From: Amon Ott <ao@rsbac.org>
Subject: Re: Válasz: Protect rc file(s) from manual running
Date: Tue, 2 Oct 2001 10:31:39 +0200
Next Article (by Date): Re: rsbac dir Stanislav Ievlev
Previous Article (by Date): Re: rsbac dir Amon Ott
Top of Thread: Re: Válasz: Protect rc file(s) from manual running steve
Articles sorted by: [Date]
[Author]
[Subject]
On Tuesday 02 October 2001 07:34, Stanislav Ievlev wrote: > Problem with the scripts. > > Task: > 1) I have some bash script (e.g. to configure Firewall) > 2) This script uses some program (e.g. ipchains) for system configuration. > 3) I'm want to protect this configuration and script from changes. > > Problem: > I cannot use forced RC roles for the scripts, because when I start > script I really start interpreter (bash) with my (not forced) role. Then > this interpreter read data from the script and execute programs. > > Possible solution: > To use some simple wrapper, that executes script. > > Wrapper can use forced role , therefore, script (for Firewall > configuration) and program (ipchains) can be protected by RC. > Only wrapper can run this program and read this script. > > > P.S. May be Amon have better solution ? Scripts are a pain in the ... Just an untested idea: - Give /sbin/init an initial role 'Init Role', which is compatible with original root role. - When bootup has finished, the boot script calls sys_rsbac_rc_change_role(root-role) through a simple helper (see rc_role_wrap.c). - If necessary, the init process could get its final role set externally (would need MODIFY_ATTR on PROCESS) - All daemons which should run with normal root role are started through rc_role_wrap - If no other role is compatible with init-role, there is no way back. - Init role gets every access needed for bootup (copy from root role to start with) - Root role does not get access to special things, as you desire. We could even patch init to do the role change directly, but I do not like that. Amon. -- http://www.rsbac.org - To unsubscribe from the rsbac list, send a mail to majordomo@rsbac.org with unsubscribe rsbac as single line in the body.
Next Article (by Date): Re: rsbac dir Stanislav Ievlev
Previous Article (by Date): Re: rsbac dir Amon Ott
Top of Thread: Re: Válasz: Protect rc file(s) from manual running steve
Articles sorted by: [Date]
[Author]
[Subject]