Re: access control by name, not inode


From: Amon Ott <ao@rsbac.org>
Subject: Re: access control by name, not inode
Date: Mon, 10 Dec 2001 18:47:51 +0100

Next Article (by Subject): RE: access control by name, not inode Jörgen_Sigvardsson
Previous Article (by Subject): access control by name, not inode Arkady A Drovosekov
Top of Thread: access control by name, not inode Arkady A Drovosekov
Next in Thread: RE: access control by name, not inode Jörgen_Sigvardsson
Articles sorted by: [Date] [Author] [Subject]


On Monday, 10. December 2001 14:29, Arkady A Drovosekov wrote:
> Hi,
> is it possible to control access by the name of an entity?
> e.g.:
> 1 - I assign a role to file A,
> 2 - program B (it has rights to do anything with file A) deletes this file
> 3 - program B creates a file with the same name A
> 4 - at this point it seems file A has no assigned role
>
> passwd - such evil program ;-) , at least when you change password and
> shadow file (the victim) is used

Sorry, no. RSBAC is inode based, because several names can point to the same 
file.

What I do is use a shell script wrapper around passwd, which gets a forced 
role, calls passwd and then sets the types for /etc/passwd etc. to the 
desired values. Ugly, but works.

Amon.
--
http://www.rsbac.org
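
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not RSBAC code: a constructed inode-keyed label table in Python (`labels`, `set_label`, `get_label`, `replace_file` and `wrapped_replace` are hypothetical names). It shows that a label is shared by every hard-linked name, is missing after the file is replaced under the same name, and is restored by a wrapper that sets it again after the update.

```python
import os
import tempfile

# Constructed stand-in for an inode-keyed attribute table (assumption, not RSBAC's own).
labels = {}

def inode_key(path):
    st = os.stat(path)
    return (st.st_dev, st.st_ino)

def set_label(path, label):
    labels[inode_key(path)] = label

def get_label(path):
    return labels.get(inode_key(path))

def replace_file(path, data):
    """Replace a file under the same name: write a new file, then rename it over the old one."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(data)
    os.rename(tmp, path)  # the name now points to a new inode

def wrapped_replace(path, data, label):
    """Wrapper pattern from the reply: run the update, then set the label again."""
    replace_file(path, data)
    set_label(path, label)

def demo():
    with tempfile.TemporaryDirectory() as d:
        shadow = os.path.join(d, "shadow")       # constructed sample file
        alias = os.path.join(d, "shadow.link")
        with open(shadow, "w") as f:
            f.write("root:x\n")
        os.link(shadow, alias)                    # second name, same inode
        set_label(shadow, "secret")
        shared = get_label(alias)                 # label is reachable through both names
        replace_file(shadow, "root:y\n")
        after_plain = get_label(shadow)           # new inode has no label
        on_old_inode = get_label(alias)           # old inode keeps its label
        wrapped_replace(shadow, "root:z\n", "secret")
        after_wrapped = get_label(shadow)         # wrapper has set the label again
        return shared, after_plain, on_old_inode, after_wrapped

if __name__ == "__main__":
    print(demo())
```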
