[rsbac] DAZ & cache

Andrea Pasquinucci cesare at ucci.it
Thu Sep 29 10:54:27 CEST 2005 

No, sorry twice, I missed the fix in the 1.2.5-pre and I am still on 
1.2.4 (no time yet to upgrade and still wondering about PaX and 2.6.13)

Andrea

On Thu, Sep 29, 2005 at 10:25:58AM +0200, Amon Ott wrote:
* On Donnerstag 29 September 2005 09:41, Andrea Pasquinucci wrote:
* > I am using DAZ and I notice something that I do not like too much, 
* even 
* > if I do not know what it could be done about it.
* > 
* > I have done the following tests having created a directory which is 
* not 
* > scanned by clamd ("ClamukoExcludePath /somedir/NOCHECK/")
* > 
* > TEST 1
* > - try to access a virus in /somedir/CHECK/ => access denied = OK
* > - mv /somedir/CHECK/virus /somedir/NOCHECK/   => success = OK
* > - less /somedir/NOCHECK/virus  => success = OK
* > - mv /somedir/NOCHECK/virus /somedir/CHECK/ => success = OK
* > - less /somedir/NOCHECK/virus => success ???? NOT OK!!
* 
* This should not work, it must be a bug. Is it with 1.2.5? There was a 
* fix for the cache in the pre series.
*  
* > well I do understand that the cache has tricked me. In accessing the 
* > file in the NOCHECK directory, the inode has been marked as CLEAN, 
* then 
* > I moved the file in the same partition, the inode has not changed, 
* so it 
* > is still marked as CLEAN. Well my point here is that when DAZ checks 
* the 
* > file in /somedir/NOCHECK/, clamd should answer "NO CHECK" or 
* something 
* > similar, now what should be put in cache? My understanding is that 
* it is 
* > put CLEAN, but why not put "UNKNOWN" in cache? I guess the answer is 
* > that in this case every time a file is accessed in the NOCHECK dir 
* there 
* > will be nothing in the cache and clamd should be called, with a lot 
* of 
* > extra work of course, but much less security. If I am correct, I 
* would 
* > propose to introduce a switch at some level (kernel config or admin 
* > utils) to let a user decide what should be put in cache if clamd 
* answers 
* > "not checking in this dir"
* 
* This is an example of why name based access control is bad. :/
* 
* My suggestion: We also clean the cache entry, if a file gets renamed. 
* Please try the attached patches for 2.6 and 2.4 kernels with RSBAC 
* 1.2.5.
*  
* > TEST 2
* > same as test 1 but instead of  "mv /somedir/NOCHECK/virus 
* > /somedir/CHECK/", I do "cp /somedir/NOCHECK/virus /somedir/CHECK/". 
* Also 
* > the results are the same, but now the inode are different!!! Why? I 
* > guess that in creating the new file, the DAZ cache of the parent is 
* > copied to it, but this I do not understand really ????????????
* 
* > TEST 3 same as test 2 but I move or copy the file to a different 
* > partition, nothing changes, still access!!!!
* 
* The clean marking for new files in some cases was supposed to be fixed 
* in 1.2.5. Are you on 1.2.5 already?
* 
* Amon.
* -- 
* http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22



* _______________________________________________
* rsbac mailing list
* rsbac at rsbac.org
* http://www.rsbac.org/mailman/listinfo/rsbac

-- 
--
Andrea Pasquinucci                     cesare at ucci.it
PGP key: http://www.ucci.it/ucci_pub_key.asc
fingerprint = 569B 37F6 45A4 1A17 E06F  CCBB CB51 2983 6494 0DA2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://rsbac.dyndns.org/pipermail/rsbac/attachments/20050929/af383f71/attachment.bin

More information about the rsbac mailing list