More PATH fallout. Who decided this was a good idea?

Callum Lerwick seg at haxxed.com
Sat Dec 6 18:36:50 UTC 2008


On Sat, 2008-12-06 at 13:16 -0500, Steve Grubb wrote:
> On Saturday 06 December 2008 13:02:39 Callum Lerwick wrote:
> > > No, it has more to do with the fact that we have to audit all attempts to
> > > modify trusted databases - in this case, shadow. No one can use these
> > > tools since they do not have the permissions required to be successful.
> > > So, we remove the ability to use these tools so that we don't have to
> > > audit it.
> >
> > So "cat >> /etc/shadow" is audited?
> 
> Of course.

So we *are* auditing low level filesystem calls? So then what, other
than security theater, does auditing execution of usermod gain us?

> > > IOW, if we open the permissions, we need to make these become setuid root
> > > so that we send audit events saying they failed.
> > >
> > > > I'm just curious what added security you really get.
> > >
> > > It's not so much a security thing as much as it's a certification thing. An
> > > ordinary user cannot possibly use these tools since they do not have the
> > > requisite permissions.
> >
> > Yet "vi /etc/shadow" is okay? Is that audited?
> 
> Yep.
> 
> > It's sounding like the certification board's idea of "attempting to modify
> > trusted databases" is far detached from reality.
> 
> No, it's actually quite good. By the way, we also get yelled at for not having
> Fedora locked down enough at install time. It's a constant tug-of-war between
> loosen it up and tighten it down.

If you consider "no internet" quite good. That may work for NSA spooks
but I'm going to go out on a limb and say it has absolutely no value for
the vast, vast majority of Fedora users.

> > Unix security happens at the syscall layer and given the focus on the
> > filesystem, at the filesystem layer. If you're not auditing *every*
> > attempt to open() /etc/shadow at the syscall layer it sounds to me like
> > you are doing it wrong.
> 
> Nope. We are doing it right or we wouldn't have achieved LSPP.

I would note that my "doing it wrong" is then ultimately directed at the
LSPP. Rightly following a wrong authority doesn't make things right
unless you're a suit with checkboxes to tick.
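The file-level auditing argued over above, as an added example that is not part of the thread or of any Fedora code: it parses constructed audit.log records (rule keys shadow-write and usermod-exec are assumed) and shows that a watch on /etc/shadow records the vi, shell-redirect and usermod writers alike, while a watch on the usermod binary only ever records the tool.

```python
import re
from collections import defaultdict

# Constructed records (not from the thread) in the format auditd writes to
# /var/log/audit/audit.log. Assumed rules that would produce them:
#   auditctl -w /etc/shadow -p wa -k shadow-write
#   auditctl -w /usr/sbin/usermod -p x -k usermod-exec
# Note that for "cat >> /etc/shadow" it is the shell, not cat, that opens the file.
SAMPLE_AUDIT_LOG = """
type=SYSCALL msg=audit(1228588610.101:4201): arch=c000003e syscall=2 success=yes exit=3 auid=500 uid=0 comm="vi" exe="/usr/bin/vi" key="shadow-write"
type=PATH msg=audit(1228588610.101:4201): item=0 name="/etc/shadow" mode=0100400 ouid=0
type=SYSCALL msg=audit(1228588620.202:4202): arch=c000003e syscall=2 success=no exit=-13 auid=500 uid=500 comm="bash" exe="/bin/bash" key="shadow-write"
type=PATH msg=audit(1228588620.202:4202): item=0 name="/etc/shadow" mode=0100400 ouid=0
type=SYSCALL msg=audit(1228588630.303:4203): arch=c000003e syscall=59 success=no exit=-13 auid=500 uid=500 comm="bash" exe="/bin/bash" key="usermod-exec"
type=PATH msg=audit(1228588630.303:4203): item=0 name="/usr/sbin/usermod" mode=0100755 ouid=0
type=SYSCALL msg=audit(1228588640.404:4204): arch=c000003e syscall=2 success=yes exit=4 auid=0 uid=0 comm="usermod" exe="/usr/sbin/usermod" key="shadow-write"
type=PATH msg=audit(1228588640.404:4204): item=0 name="/etc/shadow" mode=0100400 ouid=0
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL = re.compile(r'msg=audit\([\d.]+:(\d+)\)')


def parse_events(text):
    """Join the SYSCALL and PATH records that share an event serial into one dict."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.strip().splitlines():
        serial = int(SERIAL.search(line).group(1))
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields["type"] == "SYSCALL":
            events[serial].update(fields)
        elif fields["type"] == "PATH":
            events[serial]["paths"].append(fields["name"])
    return dict(events)


def accesses_to(events, path):
    """Every attempt on `path`, whatever program made it: (serial, auid, comm, succeeded)."""
    return [(s, e["auid"], e["comm"], e["success"] == "yes")
            for s, e in sorted(events.items()) if path in e["paths"]]


def denied_by_login_user(events):
    """Failed attempts grouped by login uid (auid survives su/sudo): who tried what,
    independent of which binary they typed."""
    out = defaultdict(list)
    for s, e in sorted(events.items()):
        if e["success"] == "no":
            out[e["auid"]].append((e["key"], e["paths"][0]))
    return dict(out)
```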