[rsbac] Binaries losing RSBAC privileges after being updated

Peter Busser peter at trusteddebian.org
Mon Jun 30 12:37:42 MEST 2003


Hi!

> I reckon the privileges I give to binaries are bound not only to their
> names, but also to at least the inode where they reside.

As far as I know, all RSBAC attributes relating to files are based on i-node
number.

> So the privilege does no
> longer apply after a new version is installed, and the corresponding entry
> becomes orphaned in RSBAC control files. Is there any way to stop this
> behaviour, or could RSBAC at least log a warning in the syslog that an
> RSBAC-privileged (e.g. "AUTH May Setuid") binary has been updated and therefore lost its
> special powers? Otherwise I'm in for a nightmare every time I apply a large
> batch of security patches.

You could make a backup of the RSBAC settings before you do the updates. And
then restore it. Or create scripts which set the correct settings after a
package has been updated. The menu system can log all changes you make as shell
commands to a file. This log can be used as a script for the next time.

Groetjes,
Peter Busser
-- 
Adamantix: Taking trustworthy software out of the labs, and into the real world
http://www.adamantix.org/


More information about the rsbac mailing list