From owner-freebsd-security@FreeBSD.ORG Wed Jun 12 07:40:48 2013
From: "Dewayne Geraghty" <dewayne.geraghty@heuristicsystems.com.au>
Cc: freebsd-security@freebsd.org
Subject: RE: libarchive and MAC labels
Date: Wed, 12 Jun 2013 17:40:22 +1000
Message-ID: <62DD3F47DDCD4105AC023171CCF8BDA2@white>
List-Id: "Security issues [members-only posting]"

> -----Original Message-----
> From: owner-freebsd-security@freebsd.org
> [mailto:owner-freebsd-security@freebsd.org] On Behalf Of priit@cc.ttu.ee
> Sent: Tuesday, 11 June 2013 1:10 AM
> To: freebsd-security@freebsd.org
> Subject: libarchive and MAC labels
>
> I've created a patch for libarchive that allows storing and
> restoring MAC labels from/to a multilabel filesystem using
> bsdtar. Now before going anywhere with this I had a few questions:
>
> - how much general interest is there in such a feature? Would
> this be a welcome addition to libarchive, either "upstream"
> or as integrated in the system source tree? I would be
> especially interested in the opinion of people who have
> already been involved with the MAC development.
>
> - right now the labels are stored silently, similar to ACLs
> and extended attributes. They are not extracted by default,
> only when the '-p' option is specified (default as root).
> This seems consistent; however, it would also be possible to
> add a switch so that the labels wouldn't be archived unless
> explicitly requested.
>
> - the labels are stored in text representation, as converted
> by mac_to_text(). This could potentially cause some future
> breakage, if the text representation ever changes. Also,
> restoring a label partially (let's say a biba+MLS label with
> only biba enabled) does not work. Any thoughts on that?
>
> Thanks,
> Priit.

Priit,

Thank you for addressing a significant backup/recovery shortcoming.
I've used biba extensively; however, if files/directories are backed up with MLS+biba and recovered in a biba-only environment, that is the sysadmin's choice. Warning messages are fine, but the restoration should continue (if possible).

Regards,
Dewayne.
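What a "warn but continue" restore of a composite label could look like, as an added example that is not code from Priit's patch, from libarchive, or from anyone in this thread. It splits the mac_to_text() text form into its per-policy elements and, when the kernel refuses the label as a whole, sets each element on its own and reports the ones it cannot restore, which is the biba+MLS label on a biba-only host that Priit and Dewayne discuss. On FreeBSD the set step is the real mac_from_text(3) and mac_set_file(3); on other systems a constructed stand-in (the sim_enabled globals) plays the kernel so the logic can be exercised anywhere. The function names mac_label_split and mac_label_restore, the element-wise fallback, and the assumption that the kernel rejects an element of an unloaded policy with EINVAL are mine, not the patch's; only the maclabel(7) text format "policy/value[,policy/value...]" is taken from FreeBSD.

```c
/* Added example, not Priit's patch or libarchive code.  Label text is the
 * maclabel(7) form "policy/value[,policy/value...]".  Assumption: a kernel
 * without a policy rejects that element with EINVAL; off FreeBSD the kernel
 * is simulated by the constructed sim_* globals below. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __FreeBSD__
#include <sys/mac.h>
#endif

#define MAX_ELEMS    8
#define MAX_ELEM_LEN 128

/* Split "biba/high,mls/low" into per-policy elements; count, or -1 if malformed. */
int mac_label_split(const char *label, char elems[][MAX_ELEM_LEN], int max)
{
    const char *p = label;
    int n = 0;
    if (label == NULL || *label == '\0') return -1;
    for (;;) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        const char *slash = memchr(p, '/', len);
        if (len == 0 || len >= MAX_ELEM_LEN || n >= max) return -1;
        if (slash == NULL || slash == p || (size_t)(slash - p) == len - 1)
            return -1;              /* policy and value must both be non-empty */
        memcpy(elems[n], p, len);
        elems[n++][len] = '\0';
        if (comma == NULL) return n;
        if (*(p = comma + 1) == '\0')
            return -1;              /* trailing comma */
    }
}

/* Simulated set of loaded policies: biba yes, mls no (constructed; non-FreeBSD). */
const char *sim_enabled[MAX_ELEMS] = { "biba" };
int sim_enabled_count = 1;

/* Apply one label text (an element or a full composite) to path: 0, or -1+errno. */
static int apply_label(const char *path, const char *text)
{
#ifdef __FreeBSD__
    mac_t mac;
    int rc;
    if (mac_from_text(&mac, text) != 0)
        return -1;
    rc = mac_set_file(path, mac);
    mac_free(mac);
    return rc;
#else
    /* Like the kernel: every element must be claimed by a loaded policy. */
    char elems[MAX_ELEMS][MAX_ELEM_LEN];
    int n = mac_label_split(text, elems, MAX_ELEMS);
    (void)path;
    for (int i = 0; i < n; i++) {
        size_t plen = strcspn(elems[i], "/");
        int claimed = 0;
        for (int j = 0; j < sim_enabled_count; j++)
            if (strlen(sim_enabled[j]) == plen &&
                strncmp(sim_enabled[j], elems[i], plen) == 0)
                claimed = 1;
        if (!claimed) n = -1;       /* ends the loop and fails the label */
    }
    if (n < 0) errno = EINVAL;
    return n < 0 ? -1 : 0;
#endif
}

/* Restore a composite label: try it whole, then fall back to one element at a
 * time, warning about (and counting in *skipped) the ones the kernel refuses
 * instead of aborting.  Returns elements applied, or -1 if the text is malformed. */
int mac_label_restore(const char *path, const char *label, int *skipped)
{
    char elems[MAX_ELEMS][MAX_ELEM_LEN];
    int n = mac_label_split(label, elems, MAX_ELEMS), applied = 0;
    *skipped = 0;
    if (n < 0) {
        fprintf(stderr, "%s: malformed MAC label '%s'\n", path, label);
        return -1;
    }
    if (apply_label(path, label) == 0)
        return n;
    for (int i = 0; i < n; i++) {
        if (apply_label(path, elems[i]) == 0) { applied++; continue; }
        fprintf(stderr, "%s: warning: cannot restore label element '%s': %s\n",
                path, elems[i], strerror(errno));
        (*skipped)++;
    }
    return applied;
}

/* Demo: on FreeBSD run as root with a path on a multilabel filesystem. */
int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp/restored-file";
    int skipped, applied = mac_label_restore(path, "biba/high,mls/low", &skipped);
    printf("%s: applied %d label element(s), skipped %d\n", path, applied, skipped);
    return applied < 0;
}
```

Trying the whole label first keeps the common case (all policies loaded) to a single mac_set_file call, and only a refused label pays for the per-element retry; an extractor would call mac_label_restore once per entry, after the file's data and mode have been written, and treat a non-zero skipped count as a warning rather than an error, which is the behaviour Dewayne asks for above.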