[rsbac] DAZ & cache
Andrea Pasquinucci
cesare at ucci.it
Thu Sep 29 09:41:45 CEST 2005
Hi, I am here again, sorry folks...
I am using DAZ and I notice something that I do not like too much, even
if I do not know what could be done about it.
I have done the following tests having created a directory which is not
scanned by clamd ("ClamukoExcludePath /somedir/NOCHECK/")
TEST 1
- try to access a virus in /somedir/CHECK/ => access denied = OK
- mv /somedir/CHECK/virus /somedir/NOCHECK/ => success = OK
- less /somedir/NOCHECK/virus => success = OK
- mv /somedir/NOCHECK/virus /somedir/CHECK/ => success = OK
- less /somedir/NOCHECK/virus => success ???? NOT OK!!
Well, I do understand that the cache has tricked me. In accessing the
file in the NOCHECK directory, the inode has been marked as CLEAN; then
I moved the file within the same partition, the inode has not changed,
so it is still marked as CLEAN. Well, my point here is that when DAZ
checks the file in /somedir/NOCHECK/, clamd should answer "NO CHECK" or
something similar; now what should be put in cache? My understanding is
that CLEAN is put, but why not put "UNKNOWN" in cache? I guess the
answer is that in this case every time a file is accessed in the NOCHECK
dir there will be nothing in the cache and clamd should be called, with
a lot of extra work of course, but much less security. If I am correct,
I would propose to introduce a switch at some level (kernel config or
admin utils) to let a user decide what should be put in cache if clamd
answers "not checking in this dir".
TEST 2
same as test 1, but instead of "mv /somedir/NOCHECK/virus
/somedir/CHECK/", I do "cp /somedir/NOCHECK/virus /somedir/CHECK/". The
results are also the same, but now the inodes are different!!! Why? I
guess that in creating the new file, the DAZ cache of the parent is
copied to it, but this I really do not understand ????????????
TEST 3
same as test 2, but I move or copy the file to a different
partition: nothing changes, still access!!!!
(Obviously if I use daz_flush then the virus is not accessed in any
CHECK dir)
Can we do something about it? As another proposal, I would suggest
doing something at least at the level of partitions, that is, when I
mv/cp files between partitions, they should not inherit the DAZ cache
flag the parent had. In this way we could say that it is really safe to
use ClamukoExcludePath for partitions.
What do you think? Am I completely off???????????????
Andrea
--
Andrea Pasquinucci cesare at ucci.it
PGP key: http://www.ucci.it/ucci_pub_key.asc
fingerprint = 569B 37F6 45A4 1A17 E06F CCBB CB51 2983 6494 0DA2
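A small Python replay of the TEST 1 sequence above, added here as an illustration and not code from RSBAC, DAZ or clamd: it models a constructed inode-keyed cache that stores only CLEAN verdicts (or UNKNOWN, under the switch proposed in the post) and assumes that an infected verdict is denied without being cached, so that a same-partition mv carries the cached verdict along with the inode exactly as the post describes.

```python
from enum import Enum
from itertools import count

class Verdict(Enum):
    CLEAN = "clean"
    UNKNOWN = "unknown"    # proposed cache value for "not checking in this dir"
    INFECTED = "infected"

class ScanCacheModel:
    def __init__(self, cache_excluded_as_unknown, exclude_prefix="/somedir/NOCHECK/"):
        self.cache_excluded_as_unknown = cache_excluded_as_unknown
        self.exclude_prefix = exclude_prefix
        self.cache = {}       # inode -> Verdict; only CLEAN/UNKNOWN are ever stored
        self.files = {}       # path -> (inode, is_virus); constructed file system
        self.scans = 0        # how often the scanner really had to read content
        self._inodes = count(1)

    def create(self, path, is_virus):
        self.files[path] = (next(self._inodes), is_virus)

    def mv(self, src, dst):
        # same-partition rename: the inode, and with it the cache entry, is unchanged
        self.files[dst] = self.files.pop(src)

    def _ask_scanner(self, path, is_virus):
        if path.startswith(self.exclude_prefix):
            # scanner answers "not checking in this dir" without reading the file
            return Verdict.UNKNOWN if self.cache_excluded_as_unknown else Verdict.CLEAN
        self.scans += 1
        return Verdict.INFECTED if is_virus else Verdict.CLEAN

    def access(self, path):
        # returns True when access is granted, False when denied
        inode, is_virus = self.files[path]
        verdict = self.cache.get(inode, Verdict.UNKNOWN)
        if verdict is Verdict.UNKNOWN:            # nothing usable cached: ask again
            verdict = self._ask_scanner(path, is_virus)
            if verdict is not Verdict.INFECTED:   # assumption: infected is never cached
                self.cache[inode] = verdict
        return verdict is not Verdict.INFECTED

def run_test1(cache_excluded_as_unknown):
    """Replay TEST 1 from the post: returns ([granted per access], scanner reads)."""
    m = ScanCacheModel(cache_excluded_as_unknown)
    m.create("/somedir/CHECK/virus", is_virus=True)
    granted = [m.access("/somedir/CHECK/virus")]        # denied, as in the post
    m.mv("/somedir/CHECK/virus", "/somedir/NOCHECK/virus")
    granted.append(m.access("/somedir/NOCHECK/virus"))  # excluded dir: granted
    m.mv("/somedir/NOCHECK/virus", "/somedir/CHECK/virus")
    granted.append(m.access("/somedir/CHECK/virus"))    # True if CLEAN was cached, False if UNKNOWN
    return granted, m.scans
```

The scanner-read count shows the cost the post mentions: caching UNKNOWN makes every later access to a file last seen in an excluded directory go back to the scanner, which is exactly what closes the mv hole.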