[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: [redhat-lspp] Getting rid of multilevel objects

From: Casey Schaufler <casey schaufler-ca com>
To: Klaus Weidner <klaus atsec com>
Cc: Joe Nall <joe nall com>, lspp-list <redhat-lspp redhat com>, Chad Hanson <chanson TrustedCS com>, "Knoke, Jim \(US SSA\)" <jim knoke baesystems com>
Subject: Re: [redhat-lspp] Getting rid of multilevel objects
Date: Fri, 7 Jul 2006 12:48:40 -0700 (PDT)


--- Klaus Weidner <klaus atsec com> wrote:

> PTY devices are currently a problem. It's simple for
> a user cleared for a
> range of labels to create a program that
> declassifies information without
> needing any special privileges. For example:
> 
> - running at the low level, create a pty
> master/slave pair.
> 
> - on the slave end, spawn newrole to switch to a
> high level, send your
>   password through the pty.

The newrole analog on one Unix MLS system,
"su -M <maclabel>" closes all open descriptors
to prevent such a problem.

The problem here is not with the pty, rather
with newrole, which oughtn't keep descriptors
open if it is changing MLS label.

> - on the slave end, execute "cat secret_file".
> 
> - as unprivileged process, read the secret data from
> the pty master end
>   and write it to a low file.



Casey Schaufler
casey schaufler-ca com

Follow-Ups:
- Re: [redhat-lspp] Getting rid of multilevel objects
  - From: Klaus Weidner

References:
- Re: [redhat-lspp] Getting rid of multilevel objects
  - From: Klaus Weidner

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]