Subject: Re: SE Linux vs SE NetBSD !!
To: Elad Efrat <elad@netbsd.org>
From: Travis H. <solinym@gmail.com>
List: tech-security
Date: 08/25/2006 16:51:07
On 8/25/06, Elad Efrat <elad@netbsd.org> wrote:
> Is moving data between classification levels/networks a big problem for
> the NetBSD userbase? Or, for the majority of any other mainstream OSes'
> userbase?

Well, are any NetBSD systems used in e-commerce or ebanking?

If so, I would want them to protect my financial data the best they could.

Sadly, it seems somewhat common that they leave CC#s in an
easily-readable log file.  All it takes is some buggy PHP code and
poof, they're the apache user, and they've got read access to the
data.  Sometimes they don't need a shell, just a way to read the file
from within PHP.  I don't recall if SELinux has the capability of
granting append-only access, but even if it doesn't you could write a
little "log append" program and grant execute and change domain access
to it and then the apache user ID could be denied direct access to the
file (you can think of it like a small SUID application, except you'd
be doing it with domains instead of UIDs).  I know this isn't a
perfect example, in that you could do it with UIDs or maybe with
append-only attributes on the logfile, so please don't focus on
nitpicking the example; it's the best I could think of on short
notice.

Creating bogus UIDs for containing privileges is a bit of a hassle.
If you don't set a valid shell, certain commands (like su and sudo)
won't allow you to execute commands as that user, and if you do, then
it opens up other opportunities, and managing these bogus UIDs gets
difficult if you're also trying to use NIS or LDAP.  I'm sorry this
complaint isn't well thought-out, but it is making my heterogeneous
migration to LDAP at home rather painful.  To change UIDs, you have to
traverse the entire file system and remap them, and that's not
necessary if you are using MAC to do your privilege separation.
-- 
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484