Re: Válasz: Protect rc file(s) from manual running


From: Amon Ott <ao@rsbac.org>
Subject: Re: Válasz: Protect rc file(s) from manual running
Date: Tue, 2 Oct 2001 10:31:39 +0200



On Tuesday 02 October 2001 07:34, Stanislav Ievlev wrote:
> Problem with the scripts.
>
> Task:
> 1) I have some bash script (e.g. to configure Firewall)
> 2) This script uses some program (e.g. ipchains) for system configuration.
> 3) I want to protect this configuration and script from changes.
>
> Problem:
> I cannot use forced RC roles for the scripts, because when I start a
> script I really start the interpreter (bash) with my (not forced) role. Then
> this interpreter reads data from the script and executes programs.
>
> Possible solution:
> To use some simple wrapper that executes the script.
>
> The wrapper can use a forced role; therefore, the script (for Firewall
> configuration) and the program (ipchains) can be protected by RC.
> Only the wrapper can run this program and read this script.
>
>
> P.S. Maybe Amon has a better solution?

Scripts are a pain in the ...

Just an untested idea:

- Give /sbin/init an initial role 'Init Role', which is compatible with the original root role.
- When bootup has finished, the boot script calls sys_rsbac_rc_change_role(root-role) through a simple helper (see rc_role_wrap.c).
- If necessary, the init process could get its final role set externally (would need MODIFY_ATTR on PROCESS).
- All daemons which should run with the normal root role are started through rc_role_wrap.
- If no other role is compatible with init-role, there is no way back.
- Init role gets every access needed for bootup (copy from root role to start with).
- Root role does not get access to special things, as you desire.

We could even patch init to do the role change directly, but I do not like that.

Amon.
--
http://www.rsbac.org
-
To unsubscribe from the rsbac list, send a mail to
majordomo@rsbac.org with
unsubscribe rsbac
as single line in the body.
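A wrapper along the lines discussed in this thread, as an added example (not the rsbac project's rc_role_wrap.c and not code from either poster): it assumes the RSBAC admin tools have set an RC forced role on the wrapper binary, so the process already holds that role and makes no RSBAC calls itself. Its job is to restrict which scripts may run under that role and to exec bash with a fixed environment, so that only the wrapper decides what the interpreter reads; the script directory and names are constructed.

```c
/* Constructed forced-role launcher, not the rsbac project's rc_role_wrap.c.
 * Assumed: the RSBAC admin tools set an RC forced role on this binary, so
 * the process already holds that role here. Paths/names are constructed. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Only these scripts may run under the forced role: the wrapper, not the
 * caller, decides what the interpreter reads. */
static const char *const allowed[] = {
    "/etc/rsbac/scripts/firewall.sh",
    "/etc/rsbac/scripts/routes.sh",
};

/* Map a bare script name to its fixed absolute path, or return NULL.
 * Names containing '/' are rejected so callers cannot choose a path. */
const char *resolve_script(const char *name)
{
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL)
        return NULL;
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(strrchr(allowed[i], '/') + 1, name) == 0)
            return allowed[i];
    return NULL;
}

/* Build the interpreter command line: the script is passed as a file
 * argument, so bash opens and reads it while holding the forced role. */
int build_argv(const char *script, char *out[3])
{
    if (script == NULL) return -1;
    out[0] = "/bin/bash";
    out[1] = (char *)script;
    out[2] = NULL;
    return 0;
}

int main(int argc, char **argv)
{
    /* Fixed environment: no BASH_ENV, ENV or PATH from the caller, so the
     * caller cannot make bash source extra files under the forced role. */
    static char *const env[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };
    char *args[3];
    if (argc != 2 || build_argv(resolve_script(argv[1]), args) != 0) {
        fprintf(stderr, "usage: rc_role_wrap <script-name>\n");
        return 2;
    }
    execve(args[0], args, env);
    perror("execve");
    return 1;
}
```

With this split, RC can give the script files and ipchains read/execute access only to the wrapper's role, while a user running bash directly keeps their own role and gets neither.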
