[rsbac] Reply: Re: [rsbac] role set ff flags?

rsbac@rsbac.org rsbac@rsbac.org
Thu Nov 28 08:21:01 2002


Like RedHat: /var/lib/rpm
Back then I tried to play with FF settings to achieve the same result. It is very
good for additional security but not as flexible as RC. I suggest you
try to do the same with RC. Create a new FD like VAR_FD. Set it to /var.
Give everybody the same rights as with FF. Create a new FD e.g. VAR_AP_FD
for /var/adm/packages and a new role like RPM_RC for your package manager.
Set up the necessary rights. No one but your package manager will be able to
write and modify this directory. See Amon's description on www.rsbac.org

By the way: setting and unsetting FF flags works OK, but what happens
in the meantime? Some malicious code could do severe damage to your system. I
think setting flags on the fly is perhaps not the best solution. And do not
forget: if you can switch it off, someone else could also do it.

Best regards,

Gabor
ghorvath@minolta.hu





"Josh Beagley" <j.beagley@student.qut.edu.au>
Sender: rsbac-admin@rsbac.org
2002.11.27 16:18
Please reply to this person: rsbac

    To:      rsbac@rsbac.org
    Cc:
    Subject: Re: [rsbac] role set ff flags?


> On Wednesday, 27. November 2002 15:10, Josh Beagley wrote:
> > I am currently a Slackware user, and ideally wanted to have my /var
> > directories except run and some others set to no_delete_or_rename and
> > no_execute with ff_flags. However the Slackware install programs need write
> > access whenever I choose to install/uninstall packages. Is it possible for
> > a role to set/unset FF flags?
>
> The FF model requires a user with FF role set to Security Officer
> to (un)set flags.
>
> What is the problem here? You can do everything with and inside
> the dir, except rename or delete the dir itself. If the
> installer needs to run programs somewhere below, then you need
> another solution.
>
> Amon.
> --
> http://www.rsbac.org
> _______________________________________________
> rsbac mailing list
> rsbac@rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac


Apologies, I also had append_only. The Slackware installer keeps track of
installed packages by writing the package name to /var/adm/packages and
filling it with the location of files. I was wanting to only have it unset
append_only when the installer was run, and unset append_only and
no_delete_or_rename when the uninstaller was run.
_______________________________________________
rsbac mailing list
rsbac@rsbac.org
http://www.rsbac.org/mailman/listinfo/rsbac
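The two approaches Gabor compares above, RC type enforcement on /var/adm/packages versus unsetting and resetting FF flags while the installer runs, as a small Python model added here for illustration. It is not RSBAC code and does not use the RSBAC admin tools. The type and role names (VAR_FD, VAR_AP_FD, RPM_RC) are taken from his suggestion; the request names, the rights tables, the rule that an untyped path takes the type of its nearest typed ancestor, the flag-to-denial mapping, and the event timeline are assumptions constructed for the model.

```python
"""Toy model (added example, not RSBAC code) of RC type enforcement versus
on-the-fly FF flag toggling, following Gabor's suggestion in the thread.
Type/role names come from the thread; request names, rights tables, the
inheritance rule and the timeline below are constructed assumptions."""

# RC side: explicit FD types. Assumption: an untyped path takes the type of
# its nearest typed ancestor (longest matching prefix).
FD_TYPES = {
    "/": "GENERAL_FD",
    "/var": "VAR_FD",
    "/var/adm/packages": "VAR_AP_FD",
}

# role -> FD type -> allowed requests (constructed rights table)
RC_RIGHTS = {
    "GENERAL_ROLE": {                             # everybody else
        "GENERAL_FD": {"READ", "WRITE", "EXECUTE"},
        "VAR_FD": {"READ", "WRITE", "EXECUTE"},   # same rights on /var as before
        "VAR_AP_FD": {"READ"},                    # package db is read-only for them
    },
    "RPM_RC": {                                   # the package manager's role
        "GENERAL_FD": {"READ", "WRITE", "EXECUTE"},
        "VAR_FD": {"READ", "WRITE", "EXECUTE"},
        "VAR_AP_FD": {"READ", "WRITE", "APPEND", "DELETE", "RENAME"},
    },
}


def fd_type_of(path):
    """RC FD type of `path`: the type set on its longest typed prefix."""
    best = "/"
    for prefix in FD_TYPES:
        inside = path == prefix or path.startswith(prefix.rstrip("/") + "/")
        if inside and len(prefix) > len(best):
            best = prefix
    return FD_TYPES[best]


def rc_allowed(role, path, request):
    """RC decision: the role's rights on the object's type decide, nothing else."""
    return request in RC_RIGHTS.get(role, {}).get(fd_type_of(path), set())


# FF side: each flag denies a fixed set of requests on the object it is set on.
# Simplification: inheritance of flags to children is left out of the model.
FF_DENIES = {
    "append_only": {"WRITE"},                    # content may only grow
    "no_delete_or_rename": {"DELETE", "RENAME"},
    "no_execute": {"EXECUTE"},
}


def ff_allowed(flags, request):
    """FF decision: allowed unless some currently set flag denies the request."""
    return not any(request in FF_DENIES[flag] for flag in flags)


def replay_ff(events, initial_flags):
    """Replay (actor, action, flag) events on one FF-protected object.
    'set'/'unset' toggle a flag (the step Josh wants the installer to do);
    any other action is an access request. Returns the actors whose
    requests were granted, in order."""
    current = set(initial_flags)
    granted = []
    for actor, action, flag in events:
        if action == "unset":
            current.discard(flag)
        elif action == "set":
            current.add(flag)
        elif ff_allowed(current, action):
            granted.append(actor)
    return granted


# Constructed timeline: the installer drops append_only, writes, restores it.
TIMELINE = [
    ("other_process", "WRITE", None),           # denied: append_only is set
    ("installer", "unset", "append_only"),
    ("installer", "WRITE", None),               # granted, as intended
    ("rogue_process", "WRITE", None),           # also granted: Gabor's window
    ("installer", "set", "append_only"),
    ("other_process", "WRITE", None),           # denied again
]


def ff_writers():
    """Who gets to write /var/adm/packages during the FF toggle sequence."""
    return replay_ff(TIMELINE, {"append_only", "no_delete_or_rename"})


def rc_writers():
    """Same actors under RC: decided per role, with no unprotected window."""
    actors = [("installer", "RPM_RC"), ("rogue_process", "GENERAL_ROLE")]
    return [a for a, role in actors
            if rc_allowed(role, "/var/adm/packages", "WRITE")]


if __name__ == "__main__":
    print("FF toggle window granted writes to:", ff_writers())
    print("RC granted writes to:", rc_writers())
```

Running the model shows the point of both replies: under RC only the RPM_RC role ever gets WRITE on the VAR_AP_FD type, so nothing has to be switched off for the installer, while in the FF replay every process that happens to write between the unset and the reset is granted, which is the gap Gabor describes.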
