[rsbac] Protecting secoff from malicious root

Bencsath Boldizsar rsbac@rsbac.org
Sat, 2 Mar 2002 01:50:17 +0100 (CET)


> One way of protection would be to use a different way of login for secoff,
> e.g. via ssh, and disallow changing to secoff uid for /bin/login.
>
This is why I mentioned 'incompatible roles' as an advancement. If only
a trampoline role can be used to get the secoff role, and this trampoline role
has only very limited capabilities (e.g. run a wrapper), then this issue
can be controlled better. (I think...)

The other problem is the upgrade procedure of programs. It is quite boring
turning off setuid rights, upgrading software, turning on setuid rights, or
checking capabilities, etc.
An easy solution could be the following:

1. Something turns off all rsbac modules and turns on an 'upgrade' state.
2. If any 'write open' (etc.) function occurs on an inode, rsbac dumps the
old attributes (like backup_all) to a special file.
3. After the upgrade procedure, this file could be sanitized, so only
the first attribute dump is left in the file.
4. After this, the script can be used to make sure that every upgraded
file has the same attributes as before.
5. Turn on rsbac.

... or something like this...
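Steps 3 and 4 of the proposal above, as an added example that is not part of the list post and not RSBAC's own tooling: it assumes a constructed dump line format `path<TAB>attribute=value` (not the real backup_all format) and constructed sample attribute values.

```python
"""Sanitize a per-write-open attribute dump and diff it against the
post-upgrade attributes. Added example; the 'path<TAB>attr=value' line
format and the sample values are constructed for illustration and are
NOT the format or output of RSBAC's backup_all."""

# Constructed sample: the upgrade wrote /usr/bin/passwd twice, so (per the
# proposal) rsbac dumped its attributes twice. Only the first dump of each
# attribute reflects the pre-upgrade state; the second already shows the
# attributes after the new binary replaced the old inode.
UPGRADE_DUMP = """\
/usr/bin/passwd\tmin_caps=0
/usr/bin/passwd\tsecurity_level=1
/usr/bin/passwd\tmin_caps=31
/usr/bin/passwd\tsecurity_level=0
/bin/login\tmin_caps=0
"""

# Constructed sample: attributes read back after the upgrade finished.
POST_UPGRADE = """\
/usr/bin/passwd\tmin_caps=31
/usr/bin/passwd\tsecurity_level=0
/bin/login\tmin_caps=0
/usr/bin/newtool\tmin_caps=0
"""


def sanitize(text):
    """Step 3: keep only the FIRST dump of each (path, attribute) pair,
    dropping the dumps produced by later write opens. Returns
    {path: {attr: value}}."""
    first = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        path, kv = line.split("\t", 1)
        attr, value = kv.split("=", 1)
        first.setdefault(path, {}).setdefault(attr, value)
    return first


def restore_plan(expected, current):
    """Step 4: list (path, attr, old, new) for every attribute whose
    post-upgrade value differs from the sanitized pre-upgrade dump.
    Files that were never dumped were not written and are not checked."""
    plan = []
    for path, attrs in expected.items():
        for attr, old in attrs.items():
            new = current.get(path, {}).get(attr)
            if new != old:
                plan.append((path, attr, old, new))
    return plan


if __name__ == "__main__":
    for path, attr, old, new in restore_plan(sanitize(UPGRADE_DUMP),
                                             sanitize(POST_UPGRADE)):
        print(f"{path}: {attr} should be {old}, is {new}")
```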