[rsbac] Reply: Re: [rsbac] role set ff flags?
rsbac@rsbac.org
Thu Nov 28 08:21:01 2002
Like RedHat. /var/lib/rpm

Some time ago I tried to play with FF settings to achieve the same result. It is very
good for additional security but not as flexible as RC. I suggest you
try to do the same with RC. Create a new FD like VAR_FD. Set it to /var.
Give everybody the same rights as with FF. Create a new FD, e.g. VAR_AP_FD,
for /var/adm/packages and a new role like RPM_RC for your packet manager.
Set up the necessary rights. No one but your packet manager will be able to
write and modify this directory. See Amon's description on www.rsbac.org

By the way: setting and unsetting FF flags works OK, but what happens in the
meantime? Some malicious code could do severe damage to your system. I
think setting flags on the fly is perhaps not the best solution. And do not
forget: if you can switch it off, someone else could also do it.

Best regards,
Gabor
ghorvath@minolta.hu

"Josh Beagley" <j.beagley@student.qut.edu.au>
Sender: rsbac-admin@rsbac.org
2002.11.27 16:18
Please respond to: rsbac
To: rsbac@rsbac.org
Cc:
Subject: Re: [rsbac] role set ff flags?

> On Wednesday, 27. November 2002 15:10, Josh Beagley wrote:
> > I am currently a Slackware user, and ideally wanted to have my /var
> > directories except run and some others set to no_delete_or_rename and
> > no_execute with ff_flags. However the Slackware install programs need write
> > access whenever I choose to install/uninstall packages. Is it possible for
> > a role to set/unset FF flags?
>
> The FF model requires a user with FF role set to Security Officer
> to (un)set flags.
>
> What is the problem here? You can do everything with and inside
> the dir, except rename or delete the dir itself. If the
> installer needs to run programs somewhere below, then you need
> another solution.
>
> Amon.
> --
> http://www.rsbac.org
> _______________________________________________
> rsbac mailing list
> rsbac@rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac

Apologies, I also had append_only. The Slackware installer keeps track of
installed packages by writing the package name to /var/adm/packages and
filling it with the location of files. I was wanting to only have it unset
append_only when the installer was run, and unset append_only and
no_delete_or_rename when the uninstaller was run.
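
The contrast drawn in the reply above, as an added example that is not part of the original message and is not RSBAC code: a simplified Python model in which FF decides on the object's flags alone, while RC decides on the caller's role and the object's type. The role name GENERAL, the rights sets, the flag-to-operation mapping, the most-specific-directory lookup and the sample path are assumptions made for illustration.

```python
# Simplified model (assumption, not RSBAC's implementation) of the two approaches.

# Operations each FF flag blocks in this model; flag names come from the thread.
FF_BLOCKS = {
    "append_only": {"write", "delete", "rename"},
    "no_delete_or_rename": {"delete", "rename"},
    "no_execute": {"execute"},
}

PKG_RECORD = "/var/adm/packages/constructed-pkg-1.0"  # constructed sample path


def longest_prefix(table, path):
    """Return the entry of the most specific directory that covers path."""
    covering = (d for d in table if path == d or path.startswith(d + "/"))
    return table.get(max(covering, key=len, default=None))


def ff_allows(flags_by_dir, op, path):
    """FF decision: looks only at the object's flags, never at who is asking."""
    flags = longest_prefix(flags_by_dir, path) or set()
    return not any(op in FF_BLOCKS[flag] for flag in flags)


def rc_allows(types_by_dir, rights, role, op, path):
    """RC decision: the caller's role must hold the right on the object's type."""
    return op in rights.get((role, longest_prefix(types_by_dir, path)), set())


def ff_window_exposure():
    """Can an arbitrary process overwrite the record before / during an install?"""
    flags = {"/var": {"no_execute"},
             "/var/adm/packages": {"append_only", "no_delete_or_rename"}}
    before = ff_allows(flags, "write", PKG_RECORD)
    flags["/var/adm/packages"] = set()   # flags lifted so the installer can run
    during = ff_allows(flags, "write", PKG_RECORD)  # same answer for every process
    return before, during


def rc_exposure():
    """Who may overwrite the record under a fixed RC policy (no toggling)?"""
    types = {"/var": "VAR_FD", "/var/adm/packages": "VAR_AP_FD"}
    rights = {
        ("RPM_RC", "VAR_AP_FD"): {"read", "append", "write", "delete", "rename"},
        ("RPM_RC", "VAR_FD"): {"read", "append", "write"},
        ("GENERAL", "VAR_FD"): {"read", "append", "write"},   # hypothetical role
        ("GENERAL", "VAR_AP_FD"): {"read"},
    }
    return {r: rc_allows(types, rights, r, "write", PKG_RECORD)
            for r in ("RPM_RC", "GENERAL")}
```

In the FF case the write becomes possible for every process while the flags are lifted; in the RC case only the package-manager role can ever write, and nothing has to be switched off.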