Date: Sun, 7 Apr 2013 23:44:49 GMT
From: "Kevin P. Barry" <ta0kira@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: docs/177699: Documentation (handbook and manpage) for mac_biba doesn't mention its impacts on root privileges.
Message-ID: <201304072344.r37NinjR043593@red.freebsd.org>
Resent-Message-ID: <201304072350.r37No0v3022101@freefall.freebsd.org>
>Number: 177699
>Category: docs
>Synopsis: Documentation (handbook and manpage) for mac_biba doesn't mention its impacts on root privileges.
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: doc-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Apr 07 23:50:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Kevin P. Barry
>Release: 9.1-RELEASE amd64
>Organization:
>Environment:
>Description:
The documentation for mac_biba (`man mac_biba` and http://www.freebsd.org/doc/en/books/handbook/mac-biba.html) completely neglects to mention that certain root privileges are lost if a process cannot attain biba/equal. A few examples of those privileges: setting the login class of a process; changing audit settings with auditon(2). Importantly, the latter prevents users from using su and sudo if their MAC label isn't compatible with biba/equal.

Whether or not this is a core feature of the FreeBSD Biba implementation, users should be made aware of it up front in the documentation. I figured it out because I'm well-versed in C and I spent a few days tracking down why I couldn't use su and sudo; however, the majority of FreeBSD users probably aren't C programmers.
>How-To-Repeat:
Please note that the steps below reproduce one of the *undocumented* behaviors of mac_biba. The problem is the lack of documentation, not the behavior.

- Enable mac_biba.
- Given a username "user", try `setpmac 'biba/high(high-high)' su user true`. You should get "Permission denied", as well as a message referencing auditon failure in /var/log/messages.
>Fix:
The list of privileges lost if the process cannot attain biba/equal is available in biba_priv_check (/usr/src/sys/security/mac_biba/mac_biba.c:1868). Additionally, everywhere the biba_subject_privileged function is used in mac_biba.c indicates some sort of kernel functionality that is blocked.
>Release-Note:
>Audit-Trail:
>Unformatted:
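Added example, not FreeBSD's or the reporter's code: a small Python model of the mac_biba label syntax and of the privilege rule the report describes, so an administrator can tell from a label string (for example the one in login.conf) whether the priv-checked root operations such as auditon(2) will still work. It assumes two things about the kernel policy: priv checks pass only when the effective element is equal, and a credential may be relabeled to equal only if its label already contains equal; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Element:
    kind: str                   # "low", "high", "equal" or "grade"
    grade: int = 0
    compartments: frozenset = frozenset()

def parse_element(text):
    """One label element: low | high | equal | <grade>[:<c>+<c>...]."""
    text = text.strip()
    if text in ("low", "high", "equal"):
        return Element(text)
    m = re.fullmatch(r"(\d+)(?::(\d+(?:\+\d+)*))?", text)
    if not m:
        raise ValueError(f"bad biba element: {text!r}")
    comps = frozenset(int(c) for c in m.group(2).split("+")) if m.group(2) else frozenset()
    return Element("grade", int(m.group(1)), comps)

def dominates(a, b):
    """Biba dominance: equal matches anything, high beats all, low loses to
    all, else grade >= grade and b's compartments are a subset of a's."""
    if "equal" in (a.kind, b.kind) or a.kind == "high" or b.kind == "low":
        return True
    if a.kind == "low" or b.kind == "high":
        return False
    return a.grade >= b.grade and b.compartments <= a.compartments

def parse_label(label):
    """'biba/high(low-high)' -> (effective, (rangelow, rangehigh) or None)."""
    m = re.fullmatch(r"biba/([^()\s]+)(?:\(([^-)]+)-([^)]+)\))?", label.strip())
    if not m:
        raise ValueError(f"bad biba label: {label!r}")
    eff, rng = parse_element(m.group(1)), None
    if m.group(2) is not None:
        rng = (parse_element(m.group(2)), parse_element(m.group(3)))
        # A well-formed label keeps its effective element inside its range.
        if not (dominates(rng[1], rng[0]) and dominates(eff, rng[0]) and dominates(rng[1], eff)):
            raise ValueError(f"effective element outside range: {label!r}")
    return eff, rng

def keeps_root_privs(label):
    """Assumed rule (see lead-in): the privileges the report lists survive only
    if 'equal' is already present in the effective element or the range."""
    eff, rng = parse_label(label)
    return eff.kind == "equal" or (rng is not None and any(e.kind == "equal" for e in rng))
```

For the label in the report's repro step, `keeps_root_privs("biba/high(high-high)")` returns False, matching the observed su failure.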
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201304072344.r37NinjR043593>
