[1710] in linux-security and linux-alert archive
[linux-security] Re: Re: Re: Towards a solution of tmp-file problems
daemon@ATHENA.MIT.EDU (Sam Holden)
Fri Mar 13 05:16:22 1998
To: linux-security@redhat.com
In-Reply-To: Your message of "Thu, 12 Mar 1998 08:36:40 +1100."
<199803112136.IAA23600@gidora.zeta.org.au>
Date: Fri, 13 Mar 1998 10:23:05 +1100
From: Sam Holden <sholden@pgrad.cs.usyd.edu.au>
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
In message <199803112136.IAA23600@gidora.zeta.org.au>, Nick Andrew writes:
>Forwarding a message from Rogier Wolff:
<SNIP>
>I think the final suggestion in particular is the only one which will
>protect non-security-conscious scripts yet still allow child processes
>of these scripts to share temp files without any possibility of unrelated
>processes affecting same files. And the reason for that is that the
>private namespace access can be imposed from above.
>
>For example (and this is only an example), a private namespace may be
>assigned for each user at login time (at the level of the login shell).
>Thus, the user's "ls" commands see files in whatever directory the
>private namespace is rooted, and for all intents and purposes it appears
>to be an ordinary filesystem. Yet no other users can see this. User runs
>unprivileged shell scripts, and shell scripts use this namespace. User
>runs setuid shell scripts (shudders) and top-level setuid script defines
>a private namespace which works for that process and all its children.
>User's unrelated processes can't see the second private namespace but
>not-particularly-security-conscious child processes of the setuid one
>(e.g. sort) can, and their temp files are not visible to the user or to
>any other user.
It's the obvious way to do it to me. Just 'steal' the plan 9 code for mounting
directories on a per-process basis, with options to fork() which allow those
changes to the directory structure to be visible to child processes or not. Plus
a change can be made 'permanent' such that child processes can't undo it.
ie. /$HOME/tmp replaces tmp which would be done by login or something
similar. Everything stays the same except security conscience programs and
'sharing' programs that use tmp for IPC or whatever.
For security programs a wrapper around them replaces /tmp ($HOME/tmp)
with a 'secure' directory it constructed for the 'secure' program, for other
programs is 'merges' the two directories, so that /tmp now appears to
contain all the stuff in both $HOME/tmp and the 'secure' directory.
For IPC purposes a wrapper would have to replace /tmp with /mnt/ipc or
similar...
Because tmp is used for may purposes a solution that requires no client
code changes may be impossible (how do you know if the file is meant
to be secure or meant to be shared?).
Sam
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null