On 05/06/15 18:53, Ray Dillinger wrote:
>
>
> On 06/05/2015 08:59 AM, Eric Blake wrote:
>> On 06/05/2015 08:44 AM, Michael Felt wrote:
>
>> xattrs can include more than ACLs; and meanwhile, while ACLs are often
>> implemented by xattrs they can also be implemented in other means.
>> Which is why libvirt shows '.' for the presence of xattrs that don't
>> affect ACL.
>>
>> On a Linux system, look at the output of 'getfacl' on a directory and
>> file, where the directory shows with '+' but the file does not, to
>> compare the two different ACL settings.
>
> My problem with ACL settings is that they are still user-based,
> and our biggest security problem these days is not with root
> trusting users, it's with users trusting software. We need
> user-based permissions, certainly, to allow root to stop
> malicious hackers from compromising the system, but now we
> also need software-based permissions, to allow users to stop
> buggy or malicious but unsuspected programs from using their
> own privileges to compromise their own assets.
>
> This follows directly from the fact that users - not just
> root, but people who have ordinary user accounts - are now
> running programs which they are not themselves competent
> to examine or bugfix or even evaluate as security risks,
> while simultaneously trying to protect assets which are
> terrifyingly valuable (bitcoin wallets, customer credit
> card databases, etc.) or damaging if compromised, but which
> have nothing to do with the system security that classical
> permissions (and ACLs) are designed to protect.
>
> The users need to be able to manage the delegation to programs
> of their own privileges over files and network access. So a
> user ought to be able to enter a 'chmod-like' command to say
> that their rights to read and write their customer database
> may be extended to absolutely no program other than their
> accounting software, and then not worry about insecure
> downloaded software or buggy browsers exploited by malicious
> mobile code, etc., gaining their own privileges and using them
> to steal that file. Or, just as important, that their network
> access privilege may not be delegated to programs other than
> those which access the network for known purposes that the
> user approves of, nor may those programs delegate these
> permissions to any others.
>
> Is there any way on a Linux system to give particular programs
> different permissions other than having them pretend to be a
> different user or setting up a dedicated VM for every damned
> application? I sort of don't want thousands of fake users
> (or tens of thousands of VMs) on my system; it's abuse of
> mechanisms intended for something else, and can't reasonably
> be managed by the users themselves whose assets we need them
> to have a way to protect.
>
> Bear
Seems like you're describing Mandatory Access Control (compared to the
traditional Discretionary Access Control). The kernel will first do DAC
checks (file permissions + ACLs), then MAC checks (implemented by various
LSMs in the Linux kernel). SELinux is one of the most well known MAC
implementations on Linux.

cheers,
Pádraig.
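The reply above states the evaluation order (DAC, then MAC) and the earlier quote mentions the '+' that getfacl/ls show when a file carries extra ACL entries. The following toy model, added here as an illustration and not code from the thread or from any LSM, puts both together: a discretionary check over mode bits and a POSIX-style ACL, followed by a mandatory check against a per-program-label policy, which is exactly the kind of "only my accounting software may touch my customer database" rule Bear asked for. The labels (accounting_t, browser_t, customer_db_t), the policy table and the sample files are constructed for the example; real SELinux or AppArmor policy languages and the POSIX ACL mask entry are not modelled.

```python
"""Toy model of Linux access checks in kernel order: DAC first (mode bits
plus a POSIX-style ACL), then MAC (a per-program-label policy table).

Added illustration, not code from the thread or from any LSM.  Labels,
policy entries and sample files below are constructed; the POSIX ACL mask
and the real SELinux/AppArmor policy languages are deliberately omitted.
"""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # permission bits, as in the chmod octal digits


@dataclass
class Inode:
    owner: str
    group: str
    mode: tuple                               # (owner bits, group bits, other bits)
    acl: dict = field(default_factory=dict)   # "user:NAME" / "group:NAME" -> bits
    label: str = "unlabeled_t"                # MAC label (an LSM keeps this in an xattr)


@dataclass
class Subject:
    user: str
    groups: frozenset
    program_label: str                        # label of the program doing the access


def dac_allowed(subj, inode, want):
    """Discretionary check: owner, then named ACL user, then group class, then other."""
    if subj.user == inode.owner:
        return (inode.mode[0] & want) == want
    named = inode.acl.get(f"user:{subj.user}")
    if named is not None:
        return (named & want) == want
    # Group class: any matching entry that grants the bits allows; matches
    # that do not grant them deny; no match at all falls through to "other".
    matched = []
    if inode.group in subj.groups:
        matched.append(inode.mode[1])
    matched += [bits for g in subj.groups
                if (bits := inode.acl.get(f"group:{g}")) is not None]
    if matched:
        return any((bits & want) == want for bits in matched)
    return (inode.mode[2] & want) == want


# Constructed MAC policy: (program label, file label) -> permitted bits.
# Anything not listed is denied, the default-deny stance SELinux takes.
MAC_POLICY = {
    ("accounting_t", "customer_db_t"): R | W,
    ("browser_t", "web_cache_t"): R | W,
}


def mac_allowed(subj, inode, want):
    """Mandatory check against the policy table; unconfined programs bypass it."""
    if subj.program_label == "unconfined_t":
        return True
    return (MAC_POLICY.get((subj.program_label, inode.label), 0) & want) == want


def access(subj, inode, want):
    """Kernel order: DAC decides first, MAC is consulted only if DAC passed.
    Returns (allowed, name of the check that decided)."""
    if not dac_allowed(subj, inode, want):
        return False, "dac"
    if not mac_allowed(subj, inode, want):
        return False, "mac"
    return True, "ok"


# Constructed sample files.  CUSTOMER_DB is mode 0600 plus an ACL entry for
# bob (the extra entry is what makes ls/getfacl show a '+'); its label means
# only accounting_t programs pass the MAC check, whoever the user is.
CUSTOMER_DB = Inode("alice", "alice", (R | W, 0, 0),
                    acl={"user:bob": R}, label="customer_db_t")
WEB_CACHE = Inode("alice", "alice", (R | W, R, 0), label="web_cache_t")


def demo():
    """Decisions for the scenarios discussed in the thread."""
    alice_acct = Subject("alice", frozenset({"alice"}), "accounting_t")
    alice_browser = Subject("alice", frozenset({"alice"}), "browser_t")
    bob_acct = Subject("bob", frozenset({"bob"}), "accounting_t")
    carol = Subject("carol", frozenset({"carol"}), "accounting_t")
    return {
        "owner, accounting program": access(alice_acct, CUSTOMER_DB, R | W),
        "owner, browser (DAC passes, MAC denies)": access(alice_browser, CUSTOMER_DB, R),
        "bob via ACL entry, accounting program": access(bob_acct, CUSTOMER_DB, R),
        "bob via ACL entry, write not granted": access(bob_acct, CUSTOMER_DB, W),
        "carol, no DAC rights at all": access(carol, CUSTOMER_DB, R),
        "owner, browser on its own cache": access(alice_browser, WEB_CACHE, W),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:42s} -> {result}")
```

The second scenario is the one that matters for Bear's question: alice owns the file, so classical permissions and ACLs say yes, and it is only the program-keyed MAC rule that stops her browser from reading it. The `"dac"`/`"mac"` tag returned by `access` mirrors what a real system would log (a plain EACCES versus an AVC denial), which is how an administrator tells the two layers apart when debugging a policy.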
