Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Archives
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
|
SELinux Mailing ListRe: newrole - adding capabilities for polyinstantiation
From: Stephen Smalley <sds_at_tycho.nsa.gov>
Date: Wed, 04 Oct 2006 10:52:12 -0400
That is not correct. File system operations in Linux are based on the fsuid, which shadows the euid unless explicitly set.
> What we would need to do is change the real uid to be, say, root in If you delay the setresuid call until after pam_namespace runs, then files created by it should be created in uid 0 by default, and thus not immediately accessible to the caller.
> There are a few concerns which have arisen due to this polyinstantiation For some users, yes. But this will vary depending on user need.
> If making newrole to be a setuid root program is considered -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Wed 4 Oct 2006 - 10:51:12 EDT |
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |