Re: More PATH fallout. Who decided this was a good idea?

On Sat, 2008-12-06 at 07:45 -0500, Steve Grubb wrote:
> On Saturday 06 December 2008 00:55:24 Jesse Keating wrote:
> >  These are required to be this way for our Common Criteria evaluations.
> >
> > Is the thought here that if the code can be executed by a non-root user,
> > the audit of the code would have to be far more strict?
> 
> No, it has more to do with the fact that we have to audit all attempts to 
> modify trusted databases - in this case, shadow. No one can use these tools 
> since they do not have the permissions required to be successful. So, we 
> remove the ability to use these tools so that we don't have to audit it. 

So "cat >> /etc/shadow" is audited?

> IOW, if we open the permissions, we need to make these become setuid root so 
> that we send audit events saying they failed.
> 
> 
> > I'm just curious what added security you really get.
> 
> It's not so much a security thing as much as it's a certification thing. An 
> ordinary user cannot possibly use these tools since they do not have the 
> requisite permissions.

Yet "vi /etc/shadow" is okay? Is that audited? It's sounding like the
certification board's idea of "attempting to modify trusted databases"
is far detached from reality.

Unix security happens at the syscall layer and given the focus on the
filesystem, at the filesystem layer. If you're not auditing *every*
attempt to open() /etc/shadow at the syscall layer it sounds to me like
you are doing it wrong.

Attachment: signature.asc
Description: This is a digitally signed message part

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
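
The following is an added example, not part of the original message or of the audit project's code: it shows what auditing opens of /etc/shadow at the syscall layer looks like from the log side, by joining SYSCALL and PATH records and listing every attempt, including the denied ones from "cat" and "vi". The watch rule, the key name `shadow-access` and the log records are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records in the auditd log layout (not taken from the thread).
# Assumed rule that would emit them: -w /etc/shadow -p rwa -k shadow-access
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1228567524.101:311): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=4102 auid=500 uid=500 euid=500 comm="cat" exe="/bin/cat" key="shadow-access"
type=PATH msg=audit(1228567524.101:311): item=0 name="/etc/shadow" inode=98311 mode=0100400 ouid=0 ogid=0
type=SYSCALL msg=audit(1228567530.482:312): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=4107 auid=500 uid=500 euid=500 comm="vi" exe="/usr/bin/vi" key="shadow-access"
type=PATH msg=audit(1228567530.482:312): item=0 name="/etc/shadow" inode=98311 mode=0100400 ouid=0 ogid=0
type=SYSCALL msg=audit(1228567541.007:313): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=4110 auid=500 uid=500 euid=0 comm="passwd" exe="/usr/bin/passwd" key="shadow-access"
type=PATH msg=audit(1228567541.007:313): item=0 name="/etc/shadow" inode=98311 mode=0100400 ouid=0 ogid=0
type=SYSCALL msg=audit(1228567550.900:314): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=4111 auid=500 uid=500 euid=500 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1228567550.900:314): item=0 name="/etc/passwd" inode=98300 mode=0100644 ouid=0 ogid=0
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")   # timestamp:serial
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')                # key=value or key="value"


def shadow_opens(log_text, target="/etc/shadow"):
    """Join SYSCALL and PATH records by event serial; return opens of target
    as (exe, login uid, succeeded, exit code) tuples in event order."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        rec = events[m.group(2)]
        if fields.get("type") == "SYSCALL":
            rec.update(fields)
        elif fields.get("type") == "PATH":
            rec.setdefault("paths", []).append(fields.get("name"))
    hits = []
    for serial in sorted(events, key=int):
        rec = events[serial]
        if "syscall" in rec and target in rec.get("paths", []):
            hits.append((rec["exe"], int(rec["auid"]),
                         rec["success"] == "yes", int(rec["exit"])))
    return hits


def denied_attempts(log_text):
    """Failed opens only (exit -13 is EACCES in the sample)."""
    return [h for h in shadow_opens(log_text) if not h[2]]
```

The denied opens are recorded no matter which program issued them, which is the point of auditing at the syscall layer rather than per tool.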
