[rsbac] To-Do List for 1.2.3

Samuli Kärkkäinen skarkkai at woods.iki.fi
Thu Sep 25 19:40:48 MEST 2003 

On Thu, Sep 25, 2003 at 12:48:26PM +0200, Amon Ott wrote:
> Hi folks,
> 
> this is my current to-do list for 1.2.3. Please add your wishes now. 

* Show executing process' RC role in the log output. I keep missing this
  when trying to figure out why things are working the way they are. As the
  log output has a lot of fields already, maybe it should be configurable.

* With "request CREATE" operations, the log output apparently doesn't show
  which directory is being created, but instead what directory it is being
  created _in_. It would be more informative if it reported the former.

* Have it possible to set JAIL for executables in the menus the same way RC
  types are assigned. It'd be nicer if all RSBAC related things were done
  through menus, instead of having to hack rsbac_jail commands into startup
  scripts of things. Hacking the startup scripts is a sure way to cause
  nasty surprises when one updates the distribution and half a year later
  realizes the JAILs haven't been in effect ever since the upgrade.

* For the exclude option for the backup scripts, maybe make it a shell style
  glob against canonicalized path name. This would allow things like
  --exclude /home/*/Maildir/* (which, on purpose, would also be different
  from home/*/Maildir that would exclude also the directory entry in
  addition to the directory contents). Or why not a regexp once you're at
  it.

* Why is the rsbac_jail utility root only? It only reduces permissions,
  doesn't add them, so I don't immediately see how non-root can endanger the
  system by using it.

UI stuff:

* In the help output when you run rc_role_wrap without arguments replace
  s/new_role/new_role_number/. It confused me at first why things appear to
  not be working as I tried to enter the role name instead of the number,
  since the utility didn't even give any error message of non-existing role.

* When you run rsbac_rc_role_menu the title is "Startup: Choose initial
  role". I remember at first finding this confusing, as I wondered if it
  asks me choose default role for processes or something. A better title
  could be "Choose a role to edit".

  Also, in that menu if you press the Cancel button you get into the RC Role
  main menu with nothing selected.  This is a UI state which makes no sense
  and hence would be better off not existing. Similar situations where a
  menu is in state where nothing is selected probably exist elsewhere.

* In the FD menu, it seems that when one is in the "Attribute Get Mode:
  effective" state and changes fe. RC Type FD, the UI behaves as if the
  change takes effect, but it doesn't. Probably changing the values should
  be prohibited altogether in that state.

* If you remove an RC type, then in the FD menu, you can't assign another
  type for a file that has the type that was just removed.

Some long term things:

* Overlapping file sets in RC types. Okay, this is something that has been
  asked before, and there are many ways to implement what I want, and all of
  them are controversial. My goal is still the same as in my first email a
  few weeks ago: I have defined a bunch of types for files and a bunch of
  roles. Now I add a new role, which typically wants access to a few more
  files than some of the existing roles. It'd be nice to just define a new
  type for those files and give the new role suitable access to that type,
  without having to worry about what permissions to give to that type for
  the other roles.

  Of course, if a file could have multiple types, one should come up with the
  logic for what happens if one type doesn't allow access and another does
  allow. For my purposes it would be useful, if the default is that no
  access is allowed, and access is allowed if any type allows access.

  Another, and almost certainly better way to implement what I want would be
  to create concept of "file sets", and assign ACL entries for the file sets
  of instead of individual files. I haven't thought of this deeply, but it
  would seem to me that this wouldn't require big changes to the ACL module
  logic. This would be somewhat redundant when you have the RC type concept
  already, although it wouldn't make sense to assign for example RC
  force/initial roles or the symlink settings for file groups. I haven't
  looked at this, but I imagine many other modules could be willing to refer
  to the file sets instead of individual files, too.

  Yet another way would be to combine RC and ACL modedules with "or" instead
  of "and", that is, access would be allowed if either of the modules allows
  access.  Of course it wouldn't make much sense to extend this logic to say
  the JAIL module, so this seems like a pretty bad idea, but it sure would
  be a simple way to greatly add the power of the RSBAC framework if it
  could be done cleanly.

* Paths versus inodes. There are situations where having things based on
  purely inodes just doesn't cut it. One of them is encountered when I try
  to limit permissions of fetchmail as much as possible. Fetchmail creates a
  file ~/.fetchmail.pid and other than that, only alters the mailbox. 
  Because ~/.fetchmail.pid gets a different inode every time, I can't use
  RSBAC to allow fetchmail to create only that file, I must allow fetchmail
  to create any file in ~. Another case is ~/.Xauthority that gets different
  inode every time.

  The only solution I can think of is to maintain a list of path names and
  match against them on every access. How the UI would handle that, I have
  no idea.

  In fact, I'm not sure why RSBAC isn't entirely path based instead of inode
  based. I believe there are good reasons for that? And even if it's
  necessary operate on inodes on the lowest level, storing the settings on
  path basis on UI level (and I include command line utilities in the UI
  here) would make backup and restore vastly easier and more robust than
  currently, which I personally consider a major problem at the moment.

* Related to above: if I add create permission to ~, all subdirs inherit
  that. Home directories tend to have a huge and volatile number of
  subdirectories, so it's not feasible to try and enforce permission
  inheritance of them all.  What I want in this case, is to say "skip ~ in
  permission inheritance" or "replace ~'s permissions with the defaults in
  inheritance" or something like that. AFAICT, this is not possible?

Finally a couple of questions:

* What is the idea of the Auditor role?

* I'd like to do something like "rc_role_wrap 7 su -l someuser". Now this
  doesn't work since apparently the root user to which su changes gets the
  role 7 and the someuser ends up getting whatever but not role 7. How
  should one do this?

Lastly, despite all the problems mentioned above, I think RSBAC is by far
the best security addition to Linux I've come across, and I believe I've
seen vast majority of them. Wonderful work, Amon.

-- 
  Samuli Kärkkäinen                   |\      _,,,---,,_
 skarkkai at woods.iki.fi ---------ZZZzz /,`.-'`'    -.  ;-;;,_------
http://www.woods.iki.fi              |,4-  ) )-,_. ,\ (  `'-'
                                     '---''(_/--'  `-'\_)

More information about the rsbac mailing list