R: access control by name, not inode


From: "Alberto Guglielmo" <a.guglielmo@tcpsas.com>
Subject: R: access control by name, not inode
Date: Mon, 10 Dec 2001 16:53:02 +0100



I think that if you assign a specific role to "passwd" and force the
file-creation-type of this role you can solve the problem. In this case also
/etc/passwd assumes the same rc-type of "shadow" which, in my applications,
has never led to problems but.....
In between, I modified the passwd program so as to prohibit "root" from
changing the passwords of other users, and created a specific role, say
Password Administrator, which can set the passwords of all the users
(controls embedded in the passwd program). All this to solve (or attenuate
at least ;) the problem of root that can change the password of the security
administrator and impersonate him.....
Regards

Alberto Guglielmo
a.guglielmo@tcpsas.com
Key Fingerprint:7EAF 9E34 2838 7C6B EE47  E8F0 FFC5 3CBC 90AA 5EEE
PGP Keys at:
http://pgpkeys.mit.edu:11371



-----Original Message-----
From: owner-rsbac@compuniverse.de [mailto:owner-rsbac@compuniverse.de] On
Behalf Of Arkady A Drovosekov
Sent: Monday, 10 December 2001 14.30
To: RSBAC List
Subject: access control by name, not inode


Hi,
is it possible to control an access by name of entity?
e.g.:
1 - I assign role to file A,
2 - program B (it has rights to do anything with file A) deletes this file
3 - program B creates a file with the same name A
4 - at this point it seems file A has no assigned role

passwd - such an evil program ;-), at least when you change password and
shadow file (the victim) is used
--
Best regards,
Arkady
-
To unsubscribe from the rsbac list, send a mail to
majordomo@rsbac.org with
unsubscribe rsbac
as single line in the body.
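
Added example, not part of the original messages and not RSBAC code: a toy Python model of the delete-and-recreate sequence from the question and of the forced file-creation type suggested in the reply, including the side effect that /etc/passwd ends up with the same type. The class and function names, the type names "general" and "shadow", and the assumption that an unlabeled new file falls back to one default type are constructed for illustration.

```python
# Toy model of inode-bound type labels; an illustration, not RSBAC code.
from itertools import count
from typing import Dict, Optional

DEFAULT_TYPE = "general"  # constructed name for "no specific type assigned"


class LabeledFS:
    """Names map to inodes; the access-control type hangs off the inode."""

    def __init__(self) -> None:
        self._ino = count(100)
        self.names: Dict[str, int] = {}
        self.types: Dict[int, str] = {}

    def create(self, path: str, forced_type: Optional[str] = None) -> None:
        # A new file is always a new inode. It only gets a specific type
        # if the creating role carries a forced file-creation type.
        ino = next(self._ino)
        self.names[path] = ino
        self.types[ino] = forced_type or DEFAULT_TYPE

    def set_type(self, path: str, rc_type: str) -> None:
        self.types[self.names[path]] = rc_type

    def unlink(self, path: str) -> None:
        # The label disappears with the inode; nothing is kept under the name.
        del self.types[self.names.pop(path)]

    def type_of(self, path: str) -> str:
        return self.types[self.names[path]]


def replay_passwd(forced_type: Optional[str]) -> Dict[str, str]:
    """Replay steps 1-4 for shadow, with passwd rewriting both files."""
    fs = LabeledFS()
    for path in ("/etc/passwd", "/etc/shadow"):
        fs.create(path)                      # installed by an ordinary role
    fs.set_type("/etc/shadow", "shadow")     # step 1: administrator labels it
    for path in ("/etc/passwd", "/etc/shadow"):
        fs.unlink(path)                      # step 2: passwd deletes the file
        fs.create(path, forced_type)         # step 3: and recreates the name
    return {p: fs.type_of(p) for p in fs.names}  # step 4: the label now


if __name__ == "__main__":
    print("no forced type:  ", replay_passwd(None))
    print("forced 'shadow': ", replay_passwd("shadow"))
```
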
