
Re: /sbin/restorecon and hard links



On Wed, 2006-02-15 at 14:19 +0100, Erik Sjölund wrote:
> [root e /]# cat /etc/redhat-release
> Fedora Core release 4 (Stentz)
> [root e /]# adduser erik
> [root e /]# su - erik
> [erik e ~]$ ln /etc/passwd .
> [erik e ~]$ exit
> [root e /]#  ls -lZ /etc/passwd
> -rw-r--r--  root     root   system_u:object_r:etc_t          /etc/passwd
> [root e /]# restorecon -R /home
> [root e /]# ls -lZ /etc/passwd
> -rw-r--r--  root     root   user_u:object_r:user_home_t      /etc/passwd
> 
> Should it be like that?
> 
> /sbin/restorecon -R /home
> 
> might lead to strange security contexts for files belonging to root.

Yes, running restorecon on /home by root considered harmful,
particularly under targeted policy.  Under strict policy, a user can't
create hard links to system files (controlled by the 'link' permission),
which helps avoid the problem, and restorecon and setfiles aren't
allowed to follow untrustworthy symlinks by the policy.  setfiles also
contains code to check for multiple hard links with conflicting matches,
so if you run setfiles on /, it should complain about the discrepancy,
but restorecon doesn't do that and even if it did it naturally can't
tell that when it is just run on /home.

-- 
Stephen Smalley
National Security Agency
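
An added example, not part of the original thread: a pre-check an administrator could run before `restorecon -R` on a user-writable tree, listing regular files under the tree whose inode also has a hard link outside it (the `/etc/passwd` case shown above). The function name `links_escaping_tree` and the temporary directory layout are assumptions made for illustration.

```python
import os
import stat
import tempfile
from collections import defaultdict


def links_escaping_tree(root):
    """Map (st_dev, st_ino) -> paths under `root` for regular files that
    also have at least one hard link somewhere outside `root`."""
    found = defaultdict(list)   # inode -> names for it seen under root
    nlink = {}                  # inode -> total link count from lstat()
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # never follow symlinks
            except OSError:
                continue                     # removed while we were walking
            if not stat.S_ISREG(st.st_mode) or st.st_nlink < 2:
                continue
            key = (st.st_dev, st.st_ino)
            found[key].append(path)
            nlink[key] = st.st_nlink
    # Fewer names under root than the link count: another name lives outside,
    # so a relabel of root would also relabel that outside file.
    return {k: sorted(v) for k, v in found.items() if len(v) < nlink[k]}


if __name__ == "__main__":
    # Constructed tree standing in for /etc and /home (assumption).
    base = tempfile.mkdtemp()
    etc, home = os.path.join(base, "etc"), os.path.join(base, "home", "erik")
    os.makedirs(etc)
    os.makedirs(home)
    with open(os.path.join(etc, "passwd"), "w") as f:
        f.write("root:x:0:0::/root:/bin/sh\n")
    os.link(os.path.join(etc, "passwd"), os.path.join(home, "passwd"))
    for paths in links_escaping_tree(os.path.join(base, "home")).values():
        print("link to a file outside the tree:", ", ".join(paths))
```

The result is a point-in-time view: a link created after the scan and before the relabel is not caught, so the check narrows the problem without replacing the policy's 'link' permission control.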

