[rsbac] FF: Some questions
Nico Manicone
nico.manicone at gmx.de
Mon Sep 20 00:20:55 CEST 2004
Hello and thank you for your answer,
1.
>>2. I have troubles understanding the usage of "search_only" and
>>"no_mount". The meaning is obvious, but in which scenarios should
> no_mount protects e.g. /etc from a mount, which would replace all
> config files with the attacker's files.
Is this a probable attack scenario? Why should an attacker not simply
change one or more config files with an editor?
How would I use "no_mount"? Simply use it on "/"? If I use the flag on
"/", will it be enough for the complete file system or must I use
inheriting for the deeper directory nodes?
Due to the fact that RSBAC checks only inodes, I would assume that
inheriting is necessary.
2.
>>the results I found:
>>read_only read, delete, execute possible
>>execute_only only execute allowed
>>search_only read, delete, execute possible
>>write_only only write allowed
These results are from an Adamantix 1.04 system with a softmode kernel
and RSBAC 1.2.2.
> Certainly not, and I cannot reproduce it here. Can you provide more
> info? Do you get a syslog entry?
My problem is that I can't reproduce them either. :-( If I simply switch
the softmode off with "echo debug_softmode_0 > /proc/rsbac-info/debug",
I get the normal behaviour.
The cited results occurred after I tried several different ways to switch
the softmode off. First I used the entry "global softmode" in rsbac_menu
to turn softmode on or off, but to no avail. After that I toggled the
softmode on a per-module basis, but this didn't help either. Finally I used
"echo debug_softmode_0". And then I got these results.
Regards,
Nico.