From: Borja Marcos
Date: Tue, 9 May 2006 18:22:05 +0200
To: doc@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: Errors in the FreeBSD handbook (MAC framework)

(crossposted to freebsd-security just in case someone has to slap me) :)

Hello,

I'm doing some work with the MAC subsystem in FreeBSD, and I have spotted some errors in the MAC documentation in the handbook.

1- Section 15.14.4. Error in the example dropping users "nagios" and "www" into the insecure class. The example uses the command "pw usermod nagios -L default" when it should obviously be "pw usermod nagios -L insecure". The same holds for the "www" user.

2- Section 15.14.6. The example script launches the commands "apachectl", and "/usr/local/etc/rc.d/nagios.sh" with the label biba/10, but they should be launched with the label biba/10(10-10).

I've defined the "default" login class with a label of "biba/high". I log in to the machine as root, and...

-----
# getpmac
biba/high(low-high)
# setpmac biba/low getpmac
biba/low(low-high)
# setpmac biba/low setpmac biba/high getpmac
biba/high(low-high)

So, if I launch a process with a "setpmac biba/low", it actually inherits a label of "biba/low(high-low)", being able to recover its biba/high setting, something that wouldn't be desirable. However, launching it with a label of "biba/low(low-low)" effectively downgrades the process forever:

# setpmac "biba/low(low-low)" getpmac
biba/low(low-low)
# setpmac "biba/low(low-low)" setpmac biba/high getpmac
biba/high: Operation not permitted

Best regards,

Borja.
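
The relabel behaviour reported in the message above, as an added example that is not part of the original post and is not FreeBSD's mac_biba code: a simplified Python model in which a label given without a range keeps the parent's range, and a relabel is allowed only inside the current range. The Subject class, its method names and the ordering low < numeric grades < high are assumptions of this sketch; compartments, biba/equal and privilege checks are not modelled.

```python
import re

# Assumed grade ordering for this model: low < 0..65535 < high.
LOW, HIGH = -1, 65536
LABEL = re.compile(r"biba/(\w+)(?:\((\w+)-(\w+)\))?$")

def grade(tok):
    """Map a grade token ('low', 'high' or a number) to a comparable int."""
    return {"low": LOW, "high": HIGH}.get(tok) if tok in ("low", "high") else int(tok)

def name(g):
    return {LOW: "low", HIGH: "high"}.get(g, str(g))

class Subject:
    """A process credential: effective grade plus the range it may move in."""

    def __init__(self, label):
        eff, lo, hi = LABEL.match(label).groups()
        self.eff, self.lo, self.hi = grade(eff), grade(lo), grade(hi)

    def label(self):
        return f"biba/{name(self.eff)}({name(self.lo)}-{name(self.hi)})"

    def setpmac(self, label):
        """Model of 'setpmac <label> <cmd>': return the child's credential."""
        eff, lo, hi = LABEL.match(label).groups()
        eff = grade(eff)
        # A partial label (no range given) inherits the parent's range.
        lo = self.lo if lo is None else grade(lo)
        hi = self.hi if hi is None else grade(hi)
        # New range must sit inside the old one, new grade inside the new range.
        if not (self.lo <= lo <= hi <= self.hi and lo <= eff <= hi):
            raise PermissionError(f"{label}: Operation not permitted")
        return Subject(f"biba/{name(eff)}({name(lo)}-{name(hi)})")

def can_return_to(subject, label):
    """True if a process holding `subject` could relabel itself to `label`."""
    try:
        subject.setpmac(label)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    root = Subject("biba/high(low-high)")        # login class label from the post
    for launch in ("biba/low", "biba/low(low-low)", "biba/10", "biba/10(10-10)"):
        child = root.setpmac(launch)
        print(f"{launch:20} -> {child.label():22} "
              f"can regain biba/high: {can_return_to(child, 'biba/high')}")
```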