[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: auid



On Friday 10 February 2006 05:13, Steve G <linux_4ever yahoo com> wrote:
> >so in the absence of SELinux (e.g. CAPP-only configuration), any uid 0
> > process can mutate its loginuid later to mask the original one,
>
> Or it can delete the audit logs or re-write syslog or install a rootkit
> covering everything up. The only defence against this kind of tampering is
> remote logging.
>
> >and in the presence of SELinux, any program authorized for audit_control
> > can mutate its loginuid later (so a smaller exposure, but still a
> > possibility).
>
> So...why doesn't policy restrict this even further so that the 10 apps that
> need to set this are the *only* ones that can do so?
>
> The list is: login, sshd, vsftpd, postfix, procmail, cron, at, gdm, kdm, &
> xdm.

Also every other mail server including Sendmail.

The Postfix code supports multiple deliveries initiated from the one local 
process and I wrote code to reset the auid for this.  This is one thing that 
I think is a bad idea, in fact I'll suggest to Wietse that Postfix be changed 
to only have one delivery per instance of the local process, fork() is cheap 
by any measure and particularly when compared to all the synchronous disk IO 
that occurs when a mail server is doing delivery.

Does procmail really need this?

As for Sendmail, one program which does EVERYTHING including the ability to 
reset auid.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]