Comments on: Misunderstanding UNIX security

By: Toshi

Toshi — Wed, 15 Aug 2007 02:14:00 +0000

Dear Joshua,

First of all, I do apologize if you felt my message uncomfortable and not respectful for any reason. Believe me. I just didn’t mean it at all. Maybe I might have chosen the wrong place for my posting. Anyway, my points were:

Yes, path name can be varied (therefore path names should be taken care)
Yes, inode for given object is unaffected (unchanged) and it’s one of the advantages of the label based security.
No, the example shown above does not prove the path name MAC’s fatal shortage

You kindly took your time to attend TOMOYO Linux BoF at OLS2007 (I really appreciated that and your advice that’s why I’m reading your Blog), so I assume you know how I evaluate SELinux and label based MAC. I never say path based MAC is better or more reliable, but I think path based MAC can be used for some place as an “option” or supplemental tool.

Again, I apologize for my previous posting.

By: Joshua Brindle

Joshua Brindle — Mon, 13 Aug 2007 00:17:27 +0000

@Toshi

This example has nothing to do with path based access control mechanisms or TOMOYO, it has to do with how hardlinks work on unix systems and how DAC permissions are attached to the inode. Please be a little more respectful and try to understand the post in the future.

By: Toshi

Toshi — Mon, 30 Jul 2007 14:59:47 +0000

Brindle,

I’m afraid but your example is too simple minded and not realistic.

How come you can expect “# ln /etc/shadow /tmp/shadow” succeed?
Have you ever tried that with path-based MAC?

It will fail unless you explicitly grant it in the policy definition at least
with TOMOYO Linux.

By: Joel

Joel — Fri, 20 Jul 2007 14:32:14 +0000

@Vincent: the reason is that you prevented access to the DIRECTORY (and thus all files in the directory, simply because you cannot read the directory). If you were somehow able to get into the directory (by, for example, restoring rx permissions, cd-ing into the directory and then removing rx permissions again), you would find that you can indeed cat the file.

By: Vincent

Vincent — Fri, 20 Jul 2007 09:46:26 +0000

the UNIX permissions absolutely do not have anything to do with paths, only with inodes

As much as I agree that inode-based security is the way to go, there are times when your staement isn’t true. For example :

#mkdir d1 d2 #echo hello > d1/f1 #ln d1/f1 d2/f2 #ls -i d*/ d1/: 1479281 f1

d2/: 1479281 f2 #chmod -wrx d1 #cat d1/f1 cat: d1/f1: Permission denied #cat d2/f2 hello

By: Kototama

Kototama — Wed, 18 Jul 2007 17:35:07 +0000

Thanks to your blog know I understand far better why AppArmor and SELinux are not comparable and why the advertisement on AppArmor (they speak about “process containment” whereas its does only contains files accesses) is misleading. Thanks to you now I can see that AppArmor doesn’t do full MAC and other weakness.

By: Bruno Wolff III

Bruno Wolff III — Mon, 16 Jul 2007 19:06:17 +0000

Thanks for that information.
I probably ran across that somewhere but missed it; as I would expect the process and initial directory context to be used in determining the context of a newly created file. But most of what I had run across had either mentioned the ‘normal’ getting the context from the directory (independent of the process context) or dealt with relabelingand I had probably forgotten the better explanation.
I see that the data used for relabeling in Fedora is not the same as what was used to label files originally and is more dangerous than I previously thought. I also see why restorecond (in Fedora) might be used to keep users from accidentally leaving mislabeled config files in /etc. But also that one might not to run it and instead be more careful about editing config files instead.

By: Joshua Brindle

Joshua Brindle — Mon, 16 Jul 2007 18:03:11 +0000

Bruno:

Yes, the policy has type_transition statements that dictate how files get created. For example in the policy you might see something like:

type_transition user_t tmp_t : file user_tmp_t;

this means that if a process running as user_t (most user processes on the strict policy) creates a file in tmp_t (generally the label for the /tmp directory) then the file is created as user_tmp_t. This allows people to write files to /tmp and know that they won’t be accessible by other processes that aren’t allowed to read files with that label.

This is one huge advantage over path based mechanisms, if a sys admin logs in via ssh and has a key agent running the socket will be sysadm_sshd_tmp_t in /tmp, so it won’t be accessible by others, even if they have the same UID. However, since the ssh files are fairly random (/tmp/ssh-XXXXXXX) where the X’s are random numbers/letters path based mechanisms cannot protect them and instead rely on DAC to do so.

By: Bruno Wolff III

Bruno Wolff III — Mon, 16 Jul 2007 17:50:54 +0000

Is there a way to control what context is initially assigned to a newly created file? From what I’ve found so far it looks like files get the context of the containing directory and that if an application wants something different it needs to make another system call to change it.
It seems that there should be a way to control the context used for files created by an application without having them hard wired into the application or dependent on the application creating files only in certain directories. While policy can block creating files with inappropiate contexts, it doesn’t seem to be able to provide a way to default an appropiate one.

By: fa

fa — Sun, 15 Jul 2007 18:11:36 +0000

Hello, good post.
I know this is unrelated but would you mind writing about the SELinux policy server project, anyway thanks a lot