Just got an interesting project...
George Toft
george at georgetoft.com
Thu Oct 5 09:26:21 MST 2006
As I understand SELinux, mandatory access controls and labels, the
security administrator can set up a security policy that will lock root
out of everything. Granted that is not very useful, but it is a
demonstration of separation of privilege, and severely restricts what a
person can do.
The goal of this requirement is to prevent an attacker who may have
gained root from reading the mail queue.
George Toft, CISSP, MSIS
623-203-1760
"That which does not kill us makes us stronger."
Darrin Chandler wrote:
> George Toft wrote:
>
>>Requirements:
>>2. Files owned by vpopmail:vchkpw can only be read by said user:group -
>>this includes root. We need to lock root (and every other user) out of
>>the messages.
>>
>
>
>>#2 sounds like a job for SELinux. Alternatives are welcome :)
>>
>
>
> You mean keep out junior sysadmins who have root access, or really keep
> root out? I don't know of any way to really keep root out. Root has
> access to everything. Period. Crypto can't solve it, unless the system
> only has access to the cyphertext (if you encrypt/decrypt locally then
> root can read the plaintext from memory, and/or get the key and read
> everything). Different schemes have been proposed and implemented so
> that root can't do this or that but none that I know of really work
> against a sophisticated attacker, because in *nix "root == the system."
>
> If you (wisely) take it as a given that root can compromise your box,
> then your problem becomes locking down root access. There are pretty
> effective, well known ways to do that.
>
>
More information about the PLUG-discuss
mailing list