Re: Just got an interesting project...

Author: Darrin Chandler
Date:  
To: Main PLUG discussion list
Subject: Re: Just got an interesting project...
If root can maintain the box, root can read the mail. It may be *harder*
for root to read the mail, but it can be done. Otherwise you'd have to
do odd things like boot from CD/floppy to upgrade the kernel, etc. If
you can upgrade the kernel as root you can do *anything*.

I am NOT saying that SELinux (or whatever else) is a bad thing, or that
it's not appropriate in this setting. But realize what security you are
and are not getting.

Seeing those three requirements makes me wonder what the attack trees
and risk analysis look like for this project. Are you at liberty to
share any of that?

On Thu, Oct 05, 2006 at 09:26:21AM -0700, George Toft wrote:
> As I understand SELinux, mandatory access controls and labels, the
> security administrator can set up a security policy that will lock root
> out of everything. Granted that is not very useful, but it is a
> demonstration of separation of privilege, and severely restricts what a
> person can do.
>
> The goal of this requirement is to prevent an attacker who may have
> gained root from reading the mail queue.
>
> George Toft, CISSP, MSIS
> 623-203-1760
>
> "That which does not kill us makes us stronger."
>
>
>
> Darrin Chandler wrote:
> > George Toft wrote:
> >
> >>Requirements:
> >>2. Files owned by vpopmail:vchkpw can only be read by said user:group -
> >>this includes root. We need to lock root (and every other user) out of
> >>the messages.
> >>
> >
> >
> >>#2 sounds like a job for SELinux. Alternatives are welcome :)
> >>
> >
> >
> > You mean keep out junior sysadmins who have root access, or really keep
> > root out? I don't know of any way to really keep root out. Root has
> > access to everything. Period. Crypto can't solve it, unless the system
> > only has access to the cyphertext (if you encrypt/decrypt locally then
> > root can read the plaintext from memory, and/or get the key and read
> > everything). Different schemes have been proposed and implemented so
> > that root can't do this or that but none that I know of really work
> > against a sophisticated attacker, because in *nix "root == the system."
> >
> > If you (wisely) take it as a given that root can compromise your box,
> > then your problem becomes locking down root access. There are pretty
> > effective, well known ways to do that.
> >
> >
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss


-- 
Darrin Chandler            |  Phoenix BSD Users Group
   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |