--- Klaus Weidner <[EMAIL PROTECTED]> wrote:
> PTY devices are currently a problem. It's simple for a user cleared for a
> range of labels to create a program that declassifies information without
> needing any special privileges. For example:
>
> - running at the low level, create a pty master/slave pair.
>
> - on the slave end, spawn newrole to switch to a high level, send your
>   password through the pty.

The newrole analog on one Unix MLS system, "su -M <maclabel>" closes
all open descriptors to prevent such a problem. The problem here is
not with the pty, rather with newrole, which oughtn't keep descriptors
open if it is changing MLS label.

> - on the slave end, execute "cat secret_file".
>
> - as unprivileged process, read the secret data from the pty master end
>   and write it to a low file.

Casey Schaufler
[EMAIL PROTECTED]

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
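
Added example, not part of the original message and not the code of newrole or of "su -M": one way a label-changing program could drop every inherited descriptor before it switches level, the behaviour the reply above describes. The function names are hypothetical, a pipe stands in for the pty, and /proc/self/fd is assumed to be available (Linux), with a full sweep as fallback.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: close every open descriptor >= lowfd.
 * Returns the number closed, or -1 if the table size is unknown. */
int close_all_inherited(int lowfd)
{
    int closed = 0;
    DIR *d = opendir("/proc/self/fd");      /* lists only descriptors that are open */
    if (d) {
        struct dirent *e;
        while ((e = readdir(d)) != NULL) {
            char *end;
            long fd = strtol(e->d_name, &end, 10);
            if (end == e->d_name || *end != '\0') continue;  /* "." and ".." */
            if (fd < lowfd || fd == dirfd(d)) continue;      /* keep the DIR's own fd */
            if (close((int)fd) == 0) closed++;
        }
        closedir(d);
        return closed;
    }
    long max = sysconf(_SC_OPEN_MAX);       /* no /proc: sweep the whole table */
    if (max < 0) return -1;
    for (long fd = lowfd; fd < max; fd++)
        if (close((int)fd) == 0) closed++;
    return closed;
}

/* Constructed check: a child inherits a pipe (standing in for the pty) and scrubs
 * its descriptors as a label-changing program would before exec at the new label.
 * Returns 0 if neither pipe end survives in the child, 1 if one leaked, -1 on error. */
int label_change_demo(void)
{
    int p[2], status;
    if (pipe(p) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close_all_inherited(0);             /* includes stdin, stdout and stderr */
        int leaked = fcntl(p[0], F_GETFD) != -1 || fcntl(p[1], F_GETFD) != -1;
        for (int i = 0; i < 3; i++)         /* refill 0..2 so later opens cannot land there */
            if (open("/dev/null", O_RDWR) != i) _exit(2);
        _exit(leaked ? 1 : 0);
    }
    close(p[0]); close(p[1]);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

The example assumes the program opens any terminal it needs only after the label change, so that the new descriptor is created at the new level.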
