coreutils

Re: Some options I would like to see on AIX


From: Pádraig Brady
Subject: Re: Some options I would like to see on AIX
Date: Fri, 05 Jun 2015 19:14:04 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0

On 05/06/15 18:53, Ray Dillinger wrote:
> 
> 
> On 06/05/2015 08:59 AM, Eric Blake wrote:
>> On 06/05/2015 08:44 AM, Michael Felt wrote:
> 
>> xattrs can include more than ACLs; and meanwhile, while ACLs are often
>> implemented by xattrs they can also be implemented in other means.
>> Which is why libvirt shows '.' for the presence of xattrs that don't
>> affect ACL.
>>
>> On a Linux system, look at the output of 'getfacl' on a directory and
>> file, where the directory shows with '+' but the file does not, to
>> compare the two different ACL settings.
> 
> My problem with ACL settings is that they are still user-based,
> and our biggest security problem these days is not with root
> trusting users, it's with users trusting software.  We need
> user-based permissions, certainly, to allow root to stop
> malicious hackers from compromising the system, but now we
> also need software-based permissions, to allow users to stop
> buggy or malicious but unsuspected programs from using their
> own privileges to compromise their own assets.
> 
> This follows directly from the fact that users - not just
> root, but people who have ordinary user accounts - are now
> running programs which they are not themselves competent
> to examine or bugfix or even evaluate as security risks,
> while simultaneously trying to protect assets which are
> terrifyingly valuable (bitcoin wallets, customer credit
> card databases, etc) or damaging if compromised, but which
> have nothing to do with the system security that classical
> permissions (and ACLs) are designed to protect.
> 
> The users need to be able to manage the delegation to programs
> of their own privileges over files and network access. So a
> user ought to be able to enter a 'chmod-like' command to say
> that their rights to read and write their customer database
> may be extended to absolutely no program other than their
> accounting software, and then not worry about insecure
> downloaded software or buggy browsers exploited by malicious
> mobile code, etc, gaining their own privileges and using them
> to steal that file.  Or, just as important, that their network
> access privilege may not be delegated to programs other than
> those which access the network for known purposes that the
> user approves of, nor may those programs delegate these
> permissions to any others.
> 
> Is there any way on a linux system to give particular programs
> different permissions other than having them pretend to be a
> different user or setting up a dedicated VM for every damned
> application?  I sort of don't want thousands of fake users
> (or tens of thousands of VMs) on my system; it's abuse of
> mechanisms intended for something else, and can't reasonably
> be managed by the users themselves whose assets we need them
> to have a way to protect.
> 
>                               Bear

Seems like you're describing Mandatory Access Control
(compared to the traditional Discretionary Access Control).

The kernel will first do DAC checks (file permissions + ACLs),
then MAC checks (implemented by various LSMs in the Linux kernel).

SELinux is one of the most well known MAC implementations on Linux.

cheers,
Pádraig.
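As an added illustration (not part of this thread; all names, labels and the policy table are constructed), a small Python model of the check order Pádraig describes: the DAC step evaluates mode bits plus POSIX ACL entries in the order acl(5) specifies, and only if that passes does a MAC step, keyed here by the calling program's label rather than the user, get to veto the access.

```python
"""Toy model of DAC-then-MAC ordering. Added example, not kernel or
coreutils code. Subjects, objects, labels and policy are constructed."""
from dataclasses import dataclass, field

R, W = 4, 2  # permission bits used by the checks below

@dataclass
class Inode:
    owner: str
    group: str
    mode: tuple                                      # (owner, group, other) bits
    acl_users: dict = field(default_factory=dict)    # named user -> bits
    acl_groups: dict = field(default_factory=dict)   # named group -> bits
    mask: int = 7                                    # ACL mask caps non-owner entries

def dac_allows(inode, uid, gids, want):
    """POSIX ACL evaluation: owner, named user, owning/named groups (masked), other."""
    if uid == inode.owner:
        return inode.mode[0] & want == want
    if uid in inode.acl_users:
        return inode.acl_users[uid] & inode.mask & want == want
    grp_bits = [inode.mode[1] for g in gids if g == inode.group]
    grp_bits += [b for g, b in inode.acl_groups.items() if g in gids]
    if grp_bits:  # a matching group entry must itself grant every requested bit
        return any(b & inode.mask & want == want for b in grp_bits)
    return inode.mode[2] & want == want

# Constructed MAC policy: which program labels may touch which object labels.
MAC_POLICY = {"accounting_t": {"customer_db_t": R | W}, "browser_t": {}}

def mac_allows(prog_label, obj_label, want):
    """MAC hook: can refuse an access DAC allowed, never grant one it refused."""
    return MAC_POLICY.get(prog_label, {}).get(obj_label, 0) & want == want

def may_access(inode, obj_label, uid, gids, prog_label, want):
    """Kernel order: DAC first; MAC is consulted only when DAC passed."""
    if not dac_allows(inode, uid, gids, want):
        return False
    return mac_allows(prog_label, obj_label, want)

if __name__ == "__main__":
    db = Inode("bear", "staff", (R | W, 0, 0), acl_users={"alice": R | W}, mask=R)
    print(may_access(db, "customer_db_t", "bear", ["staff"], "accounting_t", R | W))  # True
    print(may_access(db, "customer_db_t", "bear", ["staff"], "browser_t", R))         # False
```

The same user is allowed or refused depending only on which program is asking, which is the per-program delegation the quoted message asks for; the ACL mask example shows why a named-user entry can still lose write access.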


