Hi,

On Mon, Sep 24, 2007 at 04:31:22PM +0100, Brian Candler wrote:
> On Sun, Sep 23, 2007 at 10:54:06PM +0100, Rui Miguel Silva Seabra wrote:
> > On Sat, Sep 22, 2007 at 06:47:46PM -0500, L. V. Lammert wrote:
> > > OBSD is UNIX, .. SELinux is Linux. If you want a secure, efficient,
> > > compact OS done by folks you can trust and actually talk to, use OBSD; if
> > > you want 'fairly secure Linux' [which has had thousands of hands in it
> > > including NSA, as mentioned previously], use OpenSUSE with ***AppArmor***.
> > > Simple and easy to implement, even by less senior Admins.
> >
> > Can you say "root can only run this and that application when su'ed from
> > that guy, and may not open any net connection, but open this file and none
> > else" in OpenBSD? If so, how can I do it? :)
>
> You solve the problem a different way:
>
> - You don't give the guy root access, but their own userid

The guy can be some stupid binary software with an "if(uid!=root) bail();"

> - You set file permissions so this userid can read only the file of interest

"none else" => find / -type f -exec chmod o-r \{\} \; is a lot of overkill....

> - You use pf rules so that this user ID cannot send network packets
>
> - If this guy needs root for something (e.g. to bind to port 80), then you
>   write a three-line setuid root wrapper which binds to port 80 for them.
>   If you have a lot of this to do, then consider an 'open server' which
>   returns the open file descriptor.

All in all, forms of doing it all, but doing all you described creates a lot
more work than creating an SELinux policy :)

Best,
Rui

--
Umlaut Zebra über alles!
Today is Boomtime, the 48th day of Bureaucracy in the YOLD 3173
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?
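The setuid root wrapper mentioned in the quoted reply, written out as an added example (it is not code from anyone in this thread): it binds port 80 while the effective uid is still root, permanently becomes the invoking user, and hands the listening socket to the real server. The server path and the "socket arrives on fd 3" convention are assumptions made for illustration. A setuid program keeps the invoker's supplementary groups, so only the gid and uid need resetting.

```c
/* Added example: setuid-root wrapper that binds port 80, then becomes the
 * invoking user for good before running the real server. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SERVER_PATH "/usr/local/libexec/myserver"  /* hypothetical path */

/* Listening TCP socket on `port` (0 lets the kernel choose), or -1. */
int bind_listen(unsigned short port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently become uid/gid: gid first (needs root), then uid.
 * Refuses uid 0 and fails unless root can no longer be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) return -1;
    return 0;
}

int main(void)
{
    char *const args[] = { SERVER_PATH, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };  /* no inherited env */
    int fd = bind_listen(80);
    if (fd < 0) { perror("bind"); return 1; }
    /* Real ids are the invoking user's; only the effective uid is root. */
    if (drop_privileges(getuid(), getgid()) < 0) { fputs("drop failed\n", stderr); return 1; }
    if (fd != 3 && (dup2(fd, 3) < 0 || close(fd) < 0)) return 1;  /* server expects fd 3 */
    execve(SERVER_PATH, args, envp);
    perror("execve");
    return 1;
}
```

Installed root-owned with mode 4755, the wrapper holds root only for the `bind()` call; the server itself never runs with uid 0.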