Another good implementation of securing access to the system as a whole is GRSEC (using Role Based Access Control, "RBAC"). It's infinitely granular, restricting system calls and what hardware is accessed by whatever you configure. I know it sounds complex at first... that's because it is, but IMO it's a great addition to the fairly loose kernel. The thing is, once you have a system set up you can copy its configuration and deploy as necessary. At the end of the day all the ACLs in the world are useless when a user can run the (right/wrong) suid app (or other arbitrary code) and compromise all system integrity. IMO ACLs are a waste of time when the entire system is compromised. When a chroot() can be broken from some other flawed or uncontrolled system call and gain root access, what's the point?



-Scott






Joseph Sinclair <plug-discuss@stcaz.net>
Sent by: plug-discuss-admin@lists.plug.phoenix.az.us
06/25/2005 01:08 AM
Please respond to: plug-discuss@lists.plug.phoenix.az.us
To: plug-discuss@lists.plug.phoenix.az.us
cc:
Subject: Re: ACL, SELinux, and chroot.





-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SELinux is a modified kernel (and some other parts of the GNU/Linux system) to support better security, including native ACL-like support, mandatory access control (no root user!), and policy-based security enforcement.
ACLs (short for Access Control List) are a mechanism whereby multilayered access controls are applied to operating system objects. SELinux actually uses policies, but it works the same, for the most part.
In Linux (as with all Unix-like systems) everything is a file, so ACLs are mostly applied to files.

Technically, SELinux adds role-based security with mandatory access controls to a Linux system, not ACLs. It's a fine point, but it explains why setting up security is easy in Windows, and a serious PITN on SELinux.

SELinux is the "standard" distribution that supports using enhanced security in a GNU/Linux environment; without it, you won't, usually, have anything like ACLs to work with.
If you can get ACLs without SELinux, DO SO; SELinux is serious extra work if all you need is multilayered access control.
I did a bit more research on this, and there is ACL support available for most Linux filesystems, but the support within the filesystem tools may be lacking, and if the ACL support isn't compiled into the kernel (many distros don't include it), then it's just not available, whether the FS supports it or not.

For ACL resources:
There's an outdated article on this at (http://www.suse.de/~agruen/acl/linux-acls/online/)
Here's the about.com entry for ACL (http://linux.about.com/library/cmd/blcmdl5_acl.htm)
Here's an ACL management tool that might help (http://www.ameba6.com/guiaclmanager/)
Fedora Core 4 should have ACLs compiled in the kernel and most filesystems. Check if getfacl is present on your system; I don't have an FC4 system to try this on.

More on SELinux at (http://www.nsa.gov/selinux/) (Note, this is the US National Security Agency, standard caveats apply).
SELinux is generally incorporated into the 2.6 kernels and just not enabled by default.
Fedora Core incorporates an SELinux mode; the FAQ for FC3 is at (http://fedora.redhat.com/docs/selinux-faq-fc3/index.html). They haven't put up the FAQ for FC4 yet, but SELinux is definitely there, and considerably improved.

SELinux installs tend to take quite a bit of time to get right, so I would plan on a few weeks, at least, to get it all set up before exposing users to it, since any problems with the security policy can completely alienate the user base in negative time.

==Joseph++

Bryan.ONeal@asu.edu wrote:
| Ok, I am doing up this test server using FC4 (it was what I had handy) and I
| need a brief understanding of the differences between ACL and SELinux before I
| spend most of my weekend learning one or the other.
|
| What I believe I understand so far is that SELinux restricts the rights of
| users and processes to the system (like chroot?) however ACL limits users or
| processes access to a file.  Is this correct?
|
| Should I focus on learning ACL for file permissions and chroot for user
| logins?  How about SELinux, will it lock down the logins?
|
| Just point me down the right road and I am sure I can find the path....  Then
| promptly get lost again and ask for more instruction :)
|
|
|
|
| -------------
| What do you expect from an accountant?
| ---------------------------------------------------
| PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
| To subscribe, unsubscribe, or to change  you mail settings:
| http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCvRETNJtScLfPeRYRArrHAKCvvWREjWdudDGoNebsdWcq38ysYQCeJWqs
ch/LrxdfhTnHvP9tf6tlMZ4=
=6ToP
-----END PGP SIGNATURE-----
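
The point in the quoted message that ACLs are unavailable unless compiled into the kernel, and that the tools may be missing too, can be checked directly. The script below is an added example, not part of either message: it reads a kernel build config and lists the filesystems with POSIX ACL support switched on or off. The sample config is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): list filesystems whose POSIX ACL
# support is compiled into a kernel, based on that kernel's build config.
# Function names are hypothetical; the sample config below is constructed.

sample_config() {
cat <<'EOF'
CONFIG_EXT2_FS=y
CONFIG_EXT2_FS_POSIX_ACL=y
CONFIG_EXT3_FS=m
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_REISERFS_FS=y
# CONFIG_REISERFS_FS_POSIX_ACL is not set
CONFIG_XFS_FS=m
CONFIG_XFS_POSIX_ACL=y
CONFIG_JFS_FS=m
# CONFIG_JFS_POSIX_ACL is not set
EOF
}

# Turn matched option names (EXT2, XFS, ...) into one sorted, lowercase line.
# A bare "FS" comes from CONFIG_FS_POSIX_ACL, the shared core, so drop it.
join_names() {
  sed '/^FS$/d' | tr '[:upper:]' '[:lower:]' | sort | paste -sd' ' -
}

# Read a kernel config on stdin; print filesystems with ACL support built in.
# Options look like CONFIG_<FS>_FS_POSIX_ACL or CONFIG_<FS>_POSIX_ACL.
acl_enabled() {
  sed -n 's/^CONFIG_\([A-Z0-9]*\)\(_FS\)\{0,1\}_POSIX_ACL=y$/\1/p' | join_names
}

# Same input; print filesystems whose ACL option is explicitly turned off.
acl_disabled() {
  sed -n 's/^# CONFIG_\([A-Z0-9]*\)\(_FS\)\{0,1\}_POSIX_ACL is not set$/\1/p' | join_names
}

# Kernel support is only half of it: the userland tools must exist too.
acl_tools_present() {
  command -v getfacl >/dev/null 2>&1 && command -v setfacl >/dev/null 2>&1
}

echo "ACL compiled in:  $(sample_config | acl_enabled)"
echo "ACL compiled out: $(sample_config | acl_disabled)"
if acl_tools_present; then echo "getfacl/setfacl: found"
else echo "getfacl/setfacl: missing"; fi
```

On a live system, pipe in `/boot/config-$(uname -r)` or the output of `zcat /proc/config.gz` instead of the sample; which of the two exists depends on the distribution.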