coreutils

Re: Some options I would like to see on AIX


From: Ray Dillinger
Subject: Re: Some options I would like to see on AIX
Date: Fri, 05 Jun 2015 10:53:09 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.7.0


On 06/05/2015 08:59 AM, Eric Blake wrote:
> On 06/05/2015 08:44 AM, Michael Felt wrote:

> xattrs can include more than ACLs; and meanwhile, while ACLs are often
> implemented by xattrs they can also be implemented in other means.
> Which is why libvirt shows '.' for the presence of xattrs that don't
> affect ACL.
> 
> On a Linux system, look at the output of 'getfacl' on a directory and
> file, where the directory shows with '+' but the file does not, to
> compare the two different ACL settings.

My problem with ACL settings is that they are still user-based,
and our biggest security problem these days is not with root
trusting users, it's with users trusting software.  We need
user-based permissions, certainly, to allow root to stop
malicious hackers from compromising the system, but now we
also need software-based permissions, to allow users to stop
buggy or malicious but unsuspected programs from using their
own privileges to compromise their own assets.

This follows directly from the fact that users - not just
root, but people who have ordinary user accounts - are now
running programs which they are not themselves competent
to examine or bugfix or even evaluate as security risks,
while simultaneously trying to protect assets which are
terrifyingly valuable (bitcoin wallets, customer credit
card databases, etc.) or damaging if compromised, but which
have nothing to do with the system security that classical
permissions (and ACLs) are designed to protect.

The users need to be able to manage the delegation to programs
of their own privileges over files and network access. So a
user ought to be able to enter a 'chmod-like' command to say
that their rights to read and write their customer database
may be extended to absolutely no program other than their
accounting software, and then not worry about insecure
downloaded software or buggy browsers exploited by malicious
mobile code, etc., gaining their own privileges and using them
to steal that file.  Or, just as important, that their network
access privilege may not be delegated to programs other than
those which access the network for known purposes that the
user approves of, nor may those programs delegate these
permissions to any others.

Is there any way on a Linux system to give particular programs
different permissions other than having them pretend to be a
different user or setting up a dedicated VM for every damned
application?  I sort of don't want thousands of fake users
(or tens of thousands of VMs) on my system; it's abuse of
mechanisms intended for something else, and can't reasonably
be managed by the users themselves whose assets we need them
to have a way to protect.

                                Bear

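The distinction Eric draws above between "an ACL is stored" and "some other xattr is present" can be checked directly from the xattr names on an inode. The following Python is an added example, not code from the thread or from coreutils: it reads each path's xattr names with os.listxattr and maps them to the same '+', '.' or ' ' indicator that a long listing prints, then groups a directory tree by that indicator so files carrying a real ACL can be reviewed apart from files that merely carry an SELinux label or a user.* attribute. The set of ACL-carrying xattr names is an assumption of the example (POSIX access/default ACLs and NFSv4 ACLs); it does not address the per-program delegation Ray asks for.

```python
import errno
import os
from typing import Dict, Iterable, List

# xattr names under which Linux filesystems store ACLs. Any other name
# (security.selinux, user.*, trusted.*, ...) is an xattr that does not
# change the ACL. Assumption of this example, not a coreutils list.
ACL_XATTRS = frozenset({
    "system.posix_acl_access",
    "system.posix_acl_default",
    "system.nfs4_acl",
})


def classify_xattrs(names: Iterable[str]) -> str:
    """Map the xattr names of one inode to an ls -l style indicator:
    '+' an ACL is stored, '.' xattrs present but none is an ACL,
    ' ' no xattrs at all."""
    present = set(names)
    if present & ACL_XATTRS:
        return "+"
    if present:
        return "."
    return " "


def inspect_path(path: str) -> str:
    """Classify *path* without following symlinks. A filesystem that
    cannot store xattrs (ENOTSUP) cannot store an ACL either, so it is
    reported as ' '; other errors (missing path, EACCES) propagate."""
    try:
        names = os.listxattr(path, follow_symlinks=False)
    except OSError as exc:
        if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            return " "
        raise
    return classify_xattrs(names)


def audit_tree(root: str) -> Dict[str, List[str]]:
    """Walk *root* and group every directory and file by indicator."""
    groups: Dict[str, List[str]] = {"+": [], ".": [], " ": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            groups[inspect_path(p)].append(p)
    return groups


if __name__ == "__main__":
    import sys
    for mark, paths in audit_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"[{mark}] {len(paths)} path(s)")
```

Run it against a directory where `ls -l` shows a '+' on the directory but not on the files to see the two groups separated.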