From owner-freebsd-security@FreeBSD.ORG Sat Oct 14 08:50:23 2006
From: "Zhang Ye"
To: "'Borja Marcos'"
Cc: freebsd-security@freebsd.org
Date: Sat, 14 Oct 2006 16:50:09 +0800
Message-ID: <000601c6ef6d$c50dfda0$0b00a8c0@zhangamuufcjz4>
In-Reply-To: <588E5B66-F621-4639-9F56-A65A2DFC471A@SARENET.ES>
Subject: Re: Proposal: MAC_BIBA and real-world usage

Hello Borja,

I think you may use the "multilabel" with the combination of both the Biba and Bell-LaPadula (Multi-Level) access control models to overcome it (just like Lipner's). And it SHOULD have a discretionary mechanism in the Bell-LaPadula model, but I don't know whether or not it is in FreeBSD.

Moreover, Biba (and Bell-LaPadula) is more suitable in the army scenario. And there are many models, such as the "Chinese Wall" model, for the commerce environment. They are more flexible.

Zhang Ye

-----original message-----

Hello,

Are there many people actually using the MAC subsystem in the real world? I have been working to set up a shared hosting webserver and I've stumbled against some limitations with the BIBA policy.

In short, it's an excellent model, and can be used successfully if applications are aware of its existence, but I find it incompatible with the real-world needs in Unix, and, worse, when none of the applications we are using are prepared to take advantage of it. So it should be as transparent as possible.

I started the project with some goals:

1) Users are kept isolated. This isn't so obvious, as by design Apache should run as an unprivileged user. The mac_bsdextended policy can implement an additional layer of security. In my case, hosting users are given uids belonging to an interval, and there is a ugidfw rule that states that subjects with a uid within that range can only access objects belonging to the same user in case their uid is within the interval as well. I didn't use MAC compartments because there is a limit on the number of compartments.

Users are allowed to run CGIs and PHP scripts, and PHP is run as a CGI, so that each process will have the uid of its owner. Launching PHP as a CGI hurts performance, but this is a server for relatively low-volume sites, and security is much more important.

2) OS Integrity. Apache is launched with biba/low(low-low) credentials.

3) Defacements should be prevented. At least processes spawned from Apache should not be able to modify any files in the system, except at designated directories in case PHP scripts or CGI programs need to write something to the disk. This is naturally done with MAC_BIBA. We launch Apache with biba/low(low-low) credentials.

4) FTP access for site maintenance. We assign each user an account, which will be used to update their files. The ftp accounts have a low integrity credential assigned, but anyway higher than biba/low so that files uploaded by users are safe from being modified by Apache.

However, this has a problem: files created/modified from PHP and/or CGIs will be labelled biba/low. And the ftp process, with, say, biba/100, will be unable to read them. We could create two user accounts per user but it's just too confusing and error prone.

What about adding a discretionary mechanism to MAC_BIBA? It would be useful to have the possibility of implementing half of the BIBA protection, preventing high integrity objects from being modified by low integrity subjects, but allowing high integrity subjects to read low-integrity objects.

Of course it weakens the BIBA model, but used wisely it could really help. Instead of a global sysctl flag, which would disable one of the great BIBA features, it could be done selectively for some processes (in my case, ftp accounts) specifying a negative value.

So, a subject with biba/-N would be:

- unable to modify objects with a higher than N integrity level
- able to read objects with a lower than N integrity level, instead of being limited to objects with an integrity level equal to N.

What do you think? Any ideas?

Borja.

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
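The Biba checks Borja's message relies on, the ugidfw uid-interval isolation rule, and his proposed biba/-N read-down relaxation, modelled as an added Python example (not code from the thread or from FreeBSD's mac_biba; the integer labels and the uid interval bounds are assumptions):

```python
from dataclasses import dataclass

# Assumed uid interval for hosting users (the thread names an interval, not its bounds).
HOSTING_UIDS = range(10000, 20000)


@dataclass(frozen=True)
class Subject:
    """A process with a Biba label: 0 is biba/low, 100 is biba/100, and a
    negative value -N is the proposed biba/-N (integrity N, read-down allowed)."""
    name: str
    label: int

    @property
    def level(self) -> int:
        return abs(self.label)


def can_write(subj: Subject, obj_label: int) -> bool:
    # Biba "no write up": only objects at or below the subject's integrity may be modified.
    # The proposal keeps this half for biba/-N subjects, so defacement protection survives.
    return obj_label <= subj.level


def can_read(subj: Subject, obj_label: int) -> bool:
    # Biba "no read down": a strict subject reads only objects at or above its level.
    # A biba/-N subject (negative label) may additionally read lower-integrity objects.
    return True if subj.label < 0 else obj_label >= subj.level


def ugidfw_allows(subj_uid: int, obj_uid: int) -> bool:
    # mac_bsdextended-style rule from the thread: a hosting uid may touch an object owned
    # by a uid in the same interval only if it is its own; other objects are not restricted here.
    if subj_uid in HOSTING_UIDS and obj_uid in HOSTING_UIDS:
        return subj_uid == obj_uid
    return True


def hosting_scenario() -> dict:
    """Apache at biba/low, a PHP CGI output file at biba/low, a site file uploaded at biba/100."""
    apache, ftp_strict, ftp_relaxed = Subject("apache", 0), Subject("ftp", 100), Subject("ftp", -100)
    php_output, site_file = 0, 100
    return {
        "apache_can_deface_site": can_write(apache, site_file),
        "strict_ftp_reads_php_output": can_read(ftp_strict, php_output),
        "relaxed_ftp_reads_php_output": can_read(ftp_relaxed, php_output),
        "relaxed_ftp_modifies_higher": can_write(ftp_relaxed, 200),
    }
```

Running `hosting_scenario()` shows the trade-off in the message: the strict ftp label cannot read what PHP wrote, while biba/-100 reads it yet still cannot modify anything above integrity 100.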