tech-kern archive


Re: /sbin/reboot and secmodel



Steven M. Bellovin wrote:

What occurs to me is to use secmodel to restrict or grant access to the
user-level program that does the shutdown -- that would avoid moving
too much goo to the kernel.

One thing that bothers me with granting access to the program is a
scenario where someone with privilege to reboot is trying to leverage
that privilege to kill arbitrary (or, given the way the killing is done,
specific) processes -- and stopping the program right before reboot(2)
is called.

As long as these phases of the reboot process are done in userland, I
think "reboot" implies "arbitrary process killing". Not sure how
much of a *real* issue that is :) but it's there.

Another thing to remember is that the secmodel in question works on
authorizing specific users -- not programs -- to have special privilege,
so it's up to Emmanuel to decide whether that solution would work
for his needs or not.

-e.

