Re: Errors in the FreeBSD handbook (MAC framework)

On Tue, 9 May 2006 18:22:05 +0200
Borja Marcos <borjamar@xxxxxxxxxx> wrote:

(crossposted to freebsd-security just in case someone has to slap me) :)


Hello,

I'm doing some work with the MAC subsystem in FreeBSD, and I have
spotted some errors in the MAC documentation in the handbook.

1- Section 15.14.4. Error in the example dropping users "nagios" and
"www" into the insecure class. The example uses the command "pw
usermod nagios -L default" when it should obviously be "pw usermod
nagios -L insecure". The same holds for the "www" user.

2- Section 15.14.6.

The example script launches the commands "apachectl", and "/usr/local/
etc/rc.d/nagios.sh" with the label biba/10, but they should be
launched with the label biba/10(10-10).

I've defined the "default" login class with a label of "biba/high". I
login at the machine as root, and...

-----
# getpmac
biba/high(low-high)
# setpmac biba/low getpmac
biba/low(low-high)
# setpmac biba/low setpmac biba/high getpmac
biba/high(low-high)


So, if I launch a process with a "setpmac biba/low", it actually
inherits a label of "biba/low(high-low)", being able to recover its
biba/high setting, something that wouldn't be desirable. However,
launching it with a label of "biba/low(low-low)" effectively
downgrades the process forever

# setpmac "biba/low(low-low)" getpmac
biba/low(low-low)
# setpmac "biba/low(low-low)" setpmac biba/high getpmac
biba/high: Operation not permitted

Yea, I'm still in the process of doing updates to this chapter,
sorry for the current issues. :(

--
Tom Rhodes
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"