1. Privacy Model Example
This example is described in a separate document.
Administration Goal
Protect all executables, e.g. below /sbin, against tampering
Common steps for all models
- Identify all directories containing executables and all single executables in other
directories. As long as the most important directories, e.g. /sbin, /bin, /usr/sbin,
/usr/bin, are included, you can find the rest with trial and error later.
FF solution
- Set ff_flags search_only and read_only for all identified directories. The flag
search_only means that you can only access objects in a directory if you know their exact
path, and that you are not allowed to change anything about the directory itself.
- Set read_only for all identified separate executables. The flag read_only means that the
object (for a directory: together with all its subobjects) is set to read-only.
- If you need to read the directory contents, remove the search_only flag. The read_only
flag is still applied.
- If a directory contains binary executables only and no scripts, you can set the flag
execute_only for it. This means that all files below may only be executed, but not read
(copied) or anything else.
RC solution
- Create a new FD type 'Executables'.
- Give all roles rights SEARCH and EXECUTE for this type.
- If you need to READ_OPEN the files, e.g. scripts, add rights READ_OPEN and CLOSE.
- For filename completion in the shell, you need the READ right, possibly also
GET_STATUS_DATA or GET_PERMISSIONS_DATA.
- Set the new FD type 'Executables' for all identified directories and files.
- If you want to allow executable modification or installation for one role, e.g.
'Installer', just add the necessary rights to type 'Executables' for this role.
ACL solution
- Set the inheritance mask to SEARCH and EXECUTE only for all identified directories and
files.
- If you need to READ_OPEN the files, e.g. scripts, add rights READ_OPEN and CLOSE.
- For filename completion in the shell, you need the READ right, possibly also
GET_STATUS_DATA or GET_PERMISSIONS_DATA.
- As the SUPERVISOR right includes all other rights and can (usually) not be masked out,
all subjects with SUPERVISOR on a higher level still have full access. In the standard
setup, only user 400 (Security Officer etc.) has this right to the FD default ACL (and
thus to all files and directories).
- If you want to allow executable modification or installation for a subject, e.g. group
'Installers', just add an entry for this subject with the necessary rights to the
directory or file ACL.
- If you want to be sure not to miss such entries later, you can find all ACL entries with
acl_tlist -r.
Administration Goals
- Protect against execution of uncontrolled files or libraries
Common steps for all models
- Identify all directories containing executables and all single executables in other
directories. Also, identify all directories containing dynamically linked libraries and
all such single library files in other directories. As long as the most important
directories, e.g. /sbin, /bin, /usr/sbin, /usr/bin, and files, e.g. /lib/*.so* and
/usr/lib/*.so* are included, you can find the rest with trial and error later.
- Attention: If you miss an important directory or file during identification or attribute
setting, the system might become inaccessible, because important programs cannot be
executed or important libraries cannot be mmapped for execution!
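The identification step of both goals (executables for the first goal, executables plus dynamically linked libraries for this one), as an added Python example that is not part of the original document: it walks a constructed sample tree (built in a temporary directory, not a real system) and returns the directories to protect as a whole together with the stray executables found in other directories. The classification rule is this example's own assumption: a directory counts as a whole when it is one of the well-known ones named above, or when every regular file in it matches; otherwise the matching files are listed individually.

```python
import os
import stat
import tempfile

# Constructed sample tree (relative path -> kind); not taken from a real system.
SAMPLE_TREE = {
    "sbin/init": "exec",
    "sbin/fsck": "exec",
    "bin/ls": "exec",
    "usr/bin/python": "exec",
    "usr/share/doc/README": "data",
    "opt/tool/bin/run.sh": "exec",      # stray executable next to a data file
    "opt/tool/bin/config.ini": "data",
    "etc/rc.local": "exec",             # stray executable script in /etc
    "etc/passwd": "data",
    "lib/libc.so.6": "lib",
    "usr/lib/libz.so.1.2": "lib",
    "usr/local/lib/libfoo.so": "lib",
    "var/log/syslog": "data",
}

# Directories the text names as the most important starting points.
KNOWN_EXEC_DIRS = {"/sbin", "/bin", "/usr/sbin", "/usr/bin"}
KNOWN_LIB_DIRS = {"/lib", "/usr/lib"}


def build_sample_tree(root):
    """Create the constructed tree below root; only 'exec' entries get execute bits."""
    for rel, kind in SAMPLE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(kind + "\n")
        os.chmod(path, 0o755 if kind == "exec" else 0o644)


def is_executable(path):
    """Regular file with at least one execute bit set (binaries and scripts alike)."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & 0o111)


def is_shared_lib(path):
    """Name matches the shell pattern *.so* used above (libfoo.so, libc.so.6, ...)."""
    return ".so" in os.path.basename(path)


def identify(root, known_dirs, predicate):
    """Return (dirs, singles) as absolute paths relative to the tree root.

    dirs:    directories to protect as a whole (well-known, or every file matches)
    singles: matching files that live in directories holding other files too
    """
    dirs, singles = set(), set()
    for dirpath, _subdirs, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        rel_dir = "/" if rel == "." else "/" + rel
        files = [os.path.join(dirpath, name) for name in filenames]
        matching = [f for f in files if predicate(f)]
        if not matching:
            continue
        if rel_dir in known_dirs or len(matching) == len(files):
            dirs.add(rel_dir)
        else:
            singles.update("/" + os.path.relpath(f, root) for f in matching)
    return sorted(dirs), sorted(singles)


def run_identification():
    """Build the sample tree and run both identification passes over it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        exec_dirs, exec_singles = identify(root, KNOWN_EXEC_DIRS, is_executable)
        lib_dirs, lib_singles = identify(root, KNOWN_LIB_DIRS, is_shared_lib)
    return {
        "exec_dirs": exec_dirs,
        "exec_singles": exec_singles,
        "lib_dirs": lib_dirs,
        "lib_singles": lib_singles,
    }


if __name__ == "__main__":
    for key, value in run_identification().items():
        print(key, value)
```

The two result lists are exactly what the attribute-setting steps of each model consume: the directories get the directory-level setting, the singles get the per-file one. Running the executable pass first and the library pass second keeps the two lists separate, which matters for the RC solution where they receive different types.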
FF solution
- Remove the add_inherited flag for all identified directories.
- Remove the add_inherited flag for all identified separate executables and libraries.
- Set the no_execute flag on the top directory.
- Without add_inherited, the no_execute flag is not inherited and thus not applied to the
identified directories and separate executables and libraries.
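The inheritance rule behind the FF steps of both goals (search_only and read_only on the identified objects for the first goal; no_execute on the top directory with add_inherited removed from the identified objects for this one), as an added Python model that is not RSBAC's code: it assumes, following the description above, that an object's effective flags are its own flags plus its parent's effective flags whenever its own flags contain add_inherited, and that every object starts with add_inherited set. The paths and the "forgotten /usr/bin" scenario are constructed; that last scenario is the Attention note above made concrete.

```python
import posixpath

# Assumed default: every object starts with add_inherited, so flags flow down from "/".
DEFAULT_FLAGS = frozenset({"add_inherited"})


def parent(path):
    return posixpath.dirname(path.rstrip("/")) or "/"


class FFModel:
    """Simplified model of FF flag inheritance; not RSBAC's implementation."""

    def __init__(self):
        self.own = {}                      # path -> set of flags set on that object

    def own_flags(self, path):
        return set(self.own.get(path, DEFAULT_FLAGS))

    def add(self, path, *flags):
        self.own[path] = self.own_flags(path) | set(flags)

    def remove(self, path, *flags):
        self.own[path] = self.own_flags(path) - set(flags)

    def effective(self, path):
        """Own flags, plus the parent's effective flags if add_inherited is set."""
        flags = self.own_flags(path)
        if path != "/" and "add_inherited" in flags:
            flags |= self.effective(parent(path))
        return flags

    def can_execute(self, path):
        return "no_execute" not in self.effective(path)

    def is_read_only(self, path):
        return bool({"read_only", "execute_only"} & self.effective(path))


def tamper_protection(dirs, singles, binary_only_dirs=()):
    """FF solution for the goal 'protect all executables against tampering'."""
    m = FFModel()
    for d in dirs:
        m.add(d, "search_only", "read_only")     # read-only, access only by exact path
    for f in singles:
        m.add(f, "read_only")
    for d in binary_only_dirs:
        m.add(d, "execute_only")                 # files below may only be executed
    return m


def execution_control(dirs, singles):
    """FF solution for the goal 'protect against execution of uncontrolled files'."""
    m = FFModel()
    for obj in list(dirs) + list(singles):
        m.remove(obj, "add_inherited")           # steps 1 and 2: stop inheritance here
    m.add("/", "no_execute")                     # step 3: no_execute on the top dir
    return m


def demo():
    """Constructed scenario; returns the checks a practitioner would make."""
    identified = ["/sbin", "/bin", "/usr/bin", "/lib", "/usr/lib"]
    g1 = tamper_protection(["/sbin", "/bin", "/usr/bin"], ["/etc/rc.local"],
                           binary_only_dirs=["/sbin"])
    g2 = execution_control(identified, ["/etc/rc.local"])
    forgot_usr_bin = execution_control(["/sbin", "/bin", "/lib", "/usr/lib"], [])
    return {
        # goal 1: executables are read-only, other files untouched
        "g1_sbin_init_ro": g1.is_read_only("/sbin/init"),
        "g1_rc_local_ro": g1.is_read_only("/etc/rc.local"),
        "g1_passwd_ro": g1.is_read_only("/etc/passwd"),
        # goal 2: identified places stay executable, everything else does not
        "g2_sbin_init_exec": g2.can_execute("/sbin/init"),
        "g2_rc_local_exec": g2.can_execute("/etc/rc.local"),
        "g2_tmp_exec": g2.can_execute("/tmp/dropped"),
        "g2_home_exec": g2.can_execute("/home/user/evil"),
        # the Attention note: a missed directory inherits no_execute from "/"
        "missed_usr_bin_exec": forgot_usr_bin.can_execute("/usr/bin/python"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The last entry is the one to look at before applying the real setting: with /usr/bin missing from the identified list, everything below it inherits no_execute from the top directory, which on a real system is the "cannot be executed" failure the note warns about.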
RC solution
- Perform steps 1-5 from the RC solution for the previous goal (protection against
tampering). Make a similar setup for library directories and files with another type
'Libraries'.
- Remove the EXECUTE and MAP_EXEC rights for all types other than 'Executables' and
'Libraries' from all roles. To check the setup, try the other roles first and remove the
rights from your Role Admin role last.
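The RC steps of both goals (type 'Executables' with its rights for every role and the 'Installer' extension from the previous goal; type 'Libraries' and the EXECUTE/MAP_EXEC lockdown here), as an added Python model that is not RSBAC's code. It assumes rights are a role x FD-type matrix, that a type set on a directory covers everything below it, and that the default type (called General FD here) starts with broad rights for every role; the role 'General User', the starting rights and the MAP_EXEC/READ_OPEN/CLOSE set chosen for 'Libraries' are this example's assumptions, while 'Role Admin' and 'Installer' are the names used above.

```python
import posixpath

DEFAULT_TYPE = "General FD"   # name used here for the default FD type (an assumption)

# Rights on the default type in this constructed starting state (sample values, not
# RSBAC's shipped defaults); every role may execute and mmap anything before the lockdown.
BROAD_RIGHTS = {"SEARCH", "EXECUTE", "MAP_EXEC", "READ_OPEN", "WRITE_OPEN", "CLOSE",
                "READ", "CREATE", "DELETE", "GET_STATUS_DATA"}
# Steps 2-4 for executables (scripts allowed, so READ_OPEN and CLOSE are included).
EXEC_RIGHTS = ("SEARCH", "EXECUTE", "READ_OPEN", "CLOSE", "READ", "GET_STATUS_DATA")
# "A similar setup" for libraries; assumption: they are read-opened and mmapped for execution.
LIB_RIGHTS = ("SEARCH", "MAP_EXEC", "READ_OPEN", "CLOSE")


class RCModel:
    """Simplified RC model: a role x FD-type rights matrix; not RSBAC's code."""

    def __init__(self, roles):
        self.roles = list(roles)
        self.types = {DEFAULT_TYPE}
        self.rights = {(role, DEFAULT_TYPE): set(BROAD_RIGHTS) for role in roles}
        self.fd_type = {}   # path -> type; a typed directory covers everything below it

    def add_type(self, name):
        self.types.add(name)
        for role in self.roles:
            self.rights.setdefault((role, name), set())

    def grant(self, role, fd_type, *rights):
        self.rights[(role, fd_type)].update(rights)

    def revoke(self, role, fd_type, *rights):
        self.rights[(role, fd_type)].difference_update(rights)

    def set_type(self, path, fd_type):
        self.fd_type[path] = fd_type

    def type_of(self, path):
        """Type set on the object itself, else on its nearest typed ancestor, else the default."""
        while path not in self.fd_type:
            if path == "/":
                return DEFAULT_TYPE
            path = posixpath.dirname(path.rstrip("/")) or "/"
        return self.fd_type[path]

    def allowed(self, role, path, right):
        return right in self.rights[(role, self.type_of(path))]


def setup_type(m, type_name, objects, rights):
    """Steps 1-5 of the RC solution for executable protection, applied to one type."""
    m.add_type(type_name)                       # step 1
    for role in m.roles:
        m.grant(role, type_name, *rights)       # steps 2-4, for every role
    for obj in objects:
        m.set_type(obj, type_name)              # step 5


def lock_down_execution(m, admin_role):
    """Revoke EXECUTE and MAP_EXEC on every other type, taking the admin role last."""
    for role in [r for r in m.roles if r != admin_role] + [admin_role]:
        for fd_type in m.types - {"Executables", "Libraries"}:
            m.revoke(role, fd_type, "EXECUTE", "MAP_EXEC")


def demo():
    m = RCModel(["General User", "Role Admin", "Installer"])   # constructed role set
    setup_type(m, "Executables", ["/sbin", "/bin", "/usr/bin", "/etc/rc.local"], EXEC_RIGHTS)
    m.grant("Installer", "Executables", "WRITE_OPEN", "CREATE", "DELETE")   # step 6
    setup_type(m, "Libraries", ["/lib", "/usr/lib"], LIB_RIGHTS)
    lock_down_execution(m, admin_role="Role Admin")
    return {
        "user_exec_init": m.allowed("General User", "/sbin/init", "EXECUTE"),
        "user_exec_rc_local": m.allowed("General User", "/etc/rc.local", "EXECUTE"),
        "user_map_libc": m.allowed("General User", "/lib/libc.so.6", "MAP_EXEC"),
        "user_exec_tmp": m.allowed("General User", "/tmp/dropped", "EXECUTE"),
        "admin_exec_tmp": m.allowed("Role Admin", "/tmp/dropped", "EXECUTE"),
        "user_write_init": m.allowed("General User", "/sbin/init", "WRITE_OPEN"),
        "installer_write_init": m.allowed("Installer", "/sbin/init", "WRITE_OPEN"),
        "user_write_tmp": m.allowed("General User", "/tmp/notes", "WRITE_OPEN"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The ordering in lock_down_execution mirrors the advice above: every other role loses EXECUTE and MAP_EXEC on the default type before the Role Admin does, so a mistake shows up while the administering role can still run the tools needed to undo it.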
ACL solution
- Grant rights SEARCH and EXECUTE to group 0 ('Everyone') for all identified directories
and files.
- If you need to READ_OPEN the files, e.g. libraries or scripts, add rights READ_OPEN and
CLOSE.
- For filename completion in the shell, you need the READ right, possibly also
GET_STATUS_DATA or GET_PERMISSIONS_DATA.
- Remove the EXECUTE right from the inheritance mask of the root directory /, or from all
entries in the default FD ACL.
- If you have individual ACL entries at any directory or file other than the identified
ones, revoke EXECUTE right from them. You can find all ACL entries with acl_tlist -r.
- As the SUPERVISOR right includes all other rights and can (usually) not be masked out,
all subjects with SUPERVISOR still have full access. In the standard setup, only user 400
(Security Officer etc.) has this right to the FD default ACL (and thus to all files, fifos
and directories).
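The ACL steps of both goals (inheritance masks and the 'Installers' entry for tamper protection; the group 0 entries, the root mask without EXECUTE and the revocation of stray EXECUTE entries here), as an added Python model that is not RSBAC's code. It assumes, following the text, that an object's effective rights for a subject are its own entry plus the parent's effective rights filtered through the object's inheritance mask, that the default FD ACL sits above /, that SUPERVISOR passes every mask and implies all rights, and that a user acts through its own entries, its groups' entries and group 0 'Everyone'. Group 0 and user 400 are taken from the text; the starting rights, gid 1234 for 'Installers', uids 1000/1001 and the pre-existing stray entry under /home are constructed.

```python
import posixpath

ALL_RIGHTS = frozenset({"SEARCH", "EXECUTE", "READ_OPEN", "WRITE_OPEN", "CLOSE", "READ",
                        "CREATE", "DELETE", "GET_STATUS_DATA", "GET_PERMISSIONS_DATA",
                        "SUPERVISOR"})
EVERYONE = ("group", 0)           # group 0 'Everyone', as named above
SECURITY_OFFICER = ("user", 400)  # user 400, as named above
INSTALLERS = ("group", 1234)      # group 'Installers'; the gid is constructed


def parent(path):
    return posixpath.dirname(path.rstrip("/")) or "/"


class ACLModel:
    """Simplified ACL model (per-object entries plus inheritance mask); not RSBAC's code."""

    def __init__(self, default_acl, group_members):
        self.default_acl = {s: set(r) for s, r in default_acl.items()}  # default FD ACL
        self.entries = {}                    # path -> {subject: set(rights)}
        self.mask = {}                       # path -> rights that may be inherited
        self.group_members = group_members   # gid -> set of uids

    def grant(self, path, subject, *rights):
        self.entries.setdefault(path, {}).setdefault(subject, set()).update(rights)

    def revoke(self, path, subject, *rights):
        self.entries.get(path, {}).get(subject, set()).difference_update(rights)

    def set_mask(self, path, *rights):
        self.mask[path] = set(rights)

    def effective(self, subject, path):
        """Own entry plus the parent's effective rights filtered through this object's mask."""
        own = self.entries.get(path, {}).get(subject, set())
        if path == "/":
            above = self.default_acl.get(subject, set())
        else:
            above = self.effective(subject, parent(path))
        mask = self.mask.get(path, ALL_RIGHTS)
        # SUPERVISOR passes every mask: the text says it (usually) cannot be masked out
        inherited = {r for r in above if r in mask or r == "SUPERVISOR"}
        return own | inherited

    def subjects_of(self, uid):
        groups = [("group", gid) for gid, members in self.group_members.items() if uid in members]
        return [("user", uid)] + groups + [EVERYONE]

    def allowed(self, uid, path, right):
        rights = set()
        for subject in self.subjects_of(uid):
            rights |= self.effective(subject, path)
        return "SUPERVISOR" in rights or right in rights

    def list_entries(self):
        """Every object carrying individual entries (what acl_tlist -r is used for above)."""
        return sorted(self.entries)


def standard_setup():
    """Constructed starting state: Everyone holds all rights but SUPERVISOR via the default
    FD ACL, user 400 holds SUPERVISOR there, and one stray individual entry already exists."""
    default_acl = {EVERYONE: ALL_RIGHTS - {"SUPERVISOR"}, SECURITY_OFFICER: {"SUPERVISOR"}}
    m = ACLModel(default_acl, group_members={1234: {1001}})
    m.grant("/home/user/bin", ("user", 1000), "EXECUTE", "WRITE_OPEN")  # pre-existing entry
    return m


def tamper_protection(objects):
    """ACL solution for 'protect all executables against tampering'."""
    m = standard_setup()
    for obj in objects:
        m.set_mask(obj, "SEARCH", "EXECUTE", "READ_OPEN", "CLOSE")       # steps 1 and 2
    m.grant("/sbin", INSTALLERS, "WRITE_OPEN", "CREATE", "DELETE")       # entry for 'Installers'
    return m


def execution_control(objects, revoke_strays=True):
    """ACL solution for 'protect against execution of uncontrolled files or libraries'."""
    m = standard_setup()
    for obj in objects:
        m.grant(obj, EVERYONE, "SEARCH", "EXECUTE", "READ_OPEN", "CLOSE")  # steps 1 and 2
    m.set_mask("/", *(ALL_RIGHTS - {"EXECUTE"}))                            # step 4
    if revoke_strays:                                                       # step 5
        for path in m.list_entries():
            if path not in objects:
                for subject in m.entries[path]:
                    m.revoke(path, subject, "EXECUTE")
    return m


def demo():
    objects = ["/sbin", "/bin", "/usr/bin", "/lib", "/usr/lib", "/etc/rc.local"]
    g1 = tamper_protection(objects)
    g2 = execution_control(objects)
    g2_unchecked = execution_control(objects, revoke_strays=False)
    return {
        "g1_user_exec_init": g1.allowed(1000, "/sbin/init", "EXECUTE"),
        "g1_user_write_init": g1.allowed(1000, "/sbin/init", "WRITE_OPEN"),
        "g1_installer_write_init": g1.allowed(1001, "/sbin/init", "WRITE_OPEN"),
        "g1_officer_write_init": g1.allowed(400, "/sbin/init", "WRITE_OPEN"),
        "g2_user_exec_init": g2.allowed(1000, "/sbin/init", "EXECUTE"),
        "g2_user_exec_tmp": g2.allowed(1000, "/tmp/dropped", "EXECUTE"),
        "g2_user_exec_stray": g2.allowed(1000, "/home/user/bin/tool", "EXECUTE"),
        "g2_unchecked_exec_stray": g2_unchecked.allowed(1000, "/home/user/bin/tool", "EXECUTE"),
        "g2_officer_exec_tmp": g2.allowed(400, "/tmp/dropped", "EXECUTE"),
        "g2_entries": g2.list_entries(),
    }
```

Two results deserve attention. The g2_unchecked value shows why step 5 exists: the root mask only filters what is inherited, so an individual entry further down that grants EXECUTE keeps working until it is found and revoked. The officer results show the SUPERVISOR caveat from both goals: user 400 passes every mask and every revocation, so the protection never applies to that subject.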
Questions, tips, etc.
28-May-02, -ao