[rsbac] FF: Some questions

Amon Ott ao at rsbac.org
Mon Sep 20 09:46:27 CEST 2004


On Monday, 20 September 2004 00:20, Nico Manicone wrote:
> 1.
> >> 2. I have troubles understanding the usage of "search_only" and
> >> "no_mount". The meaning is obvious, but in which scenarios should
> 
> > no_mount protects e.g. /etc from a mount, which would replace all
> > config files with the attacker's files.
> 
> Is this a probable attack scenario? Why should an attacker not
> simply change one or more config files with an editor?
> 
> How would I use "no_mount"? Simply use it on "/"? If I use the flag
> on "/", will it be enough for the complete file system or must I use
> inheriting for the deeper directory nodes?

If you set it at /, it will be inherited to all subdirs. However, this 
means that you cannot mount anywhere. I recommend setting it 
individually for those dir trees, which should never see any mounts 
in them. E.g. /etc, /usr (after the intended mount), /boot, /var, ...
 
> Due to the fact that RSBAC checks only inodes, I would assume that
> inheriting is necessary.

It is, and it happens with the default settings. The main problem is 
that the legal mount points become invisible after the mount, so you 
will not be able to backup the ff_flags for them without 
add_inherited.
 
> 2.
> >> the results i found:
> 
> >> read_only      read, delete, execute possible
> >> execute_only   only execute allowed
> >> search_only    read, delete, execute possible
> >> write_only     only write allowed
> 
> These results are from an Adamantix 1.04 system with a softmode
> kernel and RSBAC 1.2.2.
> 
> > Certainly not, and I cannot reproduce it here. Can you provide
> > more info? Do you get a syslog entry?
> 
> My problem is that I can't reproduce them either. :-( If I simply
> switch the softmode off with "echo debug_softmode_0 >
> /proc/rsbac-info/debug", I get the normal behaviour.

Good.
 
> The cited results occurred after I tried several different ways to
> switch the softmode off. First I used the entry "global softmode" in
> rsbac_menu to turn softmode on or off, but to no avail. After that I
> toggled the softmode on a module basis, but this didn't help either.
> Finally I used "echo debug_softmode_0". And then I got these results.

The Adamantix 1.0.4 Softmode kernel does not support module switching 
and thus has the syscall interface used by the menu turned off. This 
means that your switching did not work. I have already corrected this 
in my local 1.2.4-pre tree.

In any case, a successful switch must be noted in the log. If there is 
no log entry, it probably has not been switched. You can always check 
the current state in /proc/rsbac-info/stats (or .../active with RSBAC 
v1.2.3).

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
-------------- next part --------------
A binary attachment was scrubbed...
Filename    : not available
File type   : application/pgp-signature
File size   : 189 bytes
Description : signature
URL         : http://www.rsbac.org/pipermail/rsbac/attachments/20040920/9093e1d6/attachment.bin
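The reply above recommends setting no_mount per directory tree rather than at "/", and only on trees that should never see a mount (or, for /usr, after the intended mount). The script below is an added example, not code from this list thread or from the RSBAC project: it reads a mount table in /proc/mounts format and reports, for each candidate tree, which mount points lie below it, so an administrator can see which trees are safe to flag and which ones contain the "legal mount points" the reply mentions. The mount table here is a constructed sample; on a live system the output of /proc/mounts would be passed instead. Actually setting ff_flags is done with the RSBAC admin tools and is not shown.

```shell
#!/bin/sh
# Added example (not from the rsbac list or the RSBAC project).
# For each candidate directory tree, list the mount points strictly
# below it. A tree with none is a candidate for the FF no_mount flag;
# a tree with some should get the flag only after those mounts exist,
# because no_mount is inherited to every subdirectory by default.

# Constructed sample mount table in /proc/mounts format:
# device mountpoint fstype options dump pass
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/hda1 / ext3 rw 0 0
proc /proc proc rw 0 0
/dev/hda2 /usr ext3 ro 0 0
/dev/hda3 /var ext3 rw 0 0
tmpfs /var/tmp tmpfs rw 0 0
/dev/hda5 /home ext3 rw 0 0'

# mounts_under TREE TABLE: print every mount point strictly below TREE,
# one per line. TREE's own mount point does not count: the flag is set
# on the directory inside that filesystem, not on what is mounted over it.
mounts_under() {
    tree=$1
    printf '%s\n' "$2" | while read -r _dev mp _rest; do
        if [ "$tree" = / ]; then
            # Everything except the root itself is below "/".
            if [ "$mp" != / ]; then printf '%s\n' "$mp"; fi
        else
            # Require the separating slash so /var does not match /varlib.
            case $mp in
                "$tree"/*) printf '%s\n' "$mp" ;;
            esac
        fi
    done
}

# report_no_mount_candidates TABLE TREE...: one line of advice per tree.
report_no_mount_candidates() {
    table=$1
    shift
    for tree in "$@"; do
        below=$(mounts_under "$tree" "$table" | tr '\n' ' ')
        if [ -z "$below" ]; then
            printf '%s: no mounts below, candidate for no_mount\n' "$tree"
        else
            printf '%s: mounts below (%s), set no_mount only after these are mounted\n' \
                "$tree" "$below"
        fi
    done
}

# Usage with the sample table; on a live system use "$(cat /proc/mounts)".
# Setting no_mount on "/" would cover every mount point listed for "/".
report_no_mount_candidates "$SAMPLE_MOUNTS" /etc /usr /boot /var /
```

With the sample table, /etc, /usr and /boot come out clean, /var reports /var/tmp below it, and "/" reports every other mount point, which is exactly why the reply advises against flagging the root.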

