Subject: Re: kauth, securelevel, and "run levels"
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Elad Efrat <elad@NetBSD.org>
List: tech-security
Date: 03/26/2006 00:27:30
Steven M. Bellovin wrote:
> Not really. Have a look at
> http://www.usenix.org/publications/library/proceedings/sec02/zhang.html
> -- it describes an automated analysis of the Linux kernel to ensure
> that certain checks were done at the right points.
For this reason, there are no new authorization requests anywhere in the
code (yet).
> I'm less concerned with the efficiency (a concern others have
> expressed) than with the correctness of the larger code.
The entire kauth(9) subsystem, contained within kern/kern_auth.c, is a
little over 800 lines of code, including spacing, comments, and license.
I invite anyone who is interested in the quality of the code, either in
the aspect of efficiency or security, to have a look at it and point out
what seems to be wrong or can be done better.
A link to the latest revision (for now) is:
http://cvsweb.netbsd.org/bsdweb.cgi/~checkout~/src/sys/kern/Attic/kern_auth.c?rev=1.1.2.24&content-type=text/plain
> That's where we disagree. I'm concerned not just with assurance for
> the programmer, but for the administrator of such a system. With the
> new scheme, when you set certain flags, do you have a clear
> understanding what is and isn't possible for an attacker? Securelevel
> can be described in a few paragraphs; you know what you're getting
> (modulo code bugs, but that's not what I'm talking about here).
While this is a valid concern, it is a well known fact in the Unix world
that a root user can very easily screw everything up. For that reason,
while I do understand the need of some people in multiple knobs, my
initial proposal suggested that we have *two* securelevel schemes that
can be used -- the existing scheme (default), and the multi-knobbed
scheme.
Furthermore, I even mentioned (and Thor mentioned it in his reply, too)
that we can ship default sysctl.conf-like files for those who choose
the new scheme with sane defaults.
So, if an admin chooses to, he can go the multi-knobbed way, and either
use or ignore the files we provide. There's so much we can do; I think
good documentation and sane defaults are enough.
-e.
--
Elad Efrat