[ale] Filesystem security under Linux (Was: Re: OT was software modems)

Greg Freemyer greg.freemyer at gmail.com
Fri Dec 8 09:58:48 EST 2006


Mike,

In Linux (2.4.? and all of 2.6 series) they implemented File Access Control
Lists.  (ACLs).  IIRC, you can use ACLs to restrict file access such that
root does not have access.  I believe SELinux builds on that standard Linux
feature.

Not all filesystems support ACLs, but xfs does for sure even in a vanilla
kernel.  ext2/ext3 may require patches but they've been around for several
years at least and I would be surprised if there not in the vanilla kernel.

I can't say I've worried about it too much.  I've only used XFS ACLs w/Samba
to implement NTFS ACL support.  (Not perfect, but better than nothing.)

Not sure how that compares to FreeBSD security.

Greg

On 12/8/06, Michael B. Trausch <fd0man at gmail.com> wrote:
>
>  On Tue, 2006-12-05 at 10:24 -0500, Scott Castaline wrote:
> [snip]
>
> until the completion of the call(hang-up). This also prevented at leastthe operators from "doctoring" the DV file creation process. The filesalso were owned by root with no access by the telemarketing staff.Situations where the staff had root access the files were owned by someother "special user" that they could not access, so again no "Doctoring"of the files after the fact. If memory serves me correctly this was
>
>
> Files like this sound like good candidates for higher-than-root security
> mechanisms.  For example, in FreeBSD you can have the files be "schg" which
> prevents them from being altered -- even by the root user.  Assuming that
> BSD securelevels are used, even the root user cannot change the schg (e.g.,
> remove the flag, or alter the file) without bringing the system completely
> down, rebooting it, and interfering with the boot processes such that the
> system doesn't make it to a more secure level so that they can remove the
> schg flag.
>
> Linux has the chattr thing, but IIRC, there isn't anything like BSD
> securelevels which would help to block even root.  Does anyone know if any
> progress has actually been made under Linux like the BSD securelevels?
> Would this be something that perhaps SELinux or something would do?  I can't
> seem to find anything related to BSD securelevels for Linux.
>
>     -- Mike
>
> --
>   Michael B. Trausch  fd0man at gmail.com
>   Phone: (404) 592-5746   Jabber IM:  fd0man at gmail.com
> fd0man at livejournal.com
>   *Demand Freedom!  Use **open** and **free** protocols, standards, and
> software!*
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
>
>
>


-- 
Greg Freemyer
The Norcross Group
Forensics for the 21st Century
-------------- next part --------------
An HTML attachment was scrubbed...




More information about the Ale mailing list