From: Peter Pentchev
To: Jaroslaw Nozderko
Cc: freebsd-security@freebsd.org
Date: Mon, 5 Jan 2004 09:28:33 +0200
Subject: Re: Questions about MAC

On Sat, Jan 03, 2004 at 12:50:24AM +0100, Jaroslaw Nozderko wrote:
> FreeBSD 5.1-RELEASE
>
> Hi,
>
> I'm examining Biba and MLS MAC policies and something is
> not clear for me.
> Unless I'm doing something wrong,
> it seems policies are enforced only for reading, but
> not writing.
>
> 1) Biba
>
> I've created test file with biba/127 label:
>
> $ echo "Message" > file_biba_127.txt
>
> $ setfmac biba/127 file_biba_127.txt
[snip]
> - Writing:
>
> $ setpmac biba/high echo "High" >> file_biba_127.txt
>
> $ setpmac biba/128 echo "128" >> file_biba_127.txt
>
> $ setpmac biba/127 echo "127" >> file_biba_127.txt
>
> -- Should the following 2 commands succeed?
> $ setpmac biba/126 echo "126" >> file_biba_127.txt
> $ setpmac biba/low echo "low" >> file_biba_127.txt

What happens if you try:

  setpmac biba/126 sh -c 'echo "126" >> file_biba_127.txt'
  setpmac biba/low sh -c 'echo "126" >> file_biba_127.txt'

Using your commands, the policy set by setpmac(8) only applies to the
echo command itself, not to the attempt to write to the file. The file
appending is handled by your shell - all redirections are handled by
the shell - and the shell is *not* subject to policy restrictions set
by its own child processes.

This is the same "issue" that you can see by trying the following:

  [roam@straylight ~]> whoami
  roam
  [roam@straylight ~]> who am i
  roam ttyp3 5 Яну 08:42 (10.0.12.18:S.3)
  [roam@straylight ~]> id
  uid=1000(roam) gid=0(wheel) groups=0(wheel), 5(operator)
  [roam@straylight ~]> sudo touch foo
  otp-md5 452 st7459 ext
  Password:
  [roam@straylight ~]> sudo chmod 600 foo
  [roam@straylight ~]> cat foo
  cat: foo: Permission denied
  [roam@straylight ~]> sudo echo blah >> foo
  foo: Permission denied.
  [roam@straylight ~]> sudo sh -c 'echo blah >> foo'
  [roam@straylight ~]> cat foo
  cat: foo: Permission denied
  [roam@straylight ~]> sudo cat foo
  blah
  [roam@straylight ~]>

The 'sudo echo blah >> foo' command does not succeed, since the
redirection is attempted by my own shell still running as my own
account, 'roam', which does not have write access to the new file;
only the 'echo blah' command is executed with root privileges.
The next attempt, executing a shell to perform the redirection, succeeds.

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
I've heard that this sentence is a rumor.
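
Added example (not part of the original message): the same effect reproduced without sudo or the MAC framework, using the umask as a stand-in for the label or uid that the wrapper changes. The helper name with_umask and the file names are assumptions made for this illustration.

```shell
#!/bin/sh
# umask stands in here for the Biba label or uid that setpmac(8) or
# sudo(8) would change: a per-process attribute that a wrapper gives to
# the command it starts. The file's mode then shows who opened it.

# Hypothetical helper: run a command under a different umask. The
# subshell keeps the change away from the calling shell.
with_umask() {
    mask=$1; shift
    ( umask "$mask"; "$@" )
}

# Print a file's permission bits (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Redirection written outside the wrapper: the calling shell creates the
# file before the wrapper runs, so the wrapper's umask never applies.
redirect_outside() {
    with_umask 077 echo "outside" > "$1/outside.txt"
    mode_of "$1/outside.txt"
}

# Redirection moved into a shell started by the wrapper: that shell
# opens the file, so the wrapper's umask does apply.
redirect_inside() {
    with_umask 077 sh -c 'echo "inside" > "$1"' sh "$1/inside.txt"
    mode_of "$1/inside.txt"
}

# Run both cases in a scratch directory with a caller umask of 022.
demo() (
    umask 022
    tmp=$(mktemp -d) || exit 1
    echo "redirect outside wrapper: mode $(redirect_outside "$tmp")"
    echo "redirect inside wrapper:  mode $(redirect_inside "$tmp")"
    rm -rf "$tmp"
)

demo
```

With a caller umask of 022 the first file is created with mode 644 and the second with mode 600, which is the same split as 'sudo echo blah >> foo' versus 'sudo sh -c ...' above.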