Amon Ott has released a security bugfix for RSBAC 1.2.3. The problem was found in the RSBAC JAIL implementation: inside a jail, programs could create files with the suid or sgid bit set, because the JAIL module's CREATE check did not look at the requested mode. Please read the attached original release note if interested. The bugfix is available for download at http://www.rsbac.org/download/bugfixes/

For beginners, RSBAC is:
- Free Open Source (GPL) Linux kernel security extension
- Independent of governments and big companies
- Implements several well-known and new security models, e.g. MAC, ACL and RC
- Control over individual user and program network accesses
- Any combination of models possible
- Easily extensible: write your own model for runtime registration
- Support for current kernels
- Stable for production use

----------------------

From ao<at@>rsbac.org Wed Jun 30 16:34:51 2004
Date: Wed, 30 Jun 2004 14:03:29 +0200
From: Amon Ott <ao<at@>rsbac.org>
Reply-To: RSBAC Discussion and Announcements <rsbac@xxxxxxxxx>
To: RSBAC Discussion and Announcements <rsbac@xxxxxxxxx>
Subject: [rsbac] Bugfix 1.2.3-3 / JAIL

Hi everyone,

here comes another bugfix. Thanks to Brad for providing details.

Because of this and other security relevant bugfixes contained in the v1.2.3 release, all people using the JAIL module are requested to update ASAP to RSBAC v1.2.3 with this bugfix applied. Pre-patched kernel updates will soon follow.

One important note: When upgrading from previous versions to v1.2.3, you must change your calls to rsbac_jail, because the syntax has changed. I also recommend restricting the Linux capabilities available to your jailed services with the new JAIL cap restriction feature.

3. JAIL: suid/sgid files can be created inside jail

* Urgency: Medium.
* What you see: Programs can create suid and sgid files with sys_creat, sys_open and sys_mknod inside jails.
* What is wrong: In the JAIL module CREATE check, the corresponding mode values are not checked.
* Implications: Possible indirect privilege escalation inside the jail.
* Credits: Thanks to Brad Sprengler for reporting this bug.
* RSBAC versions affected: 1.2.2-1.2.3.
* What you should do: Apply this patch (MD5 / GnuPG Cert) to get the bug corrected, recompile the kernel, reinstall and reboot.

Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

_______________________________________________
rsbac mailing list
rsbac<at.rsbac.org
http://www.rsbac.org/mailman/listinfo/rsbac