lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 22 Jan 2010 17:15:05 +0800
From:	zhou peng <ailvpeng25@...il.com>
To:	Christoph Hellwig <hch@...radead.org>
Cc:	Casey Schaufler <casey@...aufler-ca.com>, sds@...ho.nsa.gov,
	jra@...ba.org, linux-security-module@...r.kernel.org,
	linux-next@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>,
	linux-fsdevel@...r.kernel.org
Subject: Re: About ACL for IPC Object

Thank you all for so many solutions.

I want to control some IPC object (shm, msg queue, semphore) can be
accessed by which named user or named group just like file objects ACL
do.

I studied the solution you all referred, The SELinux is powerful but
may be somewhat complicated. And I am confused with Christoph
Hellwig‘s solution using tmpfs.

2010/1/21 Christoph Hellwig <hch@...radead.org>:
> On Wed, Jan 20, 2010 at 07:02:27PM -0800, Casey Schaufler wrote:
>> zhou peng wrote:
>> > Hi all,
>> >
>> > There are ACL in file system, but why there are no ACL implementation
>> > in IPC object, eg. shm, message queue, FIFO?
>> >
>>
>> Most people haven't noticed that IPC objects are even there, much less
>> that they have mode bits and not ACLs. Even when we were doing security
>> evaluations on Unix boxes in the 1990's they were considered insufficiently
>> interesting to justify the additional work to do ACLs.
>>
>> If you really want ACLs on IPC objects it would make a dandy little
>> project for a summer. I would be happy to review patches.

Thanks. It's interesting to add ACL over IPC objects. I want to have a try.

>
> Or use the posix IPC mechanisms.  The Posix shared memory has ACL by
> using tmpfs as the backing store, and we could add similar support to
> Posix messages queues as they are also backed by a normal filesystem.

Christoph Hellwig, This way may be convinent. Could you give some
detailed message. :)
I only find /proc/ipc/shm file which contain the info of shm objs,and
tmpfs on /dev/shm which is empty.

>
> Adding this support to the old SYSV IPC mechanisms would be much harder
> as they do not fit into the file backed model we use everywhere else at
> all.

Just like file objects, the mode bits are implment over IPC objects
without file backed, so I think adding ACL support to IPC objects may
be somewhat reasonable :)

>
>



-- 
zhoupeng
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ