[rsbac] ACLs and Samba

Amon Ott ao at rsbac.org
Wed Apr 30 10:46:25 MEST 2003


On Tuesday, 29. April 2003 18:10, Alexander E. Cuttergo wrote:
> On Tuesday, 29 Apr 2003 16:26:33 +0200, Amot Ott wrote:
> >> Ok. As I understand the standard Unix users and special ACL groups
> >> can be subjects for ACLs but not the standard Unix groups. Is that
> >> correct and what is the reason for this?
> >
> > It is correct.
> >
> > The reason is that the standard Unix group administration is insecure: It
> > usually only depends on an uncontrolled editing of a file (/etc/group), 
and
> > the superuser root can assign any group to a process.
> Wait a second.
> If "uids administration" is to be secure, then it must not "depends on an
> uncontrolled editing of a file", /etc/passwd and /etc/shadow in this case. 
If 
> RSBAC provides workarounds against modifying /etc/passwd (or any other user
> database), then the same tricks can be used to protect /etc/group, correct ?
> If it is not done yet, it is an effect of lack of time, I guess.

They could, but that is not sufficient.

> > Additionally, the ACL groups can be private or global, each user can have 
an
> > individual set of them and there is no limit on the number of groups a 
user
> > can be in at the same time.
> Sorry, I don't get it. How the above sentence relates to infeasibility of
> providing ACLs for Unix groups ?

In contrary, it is quite easy to do. My main point here was that ACL groups 
are much more powerful and flexible, and they allow for separation of duty by 
design, etc.

Linux groups have been treated as 'mostly out of scope' for RSBAC until now. 
This means that there is no way to control which groups a process may acquire 
and which ones not.

You see, the problem is that a process can select the set of active Linux 
groups, while ACL groups are completely mandatory.

Let's state it this way: If you'd like to see Linux groups as ACL subjects, I 
will add them as an option. Together with this, I will have to recheck 
whether all group changes for processes are properly controlled and add group 
change checks to AUTH module.

The easier way (for me at least) would be if you:
- Setup your Linux groups and rights as you desire
- Run linux2acl on your Samba dir tree to get them automatically converted to 
ACL groups and rights settings
- Apply the script produced by linux2acl
- (Optionally) turn off Linux control for the Samba dir tree with 
linux_dac_disable attribute on the dir

Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22


More information about the rsbac mailing list