| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 05 Aug 2006 00:52:41 +0200 From: RazorBlu <razorblu@...il.com> To: linux-kernel@...r.kernel.org Subject: Re: ACLs Brian Beattie wrote: > Having implemented ACLs twice on Unix and Unix-like systems, I don't see > what the fetish some people have for them. Frankly juts about anything > you can do with ACLs (and anything you should want to do) you can do > with users/groups and the standard Unix/Linux permissions. Why add > unneeded cruft to the kernel. Because instead of having an all-powerful account (which we so lovingly know as root), you can separate specific roles to different accounts. To use Windows' ACLs as an example: - Adjust memory quotas for a process - Allow/deny access to this computer from the network - Backup files and directories - Bypass traverse checking - Change system time - Increase scheduling priority - Load and unload device drivers - Manage auditing and security logs - Restore files and directories - Shutdown the system - Take ownership of files or other objects As you can see, those are finely-grained controls. Why would these be useful on Linux? Because you can have a root account which can bind Apache to a port <1024, and even if it is compromised it cannot "shutdown the system," or "deny access to this computer from the network," thus the attacker will be able to cause minimal damage. Yes, the same can be done on Linux using SELinux, AppArmor, or some other ACL system, but again - those aren't part of the kernel. They are extra apps, and adding layers is not always the best solution when it comes to security. > I know that some spooks think you have to > have ACLs to have a trusted system, but these are the same people who > think you need to violate my freedoms to protect them. > Um.. Forgive me for a second, but are you suggesting that a Linux system running a service(s) under full root privileges (such as Apache) is just as secure as a Linux system running the same process but with compartmentalisation to make sure that each service has access to just the files and directories it needs, achieved (currently) via AppArmor, SELinux, or a similar ACL system? If you really do think that, you may want to read a few more papers and/or books. If Apache is bound to port 80 as root and is not restricted (via ACLs) to just the directories, files, libraries and whatnot that it needs access to, and it is compromised, then the attacker has full control over your server. If you have ACLs in place, the attacker can only access the files that Apache has access to, thus protecting all other files on the server (and thus greatly decreasing the chances of the attacker implementing a hard-to-detect kernel rootkit, or some other malware). - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists