As I understand SELinux, mandatory access controls and labels, the
security administrator can set up a security policy that will lock root
out of everything. Granted, that is not very useful, but it is a
demonstration of separation of privilege, and it severely restricts what
a person can do. The goal of this requirement is to prevent an attacker
who may have gained root from reading the mail queue.

George Toft, CISSP, MSIS
623-203-1760

"That which does not kill us makes us stronger."

Darrin Chandler wrote:
> George Toft wrote:
>
>> Requirements:
>> 2. Files owned by vpopmail:vchkpw can only be read by said user:group -
>> this includes root. We need to lock root (and every other user) out of
>> the messages.
>>
>
>> #2 sounds like a job for SELinux. Alternatives are welcome :)
>>
>
> You mean keep out junior sysadmins who have root access, or really keep
> root out? I don't know of any way to really keep root out. Root has
> access to everything. Period. Crypto can't solve it, unless the system
> only has access to the cyphertext (if you encrypt/decrypt locally then
> root can read the plaintext from memory, and/or get the key and read
> everything). Different schemes have been proposed and implemented so
> that root can't do this or that but none that I know of really work
> against a sophisticated attacker, because in *nix "root == the system."
>
> If you (wisely) take it as a given that root can compromise your box,
> then your problem becomes locking down root access. There are pretty
> effective, well known ways to do that.
>

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
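What George describes, a policy that confines the mail store to a single domain so that a root shell cannot read it, looks roughly like the following reference-policy style module. This is an added example and not code from the thread or from any vpopmail project; the domain, type and path names (vpopmail_t, vpopmail_exec_t, vpopmail_spool_t, /var/vpopmail/...) are assumptions for the illustration, while the refpolicy interfaces, the neverallow statement and the build/inspection commands are standard SELinux tooling.

```selinux
## vpopmail_spool.te  -- added example, not from the thread.
## Domain, type and path names below are assumptions.
policy_module(vpopmail_spool, 1.0.0)

########################################
# Declarations

# Domain for the vpopmail delivery/POP daemons. Assumed to be started
# from an init script, so init_t transitions into it via the exec type.
type vpopmail_t;
type vpopmail_exec_t;
init_daemon_domain(vpopmail_t, vpopmail_exec_t)

# Label for the message store itself.
type vpopmail_spool_t;
files_type(vpopmail_spool_t)

########################################
# Policy: only vpopmail_t may touch the store

allow vpopmail_t vpopmail_spool_t:dir manage_dir_perms;
allow vpopmail_t vpopmail_spool_t:file manage_file_perms;
allow vpopmail_t vpopmail_spool_t:lnk_file manage_lnk_file_perms;
# (network, PAM, logging, etc. needed for a working daemon are omitted)

# The teeth of the "lock root out" requirement. files_type() gives the
# store the file_type attribute, and broad grants such as
# files_read_all_files() on admin domains, or the unconfined_t domain
# that root's shell normally runs in on a targeted system, are allowed
# on file_type. This neverallow makes the policy build/link FAIL while
# any domain other than vpopmail_t can read the store, so the policy
# cannot be loaded until root really is locked out. It is only enforced
# at semodule time when expand-check=1 in /etc/selinux/semanage.conf.
neverallow { domain -vpopmail_t } vpopmail_spool_t:file { read open };

## vpopmail_spool.fc  -- file contexts (paths are assumptions)
# /var/vpopmail/bin/vdelivermail  --  gen_context(system_u:object_r:vpopmail_exec_t,s0)
# /var/vpopmail/domains(/.*)?         gen_context(system_u:object_r:vpopmail_spool_t,s0)

## Build, load and inspect (run as the policy administrator):
# make -f /usr/share/selinux/devel/Makefile vpopmail_spool.pp
# semodule -i vpopmail_spool.pp      # refuses to load if the neverallow is violated
# restorecon -Rv /var/vpopmail
# sesearch -A -t vpopmail_spool_t -c file -p read   # expect only vpopmail_t as source
```

On a stock targeted policy the neverallow fails immediately, because unconfined_t (root's default login domain) may read every file_type; that failure is the useful signal. Satisfying it means running root in a confined domain (for example mapping the root login to a confined SELinux user with semanage login, or dropping the unconfined module) and not handing that domain blanket file_type reads. Darrin's objections still apply to the domain's own process memory and to policy control, so a confined root must also be denied ptrace on vpopmail_t and denied setenforce and load_policy (on reference-policy based systems the secure_mode_policyload boolean removes the latter from sysadm_t); otherwise root simply switches enforcement off and the label does nothing.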