On Mon, Nov 12, 2007 at 03:50:59PM -0800, Crispin Cowan wrote: > Dr. David Alan Gilbert wrote: > > * Crispin Cowan ([email protected]) wrote: > > > >> I mostly don't see this as a serious limitation, because almost everyone > >> has their own workstation, and thus has root on that workstation. There > >> are 2 major exceptions: > >> > >> * Schools, where the "workstations" are thin client X terminals and > >> everyone is logged into a giant shared machine. Sorry, AppArmor is > >> not a good choice for that environment, but it is a pretty scarce > >> environment. > >> * Enterprises, where workers get their own workstation, but they > >> don't get root. Well, the reason the worker doesn't get root is > >> the enterprise doesn't trust them with it, and so not letting them > >> edit security policy is probably a good idea. > >> > > I don't actually see your distinction here between those two environments; > > why does it matter if there is one non-priveliged user or many? > > > Because it is easier to solve if there is only one non-privileged user: > you just give them privilege (fun with chmod and sudo) to edit the > system policies, and you're done (assuming you are happy allowing the > non-privileged user to edit policy at all). > > If there are lots of non-privileged users sharing a computer, then I > submit that solutions are either insecure, intractable, or purely > restrictive. > yep, it needs to be purely restrictive > >> Can you explain why you want a non-privileged user to be able to edit > >> policy? I would like to better understand the problem here. > >> > > I think it might depend on how strict the users starting point is; > > you could say: > > 1 This document editor can read and write any part of the users home > > directory other than the . files. > > > > or you could say: > > 2 This document editor can read any files but only write to the > > 'Documents directory'. > > > > If the adminisrator set something up with (2) as the starting point it > > would seem reasonable for the user to be able to add the ability to edit > > documents in extra directories for their style of organising documents > > they work on; but they would be restricted in what they could add > > so that they couldn't add the ability to write to their settings > > files. > > > Ok, I can see where that would be useful in theory. But solving it is > VERY hard in practice, and AppArmor is not attempting to address this > problem of user extensibility of mandatory access controls. > Well at least its not on Crispin's list. It is something I have been interested in for a long time. I can't say when or it will happen as I need to find some, ever elusive, spare time to work on it.
Attachment:
pgpkbXQHHI2Fq.pgp
Description: PGP signature
- References:
- AppArmor Security Goal
- From: Crispin Cowan <[email protected]>
- Re: AppArmor Security Goal
- From: "Dr. David Alan Gilbert" <[email protected]>
- Re: AppArmor Security Goal
- From: Crispin Cowan <[email protected]>
- Re: AppArmor Security Goal
- From: "Dr. David Alan Gilbert" <[email protected]>
- Re: AppArmor Security Goal
- From: Crispin Cowan <[email protected]>
- Re: AppArmor Security Goal
- From: "Dr. David Alan Gilbert" <[email protected]>
- Re: AppArmor Security Goal
- From: Crispin Cowan <[email protected]>
- AppArmor Security Goal
- Prev by Date: Re: 2.6.24-rc2: Reported regressions from 2.6.23 (updated)
- Next by Date: [PATCH] NFSD: fix wrong mnt_writer count in rename (MMOTM 2007-11-10-19-05)
- Previous by thread: Re: AppArmor Security Goal
- Next by thread: Re: AppArmor Security Goal
- Index(es):
 |