[NT ACLS] Using the security.* namespace for NTACL considered improper
Stefan (metze) Metzmacher
metze at samba.org
Wed Jan 20 09:00:01 MST 2010
simo schrieb:
> On Wed, 2010-01-20 at 00:31 -0800, Jeremy Allison wrote:
>> On Wed, Jan 20, 2010 at 09:19:28AM +0100, Stefan (metze) Metzmacher wrote:
>>> simo schrieb:
>>>> Tridge, Jeremy,
>>>> I was following discussions on #samba-technical today and it came up
>>>> that we have started using security.NTACL as the namespace where to
>>>> store NT ACLs.
>>>>
>>>> Talking with Christoph Hellwig he said that security.* should *not* be
>>>> used as it is reserved for LSM modules (like SeLinux).
>>>>
>>>> Looking at man 5 attr this is briefly hinted indeed, and after further
>>>> discussion it became clear that we should used the trusted.* namespace
>>>> instead as this is what the man page says about it:
>>>>
>>>> Trusted extended attributes are visible and accessible only
>>>> to processes that have the CAP_SYS_ADMIN capability (the super
>>>> user usually has this capability). Attributes in this class
>>>> are used to implement mechanisms in user space (i.e., outside
>>>> the kernel) which keep information in extended attributes to
>>>> which ordinary processes should not have access.
>>>>
>>>>
>>>> I think we should comply, and start moving NTACL to from security.NTACL
>>>> to trusted.NTACL as soon as possible, before it get widely used.
>>>>
>>>> What do you think ?
>>> With trusted.* we need a become_root() each time we want to read the
>>> security descriptor.
>> We have to do that with security.* also - in fact we
>> already do :-).
>
> All we need for either security.* or trusted.* is SYS_CAP_ADMIN, so we
> could avoid become_root() if letting the process retain SYS_CAP_ADMIN
> does not have other unintended consequences.
Extended security attributes
The security attribute namespace is used by kernel security
modules, such as Security Enhanced
Linux. Read and write access permissions to security attributes
depend on the policy implemented
for each security attribute by the security module. When no
security module is loaded, all pro‐
cesses have read access to extended security attributes, and
write access is limited to processes
that have the CAP_SYS_ADMIN capability.
CAP_SYS_ADMIN is only needed for writing not reading and that is the
difference between security. and trusted.
metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 260 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100120/cd18e5b2/attachment.pgp>
More information about the samba-technical
mailing list