[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <44D3CFB9.9020208@gmail.com>
Date: Sat, 05 Aug 2006 00:52:41 +0200
From: RazorBlu <razorblu@...il.com>
To: linux-kernel@...r.kernel.org
Subject: Re: ACLs
Brian Beattie wrote:
> Having implemented ACLs twice on Unix and Unix-like systems, I don't see
> what the fetish some people have for them. Frankly juts about anything
> you can do with ACLs (and anything you should want to do) you can do
> with users/groups and the standard Unix/Linux permissions. Why add
> unneeded cruft to the kernel.
Because instead of having an all-powerful account (which we so lovingly
know as root), you can separate specific roles to different accounts. To
use Windows' ACLs as an example:
- Adjust memory quotas for a process
- Allow/deny access to this computer from the network
- Backup files and directories
- Bypass traverse checking
- Change system time
- Increase scheduling priority
- Load and unload device drivers
- Manage auditing and security logs
- Restore files and directories
- Shutdown the system
- Take ownership of files or other objects
As you can see, those are finely-grained controls. Why would these be
useful on Linux? Because you can have a root account which can bind
Apache to a port <1024, and even if it is compromised it cannot
"shutdown the system," or "deny access to this computer from the
network," thus the attacker will be able to cause minimal damage. Yes,
the same can be done on Linux using SELinux, AppArmor, or some other ACL
system, but again - those aren't part of the kernel. They are extra
apps, and adding layers is not always the best solution when it comes to
security.
> I know that some spooks think you have to
> have ACLs to have a trusted system, but these are the same people who
> think you need to violate my freedoms to protect them.
>
Um.. Forgive me for a second, but are you suggesting that a Linux system
running a service(s) under full root privileges (such as Apache) is just
as secure as a Linux system running the same process but with
compartmentalisation to make sure that each service has access to just
the files and directories it needs, achieved (currently) via AppArmor,
SELinux, or a similar ACL system? If you really do think that, you may
want to read a few more papers and/or books. If Apache is bound to port
80 as root and is not restricted (via ACLs) to just the directories,
files, libraries and whatnot that it needs access to, and it is
compromised, then the attacker has full control over your server. If you
have ACLs in place, the attacker can only access the files that Apache
has access to, thus protecting all other files on the server (and thus
greatly decreasing the chances of the attacker implementing a
hard-to-detect kernel rootkit, or some other malware).
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists