Questions about MAC

Peter Pentchev roam at ringlet.net
Sun Jan 4 23:27:57 PST 2004


On Sat, Jan 03, 2004 at 12:50:24AM +0100, Jaroslaw Nozderko wrote:
> FreeBSD 5.1-RELEASE
> 
> Hi,
> 
> I'm examining Biba and MLS MAC policies and something is
> not clear for me. Unless I'm doing something wrong,
> it seems policies are enforced only for reading, but
> not writing.
> 
> 1) Biba
> 
> I've created test file with biba/127 label:
> 
> $ echo "Message" > file_biba_127.txt
> 
> $ setfmac biba/127 file_biba_127.txt
[snip]
> - Writing:
> 
> $ setpmac biba/high echo "High" >> file_biba_127.txt
> 
> $ setpmac biba/128 echo "128" >> file_biba_127.txt
> 
> $ setpmac biba/127 echo "127" >> file_biba_127.txt
> 
> -- Should the following 2 commands succeed ?
> $ setpmac biba/126 echo "126" >> file_biba_127.txt
> $ setpmac biba/low echo "low" >> file_biba_127.txt

What happens if you try:

  setpmac biba/126 sh -c 'echo "126" >> file_biba_127.txt'
  setpmac biba/low sh -c 'echo "low" >> file_biba_127.txt'

Using your commands, the policy set by setpmac(8) only applies to the
echo command itself, not to the attempt to write to the file.  The file
appending is handled by your shell - all redirections are handled by the
shell - and the shell is *not* subject to policy restrictions set by its
own child processes.

This is the same "issue" that you can see by trying the following:

[roam at straylight ~]> whoami
roam
[roam at straylight ~]> who am i
roam             ttyp3     5 Jan 08:42 (10.0.12.18:S.3)
[roam at straylight ~]> id
uid=1000(roam) gid=0(wheel) groups=0(wheel), 5(operator)
[roam at straylight ~]> sudo touch foo
otp-md5 452 st7459 ext
Password:
[roam at straylight ~]> sudo chmod 600 foo
[roam at straylight ~]> cat foo
cat: foo: Permission denied
[roam at straylight ~]> sudo echo blah >> foo
foo: Permission denied.
[roam at straylight ~]> sudo sh -c 'echo blah >> foo'
[roam at straylight ~]> cat foo
cat: foo: Permission denied
[roam at straylight ~]> sudo cat foo
blah
[roam at straylight ~]>

The 'sudo echo blah >> foo' command does not succeed, since the
redirection is attempted by my own shell still running as my own
account, 'roam', which does not have write access to the new file; only
the 'echo blah' command is executed with root privileges.  The next
attempt, executing a shell to perform the redirection, succeeds.

G'luck,
Peter

-- 
Peter Pentchev	roam at ringlet.net    roam at sbnd.net    roam at FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
I've heard that this sentence is a rumor.
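
[Added example, not part of the message above. It reproduces the mechanism
Peter describes for both the setpmac(8) and the sudo(8) case with nothing
but a POSIX shell: a '>>' redirection is opened by the shell that parses
the command line, in that shell's own context, before the command to the
left of it is started. The post's context is a MAC label or a uid; here
the context that differs is the working directory, which needs no
privilege and no MAC kernel. The run_in function is a hypothetical
stand-in for setpmac/sudo, and the file and directory names are made up
for the demonstration.]

```shell
#!/bin/sh
# Added example, not from the original message. Shows that '>>' is resolved
# by the invoking shell, in its own context, before the left-hand command
# runs. The post's context is a MAC label (setpmac) or a uid (sudo); here it
# is the working directory, which needs no privilege.

# run_in DIR CMD...: hypothetical stand-in for setpmac(8)/sudo(8). It
# switches context (chdir to DIR) and then runs CMD in that context.
run_in() {
    _dir=$1
    shift
    ( cd "$_dir" && "$@" )
}

# Scratch directory; explicit template so it works with BSD and GNU mktemp.
scratch() {
    mktemp -d "${TMPDIR:-/tmp}/redir.XXXXXX"
}

# Mirror of 'setpmac biba/126 echo "126" >> file': the redirection is
# resolved by the caller, so out.txt lands in the caller's directory and
# never in the context run_in switched to. Returns 0 if that is observed.
redirect_resolved_by_caller() {
    caller_dir=$(scratch)
    target_dir=$(scratch)
    ( cd "$caller_dir" && run_in "$target_dir" echo "written" >> out.txt )
    if [ -f "$caller_dir/out.txt" ] && [ ! -f "$target_dir/out.txt" ]; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$caller_dir" "$target_dir"
    return $rc
}

# Mirror of "setpmac biba/126 sh -c 'echo "126" >> file'": the child shell
# parses the redirection itself, after the context switch, so the file is
# created in the target context. Returns 0 if that is observed.
redirect_resolved_by_child() {
    caller_dir=$(scratch)
    target_dir=$(scratch)
    ( cd "$caller_dir" && run_in "$target_dir" sh -c 'echo "written" >> out.txt' )
    if [ ! -f "$caller_dir/out.txt" ] && [ -f "$target_dir/out.txt" ]; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$caller_dir" "$target_dir"
    return $rc
}

if redirect_resolved_by_caller; then
    echo "cmd >> file         : redirection opened by the invoking shell"
fi
if redirect_resolved_by_child; then
    echo "sh -c 'cmd >> file' : redirection opened by the child shell"
fi
```

Substitute "cwd" with "uid" or "MAC label" and the two functions are
exactly the 'sudo echo blah >> foo' versus "sudo sh -c 'echo blah >> foo'"
pair from the transcript above. Two practical notes that are mine, not the
post's: 'sh -c' hands a whole shell to the elevated label or uid, so for a
single append 'echo blah | sudo tee -a foo' keeps the privileged process
down to tee(1); and the same parent-resolves-it rule applies to '<', '|'
and '2>', not just '>>'.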