[1707] in linux-security and linux-alert archive
[linux-security] Re: Re: Re: Towards a solution of tmp-file problems
daemon@ATHENA.MIT.EDU (Adam Morris)
Fri Mar 13 02:15:31 1998
From: "Adam Morris" <Adam.Morris@onyx.net>
To: "linux-security@redhat.com" <linux-security@redhat.com>,
"Nick Andrew" <nick@zeta.org.au>
Cc: "nick@zeta.org.au" <nick@zeta.org.au>
Date: Thu, 12 Mar 98 11:51:56
Reply-To: "Adam Morris" <Adam.Morris@onyx.net>
Resent-From: linux-security@redhat.com
>
>For example (and this is only an example), a private namespace may be
>assigned for each user at login time (at the level of the login shell).
>Thus, the user's "ls" commands see files in whatever directory the
>private namespace is rooted, and for all intents and purposes it appears
>to be an ordinary filesystem. Yet no other users can see this. User runs
>unprivileged shell scripts, and shell scripts use this namespace. User
>runs setuid shell scripts (shudders) and top-level setuid script defines
>a private namespace which works for that process and all its children.
>User's unrelated processes can't see the second private namespace but
>not-particularly-security-conscious child processes of the setuid one
>(e.g. sort) can, and their temp files are not visible to the user or to
>any other user.
>
This sounds an awful lot like the multi level file system stuff of CMW
(Compartmented Mode Workstation) which has Levels, and Compartments.
Think of this as a matrix with
Levels going across the way, and Compartments going down the way. A
level dominates all levels below it, but compartments do not dominate
each other. i.e. a process at level 2 compartments 4 and 5 "dominates"
anything at level 1 or level 2 with either no compartments,
compartment 4, compartment 5 or both compartments 4 and 5. (i.e. l1,
l1c4, l1c5, l1c4c5, l2, l2c4, l2c5, l2c4c5). The implementation I know
uses a mixture of modified kernel and modified file systems. Processes
are allowed to read down (i.e. read anything they dominate) but "write
up" in other words they can only write at their own level or something
even more restrictive.
The relevant bit here is when you get to /tmp. /tmp is a multilevel
directory. It appears to be a single directory, containing only stuff
at your current level/compartment settings. If you write to it, you
write at your current settings, and nothing that doesn't share your
settings can read it. In the case of tmp you can't even read down. It
is normal on CMW boxes to keep all of the system files at SYSLO (the
lowest possible level with no compartments) so that anything can read
them, but nothing can write to them.
There are of course special privileges which allow things to read
outside their compartments, and to write down. Anyway, having worked
with one of these beasts, it is worth remembering that, although it
would be possible to implement this from Linux (it requires rewriting
the kernel, the file systems, the libraries, and some of the
applications) it is a complete pain to use. ;-)
Adam
--
Adam Morris -- Onyx Internet -- Systems Engineer
http://www.onyx.net e-mail: Adam.Morris@onyx.net
vox: +44 (0)1642 216200 fax: +44 (0)1642 216201
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null