[NT ACLS] Using the security.* namespace for NTACL considered improper

Stefan (metze) Metzmacher metze at samba.org
Wed Jan 20 09:00:01 MST 2010

simo schrieb:
> On Wed, 2010-01-20 at 00:31 -0800, Jeremy Allison wrote:
>> On Wed, Jan 20, 2010 at 09:19:28AM +0100, Stefan (metze) Metzmacher wrote:
>>> simo schrieb:
>>>> Tridge, Jeremy,
>>>> I was following discussions on #samba-technical today and it came up
>>>> that we have started using security.NTACL as the namespace where to
>>>> store NT ACLs.
>>>> Talking with Christoph Hellwig he said that security.* should *not* be
>>>> used as it is reserved for LSM modules (like SeLinux).
>>>> Looking at man 5 attr this is briefly hinted indeed, and after further
>>>> discussion it became clear that we should use the trusted.* namespace
>>>> instead, as this is what the man page says about it:
>>>>         Trusted  extended  attributes  are  visible and accessible only
>>>>         to processes that have the CAP_SYS_ADMIN capability (the super
>>>>         user  usually has  this  capability).  Attributes in this class
>>>>         are used to implement mechanisms in user space (i.e., outside
>>>>         the kernel) which keep information in extended attributes to
>>>>         which ordinary processes should not have access.
>>>> I think we should comply, and start moving NTACL from security.NTACL
>>>> to trusted.NTACL as soon as possible, before it gets widely used.
>>>> What do you think?
>>> With trusted.* we need a become_root() each time we want to read the
>>> security descriptor.
>> We have to do that with security.* also - in fact we
>> already do :-).
> All we need for either security.* or trusted.* is SYS_CAP_ADMIN, so we
> could avoid become_root() if letting the process retain SYS_CAP_ADMIN
> does not have other unintended consequences.

   Extended security attributes
       The security attribute namespace is used by kernel security modules,
       such as Security Enhanced Linux.  Read and write access permissions
       to security attributes depend on the policy implemented for each
       security attribute by the security module.  When no security module
       is loaded, all processes have read access to extended security
       attributes, and write access is limited to processes that have the
       CAP_SYS_ADMIN capability.

CAP_SYS_ADMIN is only needed for writing, not reading, and that is the
difference between security.* and trusted.*.
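
The asymmetry described above (CAP_SYS_ADMIN gates writes to security.* but both reads and writes to trusted.*) can be observed directly with the probe below, an added example that is not Samba or kernel code. It assumes Linux with Python 3, a filesystem that carries both namespaces, and uses a constructed byte string in place of a real NT security descriptor.

```python
"""Probe security.* vs trusted.* xattr access for the calling process
(Linux only).  Added example; not Samba or kernel code."""
import errno
import os
import tempfile

SAMPLE_SD = b"constructed-ntacl-blob"  # constructed stand-in for an NT SD
NAMES = ("security.NTACL", "trusted.NTACL")  # names from the thread


def classify(err):
    """Map an OSError errno to the outcome a caller cares about."""
    if err in (errno.EPERM, errno.EACCES):
        return "denied"       # no CAP_SYS_ADMIN, or LSM policy refused
    if err == errno.ENOTSUP:
        return "unsupported"  # filesystem does not carry this namespace
    if err == errno.ENODATA:
        return "absent"       # call allowed, attribute not present
    return "error:%d" % err


def try_op(opname, *args):
    """Run os.<opname>(*args); return 'ok' or the classified failure."""
    fn = getattr(os, opname, None)  # xattr calls exist only on Linux
    if fn is None:
        return "unsupported"
    try:
        fn(*args)
        return "ok"
    except OSError as e:
        return classify(e.errno)


def probe(path, name, value=SAMPLE_SD):
    """Attempt a write, then a read, of one attribute on path."""
    return {"write": try_op("setxattr", path, name, value),
            "read": try_op("getxattr", path, name)}


def probe_all(names=NAMES):
    """Probe each name on a fresh temp file and return {name: result}."""
    with tempfile.NamedTemporaryFile() as f:
        return {n: probe(f.name, n) for n in names}


if __name__ == "__main__":
    # Unprivileged, no LSM: security.* write is 'denied' but read allowed
    # ('absent'); trusted.* refuses both, and current kernels return ENODATA
    # for the refused read, so 'absent' can mean 'not permitted' there.
    # With CAP_SYS_ADMIN (e.g. root) both namespaces report ok/ok.
    for name, r in probe_all().items():
        print("%-15s write=%-11s read=%s" % (name, r["write"], r["read"]))
```

Run it once as an ordinary user and once with CAP_SYS_ADMIN to see which namespace a become_root() is actually needed for.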

