchell)
Thu Aug 22 07:16:33 1996
Date: Wed, 21 Aug 1996 14:48:54 -0400 (EDT)
From: Brian Mitchell <brian@saturn.net>
To: Louis Mandelstam <louis@sacc.org.za>,
"Paul D. Robertson" <proberts@clark.net>,
Jonathan Larmour <JLarmour@origin-at.co.uk>,
Frank Parato <fparato@gti.net>, linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.91.960820203123.174A-100000@tcpip>
On Tue, 20 Aug 1996, Brian Mitchell wrote:
> [REW: I thought that we had something like "securelevel" too, which
> would, given the right value, disable the clearing of those flags.
> One of the primary uses of the immutable and append-only flags is for
> the logfile case that we're looking at right now. I wouldn't consider
> it ready for inclusion in the standard kernel if it didn't make
> an attempt at being secure against a root-user. I can't find anything
> about this in my /usr/src/linux tree. Maybe it's just an optional patch
> that someone has lying around?]
Well, according to my brief browsing of a 2.x kernel (the specific one, I
do not recall) we now have securelevel and sysctl(). Previously, Linux
did not. I'm sure someone involved in e2fs development can shed more light
on this though.
[REW: Just some source browsing found:
    /*
     * The IMMUTABLE and APPEND_ONLY flags can only be changed by
     * the super user when the security level is zero.
     */
    if ((flags & (EXT2_APPEND_FL | EXT2_IMMUTABLE_FL)) ^
        (inode->u.ext2_i.i_flags &
         (EXT2_APPEND_FL | EXT2_IMMUTABLE_FL))) {
            /* This test looks nicer. Thanks to Pauline Middelink */
            if (!fsuser() || securelevel > 0)
                    return -EPERM;
    } else
            if ((current->fsuid != inode->i_uid) && !fsuser())
                    return -EPERM;
so it should in principle be secure.]
Brian Mitchell brian@saturn.net
"I never give them hell. I just tell the truth and they think it's hell"
- H. Truman
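
An added example, not part of the original message or the kernel source: a small C auditor that reads a log file's inode flags with the FS_IOC_GETFLAGS ioctl and reports whether the append-only or immutable flag discussed above is actually set. It assumes a Linux system with <linux/fs.h>; the function names, the LOGF_* constants and the default path /var/log/messages are illustrative.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/fs.h> /* FS_IOC_GETFLAGS, FS_APPEND_FL, FS_IMMUTABLE_FL */

#define LOGF_APPEND    1 /* hypothetical result bits for this example */
#define LOGF_IMMUTABLE 2

/* Reduce the inode flag word to the two protections relevant to log files. */
int classify_flags(long flags)
{
    int r = 0;
    if (flags & FS_APPEND_FL)    r |= LOGF_APPEND;
    if (flags & FS_IMMUTABLE_FL) r |= LOGF_IMMUTABLE;
    return r;
}

/* Returns a LOGF_* bitmask, or -errno if the flags cannot be read
 * (missing file, or a filesystem without these flags). */
int audit_log_file(const char *path)
{
    int flags = 0, rc, saved;
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return -errno;
    rc = ioctl(fd, FS_IOC_GETFLAGS, &flags);
    saved = errno;
    close(fd);
    return rc < 0 ? -saved : classify_flags(flags);
}

int main(int argc, char **argv)
{
    const char *fallback[] = { "/var/log/messages" }; /* assumed default */
    const char **paths = argc > 1 ? (const char **)(argv + 1) : fallback;
    int n = argc > 1 ? argc - 1 : 1, unprotected = 0;
    for (int i = 0; i < n; i++) {
        int r = audit_log_file(paths[i]);
        if (r < 0)
            printf("%s: cannot read flags (%s)\n", paths[i], strerror(-r));
        else
            printf("%s:%s%s%s\n", paths[i], r & LOGF_APPEND ? " append-only" : "",
                   r & LOGF_IMMUTABLE ? " immutable" : "", r ? "" : " no protective flag");
        if (r <= 0)
            unprotected++;
    }
    return unprotected ? 1 : 0; /* non-zero exit if any file is unprotected */
}
```

The exit status is non-zero when any listed file lacks both flags or cannot be checked, so the program can be run from a periodic integrity check.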