Date:      Mon, 5 Jan 2004 09:28:33 +0200
From:      Peter Pentchev <roam@ringlet.net>
To:        Jaroslaw Nozderko <jarek@eko.net.pl>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Questions about MAC
Message-ID:  <20040105072833.GA691@straylight.m.ringlet.net>
In-Reply-To: <200401030050.24139.jarek@eko.net.pl>
References:  <200401030050.24139.jarek@eko.net.pl>

On Sat, Jan 03, 2004 at 12:50:24AM +0100, Jaroslaw Nozderko wrote:
> FreeBSD 5.1-RELEASE
>
> Hi,
>
> I'm examining Biba and MLS MAC policies and something is
> not clear for me. Unless I'm doing something wrong,
> it seems policies are enforced only for reading, but
> not writing.
>
> 1) Biba
>
> I've created test file with biba/127 label:
>
> $ echo "Message" > file_biba_127.txt
>
> $ setfmac biba/127 file_biba_127.txt
[snip]
> - Writing:
>
> $ setpmac biba/high echo "High" >> file_biba_127.txt
>
> $ setpmac biba/128 echo "128" >> file_biba_127.txt
>
> $ setpmac biba/127 echo "127" >> file_biba_127.txt
>
> -- Should the following 2 commands succeed ?
> $ setpmac biba/126 echo "126" >> file_biba_127.txt
> $ setpmac biba/low echo "low" >> file_biba_127.txt

What happens if you try:

  setpmac biba/126 sh -c 'echo "126" >> file_biba_127.txt'
  setpmac biba/low sh -c 'echo "126" >> file_biba_127.txt'

Using your commands, the policy set by setpmac(8) only applies to the
echo command itself, not to the attempt to write to the file.  The file
appending is handled by your shell - all redirections are handled by the
shell - and the shell is *not* subject to policy restrictions set by its
own child processes.

This is the same "issue" that you can see by trying the following:

[roam@straylight ~]> whoami
roam
[roam@straylight ~]> who am i
roam             ttyp3     5 Яну 08:42 (10.0.12.18:S.3)
[roam@straylight ~]> id
uid=1000(roam) gid=0(wheel) groups=0(wheel), 5(operator)
[roam@straylight ~]> sudo touch foo
otp-md5 452 st7459 ext
Password:
[roam@straylight ~]> sudo chmod 600 foo
[roam@straylight ~]> cat foo
cat: foo: Permission denied
[roam@straylight ~]> sudo echo blah >> foo
foo: Permission denied.
[roam@straylight ~]> sudo sh -c 'echo blah >> foo'
[roam@straylight ~]> cat foo
cat: foo: Permission denied
[roam@straylight ~]> sudo cat foo
blah
[roam@straylight ~]>

The 'sudo echo blah >> foo' command does not succeed, since the
redirection is attempted by my own shell still running as my own
account, 'roam', which does not have write access to the new file; only
the 'echo blah' command is executed with root privileges.  The next
attempt, executing a shell to perform the redirection, succeeds.

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
I've heard that this sentence is a rumor.
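To make the mechanism Peter describes concrete, here is an added C example (not part of the original mail) that does what a shell does for `cmd >> file`: fork, open the file for append in the child, dup2 it onto stdout, then exec. The open() happens before the exec, so it runs with the caller's own uid and MAC label; whatever the exec'd command later does (sudo, setpmac) cannot retroactively change who opened the file. The `/tmp` path in the test is a constructed value.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv[] with stdout appended to path, the way a shell runs
 * "cmd >> path".  The open() happens in the forked child *before*
 * execvp(), so it is performed with the caller's own credentials;
 * sudo/setpmac only change the identity of the program exec'd after it.
 * Returns the child's exit status (1 if the open failed), or -1. */
int run_with_append(const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Still the caller's identity here: this is where the
         * "Permission denied" in the mail comes from. */
        int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0644);
        if (fd < 0) {
            perror(path);
            _exit(1);
        }
        if (dup2(fd, STDOUT_FILENO) < 0)
            _exit(1);
        close(fd);
        execvp(argv[0], argv);   /* privileges could change only from here on */
        perror(argv[0]);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Read back up to bufsize-1 bytes of path into buf (NUL-terminated).
 * Returns the number of bytes read, or -1 if the file cannot be opened. */
ssize_t read_file(const char *path, char *buf, size_t bufsize)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, bufsize - 1);
    close(fd);
    if (n >= 0)
        buf[n] = '\0';
    return n;
}
```

Wrapping the whole thing in `sh -c '...'` moves both the open() and the echo into the privileged (or relabelled) process, which is why Peter's second form works.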
