From: "Paul D. Robertson" <proberts@clark.net>
Subject: Re: RC separation of duty
Date: Mon, 8 Nov 1999 08:52:04 -0500 (EST)
Next Article (by Subject): Re: RC separation of duty ao@morpork.shnet.org (A. Ott)
Previous Article (by Subject): Re: RC separation of duty ao@morpork.shnet.org (A. Ott)
Top of Thread: RC separation of duty ao@morpork.shnet.org (A. Ott)
Next in Thread: Re: RC separation of duty ao@morpork.shnet.org (A. Ott)
Articles sorted by: [Date]
[Author]
[Subject]
On 8 Nov 1999, A. Ott wrote: > > For instance, SYSADMIN needs to log in via /usr/local/sbin/sshd, > > otherwise the maximum role privilege you can use is USER. I don't mind > > having to fix sshd to do some sort of RSBAC call. > > No, this concept is not (yet) included in RC. You can only use AUTH model > to limit the list of users /bin/login may change to. This was my original > idea of login path limiting. > > Maybe I should allow a negative AUTH capability list, meaning 'every user > but the listed ones'. Or a range setting. Here's what I'm thinking of trying to accomplish: Let's say we have an ID called foo, and it's got the sysadmin role normally. If foo logs in from the console, or SSH's in, I'd like it to be SYSADMIN, but if foo telnets in, I don't want the ID to be able to go higher than USER. This gives me the ability to extend trust based on where an ID is coming from. Eventually, I'd like to add source address or interfaces to the model. eth0 could be my Internet interface and never get beyond USER, where eth1 could be my private network and have SYSADMIN and the console could have SECURITY OFFICER. Maybe there's a better or more logical way to accomplish what I'd like to do. DG/UX B2 allowed MAC limits per IP/interface/program/ID... So I could set the default MAC to an untrusted value, then any ID or process that wasn't spawned from a trusted network would never be able to break out of the MAC box. You could compromise an admin ID and password, but if you weren't coming from a trusted location it didn't buy you anything. Likewise, compromising a daemon from an untrusted path still kept you at an untrusted level because the MAC set on the path couldn't dominate anything else on the box. Negative auth would be useful for setting daemons and users that aren't shell users out, but I'm not sure it gets me any closer to the above? Would a trusted /bin/rsbaclogin make sense at this point? Maybe having something extensible that could set role and MAC attributes as a part of the TCB is the way to go. Are RSBAC calls to do this available and easily used? Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts@clark.net which may have no basis whatsoever in fact." PSB#9280 - To unsubscribe from the rsbac list, send a mail to majordomo@morpork.shnet.org with unsubscribe rsbac as single line in the body.
Next Article (by Subject): Re: RC separation of duty ao@morpork.shnet.org (A. Ott)
Previous Article (by Subject): Re: RC separation of duty ao@morpork.shnet.org (A. Ott)
Top of Thread: RC separation of duty ao@morpork.shnet.org (A. Ott)
Next in Thread: Re: RC separation of duty ao@morpork.shnet.org (A. Ott)
Articles sorted by: [Date]
[Author]
[Subject]