tech-kern archive


Re: veriexec



On Saturday, 9 Feb 2008 6:18:54
Elad Efrat <elad%NetBSD.org@localhost> wrote:

> This is not a bug, it's documented behavior. :) See security(8)
> for an explanation of strict levels.

I did see security(8) but did not exactly understand what was the
meaning of "Access type", since there already were lines about write
access or right to remove a file...

> However, there's still a problem if you did try to look that
> information up and couldn't find it. Can you please tell me where
> you tried looking for it? maybe we should move the strict level
> documentation and other stuff (like "what's that incorrect access
> message" :) to a veriexec(8) man-page...

> The "access type" is "how the file should be accessed", as
> specified by /etc/signatures. For example, /bin/sh is probably used
> both as a shell (direct execution) and as a shell script
> interpreter (indirect execution), so it needs both of these flags.

This sounds great, and I now get a better understanding.  Yes I guess
that veriexec(4), veriexecgen(8) and veriexecctl(8) should all link to
security(8) in SEE ALSO as well.  Perhaps that veriexecgen(8) man
page, veriexec(4) or as you said a new veriexec(8) man page, or even
signatures(5) could explain the actual access types and how to specify
them, with appropriate manual page cross-linking in SEE ALSO... 
signatures(5) probably to be considered as most configuration files
are described by section 5 man pages.

> A while ago mjf@ wrote a patch for veriexecgen that tries to guess
> all of that stuff (see PR/34773) -- please test if you're
> interested; if you find it useful I'll just commit it.

This would be most interesting at least for the base system. 
Probably harder to get right without security implications with third
packages however.  We have an /etc/shells which can help, but there
also are a number of possible interpreters...  I'll definitely check
it out some day next week (as well as try strict level 2).

Thanks a lot,
-- 
Matthew Mondor
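
An added example, not part of the original message and not code from veriexecgen or PR/34773: a small audit that cross-checks the shells listed in /etc/shells against signatures entries and reports any shell lacking the direct or indirect access type discussed above. The entry layout "path algorithm fingerprint flags", the flag spellings and all sample data are assumptions constructed for illustration.

```python
import re

# Constructed sample inputs. The "path algorithm fingerprint flags" layout and
# the flag names "direct"/"indirect" are assumptions; fingerprints are placeholders.
SAMPLE_SIGNATURES = """\
/bin/sh   SHA256 <fingerprint-placeholder> direct, indirect
/bin/csh  SHA256 <fingerprint-placeholder> direct
/bin/ls   SHA256 <fingerprint-placeholder> direct
"""
SAMPLE_SHELLS = """\
# constructed /etc/shells
/bin/sh
/bin/csh
/bin/ksh
"""
REQUIRED = {"direct", "indirect"}  # a shell is run directly and as an interpreter


def strip_comment(line):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_signatures(text):
    """Map each path to the set of access-type flags on its entry."""
    entries = {}
    for raw in text.splitlines():
        fields = strip_comment(raw).split(None, 3)
        if len(fields) < 3:
            continue  # blank, comment-only or malformed line
        flags = fields[3] if len(fields) == 4 else ""
        entries[fields[0]] = {f for f in re.split(r"[,\s]+", flags.lower()) if f}
    return entries


def audit_shells(signatures_text, shells_text):
    """Return {shell: missing flags}; the value is None when no entry exists."""
    entries = parse_signatures(signatures_text)
    shells = [s for s in map(strip_comment, shells_text.splitlines()) if s]
    findings = {}
    for shell in shells:
        if shell not in entries:
            findings[shell] = None
        elif REQUIRED - entries[shell]:
            findings[shell] = sorted(REQUIRED - entries[shell])
    return findings


if __name__ == "__main__":
    for shell, missing in audit_shells(SAMPLE_SIGNATURES, SAMPLE_SHELLS).items():
        print(shell, "no entry" if missing is None else "missing: " + ", ".join(missing))
```

A shell with no entry is reported separately from one with an incomplete flag set, since the two need different fixes in the signatures file.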


