[rsbac] To-Do List for 1.2.3

Samuli Kärkkäinen skarkkai at woods.iki.fi
Sun Sep 28 21:17:43 MEST 2003


On Sun, Sep 28, 2003 at 06:53:17PM +0200, Peter Busser wrote:
> > > - Are access rights supposed to change when the file gets renamed (or a new 
> > > name created and the old deleted)?
> > Right now I see the problems caused by software upgrades important, and from
> > that point of view, it's best if permissions depend on path, not inode.
> > Other than that aspect, again neither path nor inode based approach seems
> > clearly superior.
> 
> Well, you don't have to solve every little problem in the kernel code. If you
> want to set permissions based on a path, then you can write a utility that will
> do that for you.
> 
> I did that for instance with the RSBAC policy support tool, which is part of
> Adamantix unstable.

This is indeed one way to solve this issue. However if rsbac really were
path based it would also solve the "~/.Xauthority problem" and remove the
necessity of "restoring" all permissions after any rpm/deb update. It just
seems to me the path based approach would be cleaner, but it's also possible
the better solution is to have good user space utilities.

If rsbac becoming internally path based allowed simpler user space utilities
but wouldn't make rsbac more complex (other than probably negligible
performance cost), that wouldn't seem like such a bad idea to me.

I can certainly see that change being a lot of work though, so it may just
not be worth it. But I'm presenting ideas and letting Amon and maybe others
familiar with internals of rsbac consider their feasibility.

> > But I don't want to give X programs any rights to any subdirs of ~. Hence, I
> > don't want subdirs of ~ to inherit its rights.
> 
> You mean that if you start a web-browser, you cannot even save files to your
> home directory? Or you cannot access the home directory when you start a
> virtual shell?

Well, a web browser is a particularly thorny case, as it uses an unending amount
of complex plugins, and yes, it's also nice to be able to browse the filesystem
with it. But at least a browser doesn't need to write to very many places,
mainly only to the one directory where I like to save stuff I DL. Also it
doesn't need setuid rights, nor the right to listen to the network. Of
course if you consider a web browser from the Adamantix point of view, it's
probably futile to try to limit what it is allowed to do.

But there are many other X programs that don't need many permissions, like
indeed X-Chat, or pan the newsreader. X-Chat has had remote exploits in the
past.

> > Now I agree that the "skip inheritance" flag would make the system much more
> > complex. That's bad. At the same time, in absence of path based permission
> > system, I can't come up with any feasible solution for the ~/.Xauthority
> > problem.
> 
> You can simply skip the inheritance by setting the attribute to the value you
> want.

I don't understand. Care to elaborate?

-- 
  Samuli Kärkkäinen                   |\      _,,,---,,_
 skarkkai at woods.iki.fi ---------ZZZzz /,`.-'`'    -.  ;-;;,_------
http://www.woods.iki.fi              |,4-  ) )-,_. ,\ (  `'-'
                                     '---''(_/--'  `-'\_)
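As an added illustration (not code from this post or from RSBAC itself), here is a small Python model of the trade-off discussed in the thread: a rule keyed by inode follows a rename but is lost when a package upgrade replaces the file with a new inode, while a rule keyed by path does the reverse. The filesystem model, the two policy classes and the sample path and role are hypothetical.

```python
# Added illustration, not RSBAC code; class names and sample values are constructed.
class Fs:  # minimal in-memory filesystem mapping path -> inode number
    def __init__(self):
        self.next_ino, self.path_to_ino = 1, {}
    def create(self, path):          # every newly written file gets a fresh inode
        self.path_to_ino[path] = self.next_ino
        self.next_ino += 1
    def unlink(self, path):
        del self.path_to_ino[path]
    def rename(self, old, new):      # same inode, different name
        self.path_to_ino[new] = self.path_to_ino.pop(old)
    def ino(self, path):
        return self.path_to_ino[path]

class InodePolicy:
    """Rule keyed by the file object (inode), the way RSBAC attributes are stored."""
    def __init__(self):
        self.rules = {}
    def grant(self, fs, path, subject):
        self.rules.setdefault(fs.ino(path), set()).add(subject)
    def allowed(self, fs, path, subject):
        return subject in self.rules.get(fs.ino(path), set())

class PathPolicy:
    """Rule keyed by the path name, as the proposed path-based scheme would be."""
    def __init__(self):
        self.rules = {}
    def grant(self, fs, path, subject):
        self.rules.setdefault(path, set()).add(subject)
    def allowed(self, fs, path, subject):
        return subject in self.rules.get(path, set())

def upgrade(fs, path):
    """rpm/dpkg style replacement: the old inode goes away, a new one takes its path."""
    fs.unlink(path)
    fs.create(path)

def survives_upgrade(policy_cls):
    """Is a rule granted before a package upgrade still in force afterwards?"""
    fs, pol = Fs(), policy_cls()
    fs.create("/usr/bin/xchat")
    pol.grant(fs, "/usr/bin/xchat", "xchat_role")
    upgrade(fs, "/usr/bin/xchat")
    return pol.allowed(fs, "/usr/bin/xchat", "xchat_role")

def follows_rename(policy_cls):
    """Does a rule follow the file object when it is renamed?"""
    fs, pol = Fs(), policy_cls()
    fs.create("/usr/bin/xchat")
    pol.grant(fs, "/usr/bin/xchat", "xchat_role")
    fs.rename("/usr/bin/xchat", "/usr/bin/xchat.old")
    return pol.allowed(fs, "/usr/bin/xchat.old", "xchat_role")
```

Neither keying is safe on its own: the inode rule silently disappears after an upgrade, and the path rule can be carried onto whatever file is later placed at that name.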

