[rsbac] Security bugfix for RSBAC for kernels 2.6.35 and later
Amon Ott
ao at rsbac.org
Wed Nov 30 16:33:51 CET 2011
On Wednesday 30 November 2011, Javier Juan Martínez Cabezón wrote:
> Amon, in which case would this be a security problem?
>
> AFAIK, READ_OPEN calls are unneeded because they always require the READ one
> to access the contents of the file.
>
> So I have never found a case in which READ_OPEN should be granted and READ
> not.
>
> To me READ_OPEN is only useful to restrict scripts interpretation and
> nothing more.
READ is required to read the content of a dir, so it is quite often allowed on
whole trees or RC types. If READ_OPEN is not denied, then you can read the
content of files, although you should only have access to the dir listing.
Additionally, intercepting READ and WRITE on files is optional; you can turn
it off in the RSBAC kernel config. The reason is that you need to open it
first...
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
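The following is an added illustration of the point made in the reply above, not code from RSBAC or from either author. It is a deliberately simplified Python model: READ on a directory gates the listing, READ_OPEN gates opening a file for reading, and the READ check on the file's content only happens when file READ/WRITE interception is enabled (the optional kernel config setting mentioned above). The policy shape (rights granted per path prefix), the paths and the `Policy`, `list_directory` and `read_file_content` names are all assumptions made for the example; RSBAC's real decision logic and ACL/RC structures are different.

```python
"""Toy model of why READ_OPEN is a separate gate from READ.

Constructed illustration only; this is NOT RSBAC's own decision code.
"""
from dataclasses import dataclass, field

# Request types named in the discussion above.
READ, READ_OPEN, WRITE = "READ", "READ_OPEN", "WRITE"


@dataclass
class Policy:
    # Hypothetical policy shape: path prefix -> set of request types granted
    # on that subtree (stands in for "allowed on whole trees or RC types").
    grants: dict = field(default_factory=dict)
    # Stands in for the RSBAC kernel config option that makes interception
    # of READ/WRITE on files optional.
    intercept_file_read: bool = True

    def allowed(self, path: str, request: str) -> bool:
        """Default deny: a request passes only if some granted prefix covers it."""
        for prefix, rights in self.grants.items():
            covers = path == prefix or path.startswith(prefix.rstrip("/") + "/")
            if covers and request in rights:
                return True
        return False


def list_directory(policy: Policy, dirpath: str) -> bool:
    """A directory listing needs READ on the directory itself."""
    return policy.allowed(dirpath, READ)


def read_file_content(policy: Policy, filepath: str) -> bool:
    """Reading content means open() first, then read().

    open() for reading is gated by READ_OPEN; the later read() is gated by
    READ only when file READ interception is switched on.
    """
    if not policy.allowed(filepath, READ_OPEN):
        return False
    if policy.intercept_file_read and not policy.allowed(filepath, READ):
        return False
    return True


# Constructed scenarios over a hypothetical subtree.
TREE = "/srv/tree"
FILE = "/srv/tree/secret.txt"

# 1. READ granted on the whole tree and READ_OPEN not denied: the file content
#    leaks even though only the listing was intended.
tree_read_and_open = Policy({TREE: {READ, READ_OPEN}})

# 2. READ granted on the tree, READ_OPEN withheld: listing works, content does not.
tree_read_only = Policy({TREE: {READ}})

# 3. File READ interception turned off in the kernel config: READ_OPEN becomes
#    the only gate on file content, so it must be granted deliberately.
open_only_no_interception = Policy({TREE: {READ_OPEN}}, intercept_file_read=False)


def scenario_results() -> dict:
    """Collect (listing allowed, content readable) for each constructed policy."""
    return {
        "read_and_open": (list_directory(tree_read_and_open, TREE),
                          read_file_content(tree_read_and_open, FILE)),
        "read_only": (list_directory(tree_read_only, TREE),
                      read_file_content(tree_read_only, FILE)),
        "open_only_no_interception": (
            list_directory(open_only_no_interception, TREE),
            read_file_content(open_only_no_interception, FILE)),
    }


if __name__ == "__main__":
    for name, (listing, content) in scenario_results().items():
        print(f"{name:28s} listing={listing!s:5s} content={content}")
```

The second scenario is the configuration the reply argues for: READ granted broadly for directory listings, with READ_OPEN withheld so file contents stay closed. The third shows why READ_OPEN cannot be treated as redundant when READ interception on files is disabled.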