filesystem access security

hurd-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

filesystem access security

From:	Marcus Brinkmann
Subject:	filesystem access security
Date:	Sun, 12 Oct 2003 15:42:15 +0200
User-agent:	Mutt/1.5.4i

Hi,

when I was in Karlsruhe to meet some other guys, Wolfgang (I think) had the
following idea about improving the security of the filesystem access in the
Hurd.  The test case is a firmlink to / in /tmp, created by a malicious
user, and "rm -fR /tmp/*".  Of course, we have a special routine in our boot
script to clean tmp, but are we going to rewrite Unix system administration
manuals?  Are we going to fix all scripts which access user's home
directories for writing, starting from deluser?

There is something inherently suspicious about accessing other, untrusted
people's filesystems.  And we better have a way to make it possible to
ensure that it is not going to happen.

So, the idea was that you can specify the list of users you trust.  By
default, this would be root, and yourself.  Maybe a special range of user
ids that are "system users" (1-9999 on Debian, for example).  You can
grant/restrict access by setting an environment variable, and glibc will
then use this list of users to check if a translated should be looked up
resolving the translator, or ignoring it.  The idea is that if root uses the
default setting, he will not see any user's translators transparently, and
rm -fR can never harm him.

Other users who cooperate can trust each other, and see each others
translators.  A similar feature could be provided for groups, and
appropriate rules defined.

This requires that glibc always does a secure lookup, and then inspects the
node to decide if it wants to resolve the translator or not.  This adds a
small cost to all cross-translator lookups, but cross-translator lookups are
expensive already anyway.

I think this is a critical security feature for a real world multi-user
environment.  If you have comments, ideas, etc, I would appreciate to hear
about it.

Thanks,
Marcus


-- 
`Rhubarb is no Egyptian god.' GNU      http://www.gnu.org    address@hidden
Marcus Brinkmann              The Hurd http://www.gnu.org/software/hurd/
address@hidden
http://www.marcus-brinkmann.de/

[Prev in Thread]

Current Thread

[Next in Thread]

filesystem access security, Marcus Brinkmann <=

Prev by Date: io_identity?
Next by Date: Re: io_identity?
Previous by thread: io_identity?
Index(es):
- Date
- Thread