Date: Wed, 7 Jan 2004 15:34:56 -0500 (EST)
From: Robert Watson
To: Peter Pentchev
In-Reply-To: <20040105072833.GA691@straylight.m.ringlet.net>
cc: freebsd-security@freebsd.org
cc: Jaroslaw Nozderko
Subject: Re: Questions about MAC

On Mon, 5 Jan 2004, Peter Pentchev wrote:

> The 'sudo echo blah >> foo' command does not succeed, since the
> redirection is attempted by my own shell still running as my own
> account, 'roam', which does not have write access to the new file; only
> the 'echo blah' command is executed with root privileges. The next
> attempt, executing a shell to perform the redirection, succeeds.

FYI, sudo hasn't been modified to set MAC labels, so if you do use sudo,
use it carefully. It might make sense to stick sudo in the base tree
someday (Apple does this with Darwin), and if so, it would be ripe for the
picking when it comes to adding MAC support. Your diagnosis of the
redirect running with the wrong label sounds correct to me, also FYI. :-)

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research
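
The redirection behaviour diagnosed in the message above, as an added example that is not part of the original thread. `as_restricted` is a hypothetical stand-in for sudo and umask stands in for the credential or MAC label, so the script runs without root or a MAC policy loaded.

```shell
#!/bin/sh
# Added illustration. as_restricted is a hypothetical stand-in for sudo:
# it runs its arguments in a child whose process attribute differs from
# the caller's. umask 077 plays the role of the new credential or label.
as_restricted() {
    ( umask 077; "$@" )
}

# Permission string of a file, e.g. "-rw-r--r--".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

demo() {
    dir=$(mktemp -d) || return 1
    umask 022

    # Like `sudo echo blah >> foo`: the calling shell opens and creates
    # the target before the wrapper starts, so the file carries the
    # caller's attributes, not the wrapper's.
    as_restricted echo blah >> "$dir/outer"

    # Like `sudo sh -c 'echo blah >> foo'`: the shell started by the
    # wrapper performs the redirection, so the wrapper's attributes apply.
    as_restricted sh -c 'echo blah >> "$1"' sh "$dir/inner"

    outer_mode=$(mode_of "$dir/outer")
    inner_mode=$(mode_of "$dir/inner")
    rm -rf "$dir"
    echo "$outer_mode $inner_mode"
}

demo
```

The first file is created with the caller's umask and the second with the wrapper's, which is the same split that leaves a redirect target opened under the invoking shell's label rather than the one the command runs with.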