On Friday 10 February 2006 05:13, Steve G <linux_4ever@xxxxxxxxx> wrote:
> >so in the absence of SELinux (e.g. CAPP-only configuration), any uid 0
> > process can mutate its loginuid later to mask the original one,
>
> Or it can delete the audit logs or re-write syslog or install a rootkit
> covering everything up. The only defence against this kind of tampering is
> remote logging.
>
> >and in the presence of SELinux, any program authorized for audit_control
> > can mutate its loginuid later (so a smaller exposure, but still a
> > possibility).
>
> So...why doesn't policy restrict this even further so that the 10 apps that
> need to set this are the *only* ones that can do so?
>
> The list is: login, sshd, vsftpd, postfix, procmail, cron, at, gdm, kdm, &
> xdm.

Also every other mail server including Sendmail.

The Postfix code supports multiple deliveries initiated from the one local
process and I wrote code to reset the auid for this. This is one thing that I
think is a bad idea, in fact I'll suggest to Wietse that Postfix be changed to
only have one delivery per instance of the local process, fork() is cheap by
any measure and particularly when compared to all the synchronous disk IO that
occurs when a mail server is doing delivery.

Does procmail really need this?

As for Sendmail, one program which does EVERYTHING including the ability to
reset auid.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
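
An added example, not part of the original message and not code from the audit or Postfix projects: a Python check over kernel LOGIN audit records that flags any event overwriting an already-set loginuid, which is the mutation discussed in this thread. The sample log lines, including the `subj=` value, are constructed, and the check assumes the records are read from a copy shipped off-host, since local logs can be rewritten as noted above.

```python
import re

UNSET_AUID = 4294967295  # (uid_t)-1: loginuid has not been set yet

# Accepts both the older "old auid=N new auid=M" layout and the newer
# "old-auid=N auid=M" layout of the kernel's LOGIN audit record.
LOGIN_RE = re.compile(
    r"type=LOGIN msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):.*?"
    r"\bpid=(?P<pid>\d+) uid=(?P<uid>\d+).*?"
    r"old[ -]auid=(?P<old>\d+) (?:new )?auid=(?P<new>\d+)"
)

def find_loginuid_resets(lines):
    """Return LOGIN events that replace an already-set loginuid."""
    hits = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not a LOGIN record, or an unknown layout
        old, new = int(m["old"]), int(m["new"])
        # The first assignment at login goes from UNSET_AUID to the user.
        # Anything else changes an identity that was already recorded.
        if old != UNSET_AUID and old != new:
            hits.append({
                "serial": int(m["serial"]),
                "pid": int(m["pid"]),
                "uid": int(m["uid"]),
                "old_auid": old,
                "new_auid": new,
            })
    return hits

# Constructed sample records (not taken from a real system).
SAMPLE_LOG = [
    "type=LOGIN msg=audit(1139548380.123:45): login pid=2345 uid=0 "
    "old auid=4294967295 new auid=500",
    "type=LOGIN msg=audit(1139548395.871:52): login pid=2345 uid=0 "
    "old auid=500 new auid=0",
    "type=LOGIN msg=audit(1139548401.500:61): pid=2410 uid=0 "
    "subj=system_u:system_r:example_t:s0 old-auid=500 auid=501 "
    "tty=(none) old-ses=2 ses=3 res=1",
    "type=USER_START msg=audit(1139548402.010:62): pid=2410 uid=0 auid=501",
]

if __name__ == "__main__":
    for hit in find_loginuid_resets(SAMPLE_LOG):
        print(hit)
```

A legitimate multi-delivery agent that resets the auid, as described for the Postfix local process, will also appear in the output, so the results need to be compared against the programs expected to hold audit_control.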