RE: RSBAC suggestions / Problems


From: Amon Ott <ao@rsbac.org>
Subject: RE: RSBAC suggestions / Problems
Date: Thu, 12 Jul 2001 10:26:45 +0200

Next Article (by Date): RE: RSBAC suggestions / Problems Amon Ott
Previous Article (by Date): Planning v1.2.0 owner-rsbac@compuniverse.de [mailto:owner-rsbac@compuniverse.de]On
Top of Thread: RSBAC suggestions / Problems "Kaladis"
Next in Thread: RE: RSBAC suggestions / Problems Amon Ott
Articles sorted by: [Date] [Author] [Subject]


On Mit, 11 Jul 2001 Kaladis wrote:
> > You and all others: Do you think, there should be a global RSBAC config switch
> > 'Disable Linux filesystem access control', which disables all Linux filesystem
> > access control in vfs_permission()?
> 
> I'm not very fond of the idea to disable that globally. Instead of having it
> globally I would have it inheritant to a chosen directory or so. Everything
> being RSBAC only is somewhat chaos IMO. The only good way for a global
> switch would be adding a script that reads all files and such and then
> automagically applies RSBAC rules so that all permissions are the same as
> before but RSBAC controlled - and from what point secure modification is
> possible.

An option in the way I described in my other message has been added, but it is
of course off by default and has a big warning in config help.

A program doing with ACLs exactly what you wrote has already come into my mind.
It would do the following:
- Take all Linux groups, e.g. from the /etc/group file, and create similar (caller owned global) ACL groups
- recurse through all files and directories
- for each dir/file/fifo f1 with parent dir f2:
  1.) if owner(f1) == owner(f2) && group(f1) == group(f2) && mode(f1) == mode(f2) ((x on f2 && non-x on file/fifo f1) || (x on f2 && x on dir f1))
      then continue (ACL inheritance)
  2.) else: Set an ACL entry each for owner, group, group everyone (if other-bits set) and root (optional) with respective rights, set mask to special ACL rights only
- Optionally, root might just be given 'ACCESS_CONTROL' or 'SUPERVISOR' at FD :DEFAULT:

I might actually start coding this program anyway, it could be very useful.

Amon.
-
To unsubscribe from the rsbac list, send a mail to
majordomo@rsbac.org with
unsubscribe rsbac
as single line in the body.
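The conversion program sketched in Amon's message, as an added example that is not code from the RSBAC project or from the thread. It implements the planning half of the procedure: read the Linux groups from an /etc/group-style file, walk a tree, decide per object whether it can rely on ACL inheritance from its parent (rule 1) or needs explicit entries for owner, group, everyone and root (rule 2). The x-bit clause of rule 1 is applied here per permission class (user/group/other): the read/write bits must match the parent's, a directory child must carry the same execute bit as the parent, and a file or fifo child must have none. That reading, the right names (READ, WRITE, EXECUTE, SEARCH), giving root all rights, and the "mask" placeholder are this example's assumptions; the actual RSBAC ACL commands that would apply the plan are left out. The sample tree is constructed inline so the planner runs offline; `scan_tree()` does the same from a real directory.

```python
"""Plan ACL entries from Unix mode bits with parent inheritance (added example)."""
import os
import stat
from dataclasses import dataclass

# Right names are a simplified assumption, not RSBAC's real request types.
RIGHTS_FOR_FILE = {4: "READ", 2: "WRITE", 1: "EXECUTE"}
RIGHTS_FOR_DIR = {4: "READ", 2: "WRITE", 1: "SEARCH"}
MASK = ["<special ACL rights only>"]  # placeholder for the message's mask setting


@dataclass
class FileInfo:
    path: str
    kind: str   # "dir", "file" or "fifo"
    uid: int
    gid: int
    mode: int   # permission bits only (0o777 mask)


def parse_groups(etc_group_text):
    """Map Linux group names to gids from /etc/group-style lines (name:x:gid:members)."""
    groups = {}
    for line in etc_group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, _members = line.split(":", 3)
        groups[name] = int(gid)
    return groups


def class_bits(mode, shift):
    """rwx bits of one permission class: shift 6=user, 3=group, 0=other."""
    return (mode >> shift) & 0o7


def inherits(child, parent):
    """Rule 1: child may rely on the parent's ACL (same owner/group, same rw bits,
    and the execute bit behaves as the message describes for dirs vs files/fifos)."""
    if child.uid != parent.uid or child.gid != parent.gid:
        return False
    for shift in (6, 3, 0):
        p, c = class_bits(parent.mode, shift), class_bits(child.mode, shift)
        if (p & 0o6) != (c & 0o6):          # read/write bits must be identical
            return False
        if child.kind == "dir" and bool(c & 1) != bool(p & 1):
            return False                     # dir child keeps the parent's x
        if child.kind != "dir" and (c & 1):
            return False                     # executable file cannot inherit from dir
    return True


def acl_entries(obj, root_rights=True):
    """Rule 2: explicit entries for owner, group, everyone (if other bits) and root."""
    table = RIGHTS_FOR_DIR if obj.kind == "dir" else RIGHTS_FOR_FILE
    rights = lambda bits: sorted(n for b, n in table.items() if bits & b)
    entries = [("user", obj.uid, rights(class_bits(obj.mode, 6))),
               ("group", obj.gid, rights(class_bits(obj.mode, 3)))]
    other = class_bits(obj.mode, 0)
    if other:
        entries.append(("everyone", None, rights(other)))
    if root_rights:  # assumption: root gets every right; the message leaves this optional
        entries.append(("user", 0, sorted(table.values())))
    return {"entries": entries, "mask": MASK}


def plan_tree(infos):
    """infos must list each parent before its children (scan_tree guarantees this)."""
    by_path = {f.path: f for f in infos}
    plan = {}
    for f in infos:
        parent = by_path.get(os.path.dirname(f.path))
        if parent is not None and inherits(f, parent):
            plan[f.path] = "inherit"
        else:
            plan[f.path] = acl_entries(f)
    return plan


def scan_tree(root):
    """Collect FileInfo for dirs, regular files and fifos under root (symlinks skipped)."""
    infos = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, n) for n in files]:
            st = os.lstat(path)
            kind = ("dir" if stat.S_ISDIR(st.st_mode) else "file" if stat.S_ISREG(st.st_mode)
                    else "fifo" if stat.S_ISFIFO(st.st_mode) else None)
            if kind:
                infos.append(FileInfo(path, kind, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)))
    return infos


# Constructed sample tree (not real system data): one owner, mixed modes and kinds.
SAMPLE = [
    FileInfo("/srv/data", "dir", 1000, 100, 0o755),
    FileInfo("/srv/data/readme.txt", "file", 1000, 100, 0o644),   # inherits
    FileInfo("/srv/data/run.sh", "file", 1000, 100, 0o755),       # x on file: explicit
    FileInfo("/srv/data/sub", "dir", 1000, 100, 0o755),           # inherits
    FileInfo("/srv/data/sub/private.txt", "file", 1000, 100, 0o600),  # group differs
    FileInfo("/srv/data/sub/queue", "fifo", 1000, 100, 0o660),    # group differs
    FileInfo("/srv/data/other", "dir", 2000, 100, 0o755),         # owner differs
]
SAMPLE_GROUPS = "root:x:0:\nusers:x:100:\nstaff:x:50:ao\n"   # constructed

if __name__ == "__main__":
    print(parse_groups(SAMPLE_GROUPS))
    for path, decision in plan_tree(SAMPLE).items():
        print(path, "->", decision)
```

Replacing `SAMPLE` with `scan_tree("/some/dir")` gives the plan for a real subtree; the point of keeping the decision and the application apart is that the plan can be reviewed (in particular every object that falls out of inheritance) before any ACL is changed.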
