[1711] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: Re: Re: Towards a solution of tmp-file problems

daemon@ATHENA.MIT.EDU (Andrew R. Baker)
Fri Mar 13 05:38:58 1998

Date: Thu, 12 Mar 1998 10:02:19 -0600 (CST)
From: "Andrew R. Baker" <andrewb@uab.edu>
Reply-To: "Andrew R. Baker" <andrewb@uab.edu>
To: linux-security@redhat.com
Cc: nick@zeta.org.au
In-Reply-To: <199803112136.IAA23600@gidora.zeta.org.au>
Resent-From: linux-security@redhat.com



On Thu, 12 Mar 1998, Nick Andrew wrote:
[snip] 
> I think the final suggestion in particular is the only one which will
> protect non-security-conscious scripts yet still allow child processes
> of these scripts to share temp files without any possibility of unrelated
> processes affecting same files. And the reason for that is that the
> private namespace access can be imposed from above.
> 
> For example (and this is only an example), a private namespace may be
> assigned for each user at login time (at the level of the login shell).
> Thus, the user's "ls" commands see files in whatever directory the
> private namespace is rooted, and for all intents and purposes it appears
> to be an ordinary filesystem. Yet no other users can see this. User runs
> unprivileged shell scripts, and shell scripts use this namespace. User
> runs setuid shell scripts (shudders) and top-level setuid script defines
> a private namespace which works for that process and all its children.
> User's unrelated processes can't see the second private namespace but
> not-particularly-security-conscious child processes of the setuid one
> (e.g. sort) can, and their temp files are not visible to the user or to
> any other user.

Maybe I'm not quite awake enough yet (and if so just ignore me), but this
looks very similar to what 'chroot' does.  

  Taken from the chroot(2) manpage:

DESCRIPTION
       chroot  changes  the  root  directory to that specified in
       path.  This directory will be used for path name beginning
       with  /.   The root directory is inherited by all children
       of the current process.

       Only the super-user may change the root directory.


This provides a "jail" in which to run the process that theoretically
can't be escaped.  It just needs to be used in such a way that no other
process can get in either.


-Andrew

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null


home help back first fref pref prev next nref lref last post