Blocking root from changing labels

Chris Wright chrisw at osdl.org
Tue Sep 21 05:29:12 GMT 2004


* Payment Online (snacktime2 at gmail.com) wrote:
> Are there practical methods of blocking root from changing biba/mls
> labels on objects?  Right now I'm thinking of disabling su and only
> allowing root to login at the console.
> 
> Also, if anyone wants to comment on my first attempt at using MAC to
> protect a database server.  I loaded the partition and biba modules,
> setting most of the system at biba/high, the network interface at
> biba/equal(equal-equal), and /var and /tmp at biba/equal.  I also set
> some of the /dev entries at biba/equal.  The database server user
> label is biba/low, and all the database files are biba/low.  Now this
> seems to pretty much lock any other user from getting any access to
> the database files directly, but what am I really gaining by using MAC
> in this setup that I couldn't do with ordinary file permissions?

Ordinary file permissions are discretionary.  So, you've added a
_mandatory_ access control scheme which can limit exploit exposure beyond
what the DAC bits can do.  This could be especially useful if the machine
is providing multiple services (not just database server).

> I guess one thing would be that if there was a bug or misuse of
> postgresql that elevated its permissions to root, the biba labels
> would block that.

Yup.  Although, my experience is that this is not the likely attack
vector.  In fact, it's often the database itself that contains the
valuable information.  The database processes will require read/write
privilege access to the files (or raw block devices) that contain the
tablespaces/table data.  And it's now up to the applications accessing the
database to be secure.  Esp. in the case of a multi-tiered architecture,
where an application (which could be a poorly coded set of CGI scripts
on an app server) could be tricked via typical sql-injection attacks to
commit bogus transactions.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
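
Added example (not part of the original message and not FreeBSD's mac_biba code): a simplified model of the Biba read/write rules applied to the labels described in the thread. It assumes only the low/high/equal grades with no compartments, and the subject names and file paths are constructed for illustration. It shows that the decision depends on labels rather than uid, and that the biba/low database process keeps read/write access to its own biba/low files.

```python
# Simplified model of Biba integrity checks (added example; not FreeBSD code).
# Assumption: only the low/high/equal grades are modelled, no compartments.
LOW, HIGH, EQUAL = "biba/low", "biba/high", "biba/equal"
GRADE = {LOW: 0, HIGH: 1}


def dominates(a, b):
    """True if label a has at least the integrity grade of label b."""
    return GRADE[a] >= GRADE[b]


def allowed(subject, obj, op):
    """Decide 'read' or 'write' from the labels alone; uid is never consulted."""
    if EQUAL in (subject, obj):
        return True                      # biba/equal is exempt from the policy
    if op == "read":
        return dominates(obj, subject)   # no read down
    if op == "write":
        return dominates(subject, obj)   # no write up
    raise ValueError(f"unknown operation: {op}")


# Constructed labels following the setup described in the thread.
# All paths and subject names below are hypothetical.
OBJECTS = {
    "/bin/sh": HIGH,
    "/etc/master.passwd": HIGH,
    "/tmp/scratch": EQUAL,
    "/usr/local/pgsql/data/base": LOW,
}
SUBJECTS = {"postgres": LOW, "admin_shell": HIGH}


def decision_table():
    """Return {(subject, object, op): bool} for every combination."""
    return {
        (s, o, op): allowed(s_label, o_label, op)
        for s, s_label in SUBJECTS.items()
        for o, o_label in OBJECTS.items()
        for op in ("read", "write")
    }


if __name__ == "__main__":
    for (s, o, op), ok in sorted(decision_table().items()):
        print(f"{s:12} {op:5} {o:28} {'allow' if ok else 'deny'}")
```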

More information about the trustedbsd-discuss mailing list