[rsbac] FF: Some questions
Amon Ott
ao at rsbac.org
Mon Sep 20 09:46:27 CEST 2004
On Monday, 20 September 2004 00:20, Nico Manicone wrote:
> 1.
> >>2. I have troubles understanding the usage of "search_only" and
> >>"no_mount". The meaning is obvious, but in which scenarios should
>
> > no_mount protects e.g. /etc from a mount, which would replace all
> > config files with the attacker's files.
>
> Is this a probable attack scenario? Why should an attacker not simply
> change one or more config files with an editor?
>
> How would I use "no_mount"? Simply use it on "/"? If I use the flag on
> "/", will it be enough for the complete file system or must I use
> inheriting for the deeper directory nodes?
If you set it at /, it will be inherited to all subdirs. However, this
means that you cannot mount anywhere. I recommend setting it
individually for those dir trees, which should never see any mounts
in them. E.g. /etc, /usr (after the intended mount), /boot, /var, ...
> Due to the fact that RSBAC checks only inodes, I would assume that
> inheriting is necessary.
It is, and it happens with the default settings. The main problem is
that the legal mount points become invisible after the mount, so you
will not be able to backup the ff_flags for them without
add_inherited.
> 2.
> >>the results I found:
>
> >>read_only     read, delete, execute possible
> >>execute_only  only execute allowed
> >>search_only   read, delete, execute possible
> >>write_only    only write allowed
>
> These results are from an Adamantix 1.04 system with a softmode kernel
> and RSBAC 1.2.2.
>
> > Certainly not, and I cannot reproduce it here. Can you provide more
> > info? Do you get a syslog entry?
>
> My problem is that I can't reproduce them either. :-( If I simply switch
> the softmode off with "echo debug_softmode_0 > /proc/rsbac-info/debug",
> I get the normal behaviour.
Good.
> The cited results occurred after I tried several different ways to switch
> the softmode off. First I used the entry "global softmode" in rsbac_menu
> to turn softmode on or off, but to no avail. After that I toggled the
> softmode on a module basis, but this didn't help either. Finally I used
> "echo debug_softmode_0". And then I got these results.
The Adamantix 1.0.4 Softmode kernel does not support module switching
and thus has the syscall interface used by the menu turned off. This
means that your switching did not work. I have already corrected this
in my local 1.2.4-pre tree.
In any case, a successful switch must be noted in the log. If there is
no log entry, it probably has not been switched. You can always check
the current state in /proc/rsbac-info/stats (or .../active with RSBAC
v1.2.3).
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
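To illustrate the inheritance point made above (no_mount on "/" blocks every mount, while setting it per tree leaves other mount points usable, and an object without add_inherited stops inheriting), here is an added model written for this page; it is not RSBAC code, and the inheritance rule it assumes (own flags OR the parent's effective flags while add_inherited is set, with add_inherited on by default) is an assumption for illustration, not taken from the RSBAC sources.

```python
from posixpath import dirname

NO_MOUNT = "no_mount"
ADD_INHERITED = "add_inherited"


def effective_flags(flags_by_dir, path):
    """Effective FF flags for `path`.

    `flags_by_dir` maps a directory path to the flags explicitly set on it.
    Directories with no entry are treated as having only add_inherited set,
    i.e. the "default settings" inheritance mentioned in the thread.
    Assumed rule: own flags, plus the parent's effective flags while
    add_inherited is set on the object itself.
    """
    own = set(flags_by_dir.get(path, {ADD_INHERITED}))
    if path == "/" or ADD_INHERITED not in own:
        return own
    return own | effective_flags(flags_by_dir, dirname(path))


def mount_allowed(flags_by_dir, mount_point):
    """True when no_mount is not in effect at the intended mount point."""
    return NO_MOUNT not in effective_flags(flags_by_dir, mount_point)


# Constructed policies for comparison.
# 1) no_mount on "/" as the question proposed: inherited everywhere.
ROOT_POLICY = {"/": {NO_MOUNT, ADD_INHERITED}}
# 2) no_mount per tree, as recommended in the reply.
PER_TREE_POLICY = {d: {NO_MOUNT, ADD_INHERITED}
                   for d in ("/etc", "/usr", "/boot", "/var")}
# 3) Per-tree policy, but /usr/local has add_inherited cleared, so it no
#    longer picks up no_mount from /usr (hypothetical exception).
CUT_POLICY = dict(PER_TREE_POLICY)
CUT_POLICY["/usr/local"] = set()


def mount_report(flags_by_dir, mount_points):
    """Map each intended mount point to whether the policy permits it."""
    return {mp: mount_allowed(flags_by_dir, mp) for mp in mount_points}


if __name__ == "__main__":
    points = ("/mnt/usb", "/usr/local", "/etc/ssl/certs", "/var/lib")
    for name, policy in (("root", ROOT_POLICY), ("per-tree", PER_TREE_POLICY),
                         ("cut", CUT_POLICY)):
        print(name, mount_report(policy, points))
```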