[1711] in linux-security and linux-alert archive
[linux-security] Re: Re: Re: Towards a solution of tmp-file problems
daemon@ATHENA.MIT.EDU (Andrew R. Baker)
Fri Mar 13 05:38:58 1998
Date: Thu, 12 Mar 1998 10:02:19 -0600 (CST)
From: "Andrew R. Baker" <andrewb@uab.edu>
Reply-To: "Andrew R. Baker" <andrewb@uab.edu>
To: linux-security@redhat.com
Cc: nick@zeta.org.au
In-Reply-To: <199803112136.IAA23600@gidora.zeta.org.au>
Resent-From: linux-security@redhat.com
On Thu, 12 Mar 1998, Nick Andrew wrote:
[snip]
> I think the final suggestion in particular is the only one which will
> protect non-security-conscious scripts yet still allow child processes
> of these scripts to share temp files without any possibility of unrelated
> processes affecting same files. And the reason for that is that the
> private namespace access can be imposed from above.
>
> For example (and this is only an example), a private namespace may be
> assigned for each user at login time (at the level of the login shell).
> Thus, the user's "ls" commands see files in whatever directory the
> private namespace is rooted, and for all intents and purposes it appears
> to be an ordinary filesystem. Yet no other users can see this. User runs
> unprivileged shell scripts, and shell scripts use this namespace. User
> runs setuid shell scripts (shudders) and top-level setuid script defines
> a private namespace which works for that process and all its children.
> User's unrelated processes can't see the second private namespace but
> not-particularly-security-conscious child processes of the setuid one
> (e.g. sort) can, and their temp files are not visible to the user or to
> any other user.
Maybe I'm not quite awake enough yet (and if so just ignore me), but this
looks very similar to what 'chroot' does.
Taken from the chroot(2) manpage:
DESCRIPTION
chroot changes the root directory to that specified in
path. This directory will be used for path name beginning
with /. The root directory is inherited by all children
of the current process.
Only the super-user may change the root directory.
This provides a "jail" in which to run the process that theoretically
can't be escaped. It just needs to be used in such a way that no other
process can get in either.
-Andrew
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null