Re: root access to block disk devices


From: Amon Ott <ao@rsbac.org>
Subject: Re: root access to block disk devices
Date: Mon, 16 Jul 2001 17:34:19 +0200

Next Article (by Date): Re: root access to block disk devices Amon Ott
Previous Article (by Date): Re: Several questions Amon Ott
Top of Thread: root access to block disk devices steve
Next in Thread: Re: root access to block disk devices Amon Ott
Articles sorted by: [Date] [Author] [Subject]


On Sat, 14 Jul 2001 steve wrote:
> 	I'm trying to prevent root from accessing my disk devices directly. 
> Using ACLs, I've been successful in preventing root from doing an 'ls -l
> /dev/sda' (not what I really want), but 'strings /dev/sda' still works. 
> I would like to prevent root from reading/writing directly to any
> /dev/sda* file.
> 	I've modified the inherit masks on /dev/sda for both FD and DEV targets
> and removed all access.  This still doesn't prevent root from reading
> /dev/sda directly.

Congratulations, you found a bug in the ACL code. The inheritance mask was not
applied correctly for DEV and SCD items.

The bug has been fixed in my tree; you will see the correct behaviour in pre8.

> I've discovered that root can't read /dev/mem or /dev/kmem.  How are
> these protections being setup?

As SCD target kmem, in addition to the device.
 
> I'm using the rsbac_menu for configuration.  Are all necessary options
> for ACLs, FF, AUTH, and RC available through the menu?   Maybe that's my
> problem.

They should all be accessible from there. Only bug descriptions are missing... ;)

Amon.
-
To unsubscribe from the rsbac list, send a mail to
majordomo@rsbac.org with
unsubscribe rsbac
as single line in the body.
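
The inheritance-mask behaviour Amon describes, as an added illustration that is not RSBAC's own code: a simplified Python model in which a subject's effective rights on an object are the object's own ACL entries plus the parent's rights filtered through the object's inheritance mask, with a `buggy` flag that reproduces the reported defect of skipping the mask for DEV and SCD targets. The rights names, the "DEV default" parent object and the resolution rule are constructed assumptions for the model.

```python
# Simplified model of ACL inheritance masks (constructed illustration,
# not RSBAC's implementation). Effective rights on an object are its own
# entries for the subject, plus the rights inherited from the parent
# filtered through the object's inheritance mask. The `buggy` flag models
# the defect from the mail: the mask is ignored for DEV and SCD targets.

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

# Constructed set of rights names used by this model.
ALL_RIGHTS = frozenset({"READ", "WRITE", "READ_OPEN", "WRITE_OPEN", "GET_STATUS_DATA"})


@dataclass
class AclObject:
    name: str
    target: str                        # "FD", "DEV" or "SCD"
    parent: Optional["AclObject"]      # object rights are inherited from; None at the top
    entries: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    inherit_mask: FrozenSet[str] = ALL_RIGHTS   # default mask lets everything through


def effective_rights(obj: AclObject, subject: str, buggy: bool = False) -> FrozenSet[str]:
    """Resolve the subject's rights on obj, walking up the inheritance chain."""
    own = obj.entries.get(subject, frozenset())
    if obj.parent is None:
        return own
    inherited = effective_rights(obj.parent, subject, buggy)
    if buggy and obj.target in ("DEV", "SCD"):
        # The reported bug: inherited rights pass through unfiltered,
        # so clearing the mask on /dev/sda has no effect.
        return own | inherited
    # Fixed behaviour: inherited rights are limited by the object's mask.
    return own | (inherited & obj.inherit_mask)


def can_read(obj: AclObject, subject: str, buggy: bool = False) -> bool:
    return "READ" in effective_rights(obj, subject, buggy)


# Constructed sample: a DEV default ACL granting root everything, and
# /dev/sda whose inheritance mask has had all rights removed, as in the mail.
dev_default = AclObject("DEV default", "DEV", None, {"root": ALL_RIGHTS})
sda = AclObject("/dev/sda", "DEV", dev_default, inherit_mask=frozenset())

if __name__ == "__main__":
    print("buggy:", sorted(effective_rights(sda, "root", buggy=True)))
    print("fixed:", sorted(effective_rights(sda, "root", buggy=False)))
```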
