Message-ID: <44D3CFB9.9020208@gmail.com>
Date:	Sat, 05 Aug 2006 00:52:41 +0200
From:	RazorBlu <razorblu@...il.com>
To:	linux-kernel@...r.kernel.org
Subject: Re: ACLs

Brian Beattie wrote:
> Having implemented ACLs twice on Unix and Unix-like systems, I don't see
> what the fetish some people have for them.  Frankly just about anything
> you can do with ACLs (and anything you should want to do) you can do
> with users/groups and the standard Unix/Linux permissions.  Why add
> unneeded cruft to the kernel. 
Because instead of having an all-powerful account (which we so lovingly 
know as root), you can separate specific roles to different accounts. To 
use Windows' ACLs as an example:

- Adjust memory quotas for a process
- Allow/deny access to this computer from the network
- Backup files and directories
- Bypass traverse checking
- Change system time
- Increase scheduling priority
- Load and unload device drivers
- Manage auditing and security logs
- Restore files and directories
- Shutdown the system
- Take ownership of files or other objects

As you can see, those are finely-grained controls. Why would these be 
useful on Linux? Because you can have a root account which can bind 
Apache to a port <1024, and even if it is compromised it cannot 
"shutdown the system," or "deny access to this computer from the 
network," thus the attacker will be able to cause minimal damage. Yes, 
the same can be done on Linux using SELinux, AppArmor, or some other ACL 
system, but again - those aren't part of the kernel. They are extra 
apps, and adding layers is not always the best solution when it comes to 
security.
>  I know that some spooks think you have to
> have ACLs to have a trusted system, but these are the same people who
> think you need to violate my freedoms to protect them.
>   
Um.. Forgive me for a second, but are you suggesting that a Linux system 
running a service(s) under full root privileges (such as Apache) is just 
as secure as a Linux system running the same process but with 
compartmentalisation to make sure that each service has access to just 
the files and directories it needs, achieved (currently) via AppArmor, 
SELinux, or a similar ACL system? If you really do think that, you may 
want to read a few more papers and/or books. If Apache is bound to port 
80 as root and is not restricted (via ACLs) to just the directories, 
files, libraries and whatnot that it needs access to, and it is 
compromised, then the attacker has full control over your server. If you 
have ACLs in place, the attacker can only access the files that Apache 
has access to, thus protecting all other files on the server (and thus 
greatly decreasing the chances of the attacker implementing a 
hard-to-detect kernel rootkit, or some other malware).
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
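The least-privilege argument in the reply above, as an added worked example that is not part of the original thread: on Linux the root-like rights are split into capabilities (numbered in the kernel's uapi header linux/capability.h), and a process's capability sets are exposed as hex masks in /proc/<pid>/status. The script below decodes those masks and reports anything a service holds beyond an allow-list, so an auditor can verify that a web server really has only the right to bind a low port. The pairing of the Windows privileges named in the thread with Linux capabilities is an assumption made here for illustration, and the two status excerpts are constructed, not captured from a real host.

```python
"""Audit which root-like privileges a Linux process actually holds.

Added example, not from the original thread. Capability numbers come from
linux/capability.h; the Windows-to-Linux pairing is an approximate
assumption for illustration only.
"""
import re
from typing import Dict, Iterable, List

# Capability numbers from the kernel's uapi header linux/capability.h.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    9: "CAP_LINUX_IMMUTABLE", 10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
    20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN", 22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE",
    24: "CAP_SYS_RESOURCE", 25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL", 31: "CAP_SETFCAP",
    32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN", 34: "CAP_SYSLOG", 35: "CAP_WAKE_ALARM",
    36: "CAP_BLOCK_SUSPEND", 37: "CAP_AUDIT_READ", 38: "CAP_PERFMON", 39: "CAP_BPF",
    40: "CAP_CHECKPOINT_RESTORE",
}

# Rough Linux counterparts of some Windows privileges named in the thread
# (assumption for illustration; the correspondence is approximate).
WINDOWS_TO_LINUX = {
    "Shutdown the system": "CAP_SYS_BOOT",
    "Change system time": "CAP_SYS_TIME",
    "Load and unload device drivers": "CAP_SYS_MODULE",
    "Increase scheduling priority": "CAP_SYS_NICE",
    "Manage auditing and security logs": "CAP_AUDIT_CONTROL",
    "Take ownership of files or other objects": "CAP_CHOWN",
}

# Lines such as "CapEff:\t0000000000000400" in /proc/<pid>/status.
_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)


def parse_status(text: str) -> Dict[str, str]:
    """Extract the Cap* hex masks from the text of /proc/<pid>/status."""
    return {name: mask for name, mask in _CAP_LINE.findall(text)}


def decode_caps(hexmask: str) -> List[str]:
    """Turn a capability mask into the capability names it contains, by number."""
    mask = int(hexmask, 16)
    names: List[str] = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES.get(bit, f"CAP_{bit}"))  # unknown bit: keep its number
        bit += 1
    return names


def excess_caps(hexmask: str, allowed: Iterable[str]) -> List[str]:
    """Capabilities held beyond an allow-list, i.e. least-privilege violations."""
    allowed_set = set(allowed)
    return [cap for cap in decode_caps(hexmask) if cap not in allowed_set]


def audit_pid(pid: int, allowed: Iterable[str]) -> List[str]:
    """Read a live process's effective set and report anything beyond `allowed`."""
    with open(f"/proc/{pid}/status", encoding="ascii") as fh:
        masks = parse_status(fh.read())
    return excess_caps(masks["CapEff"], allowed)


# Constructed sample excerpts of /proc/<pid>/status (not from a real system).
SAMPLE_RESTRICTED = """Name:\thttpd
CapInh:\t0000000000000000
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""
SAMPLE_FULL_ROOT = """Name:\thttpd
CapInh:\t0000000000000000
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

# Policy for a web server: bind to port 80 and nothing else.
WEB_SERVER_POLICY = ["CAP_NET_BIND_SERVICE"]

if __name__ == "__main__":
    for label, sample in (("restricted", SAMPLE_RESTRICTED), ("full root", SAMPLE_FULL_ROOT)):
        eff = parse_status(sample)["CapEff"]
        extra = excess_caps(eff, WEB_SERVER_POLICY)
        print(f"{label}: effective={decode_caps(eff)}")
        print(f"  beyond policy: {extra or 'none'}")
```

Run against a real process with `audit_pid(<pid>, WEB_SERVER_POLICY)`: an empty result means the service holds only the capability the policy grants, while a non-empty list is exactly the surplus an attacker would inherit on compromise (CAP_SYS_BOOT, for instance, is the "shutdown the system" right the reply wants kept away from the web server).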
