similar to: mac questions: stopping root from reading /home && mac_biba stops clean shutdown

FreeBSD 5.1-RELEASE Hi, I'm examining Biba and MLS MAC policies and something is not clear for me. Unless I'm doing something wrong, it seems policies are enforced only for reading, but not writing. 1) Biba I've created test file with biba/127 label: $ echo "Message" > file_biba_127.txt $ setfmac biba/127 file_biba_127.txt $ getfmac file_biba_127.txt

Hello, Are there many people actually using the MAC subsystem in the real world? I have been working to set up a shared hosting webserver and I've stumbled against some limitations with the BIBA policy. In short, it's an excellent model, and can be used succesfully if applications are aware of its existance, but I find it incompatible with the real-world needs in Unix, and,

FreeBSD version: 5.1-RELEASE Hi, I'm quite new to FreeBSD. I've check list archives and read a handbook, but I didn't find solution to my problem and I hope this is not off-topic. I've installed 5.1-RELEASE, enabled ACLs on the filesystems and I wanted to test MAC features. I'm also new to MAC, so perhaps this is some my mistake. When I enable mac_biba or mac_lomac (in

Hello, I've been looking at the different MAC modules available and how they cold help to implement a less insecure than usual shared hosting web server. I've not been able to come up with a suitable configuration, looking at mac_bsdextended, mac_biba and mac_mls, but I think that a MAC module with the following policies could be very useful for such an environment. Have I

(crossposted to freebsd-security just in case someone has to slap me) :) Hello, I'm doing some work with the MAC subsystem in FreeBSD, and I have spotted some errors in the MAC documentation in the handbook. 1- Section 15.14.4. Error in the example dropping users "nagios" and "www" into the insecure class. The example uses the command "pw usermod nagios -L

A bit of a background: I've been experimenting with LOMAC labels on a 9.1-RELEASE test system. To get the dynamic IP assigned to the machine, I tried following recipe: set the label for /sbin/dhclient to lomac/high[low]. This gets the job done, but there were a few problems: first of all, this label does not seem to persist after a reboot - I have not yet found a reasonable explanation

Hi List! Don't see much discussion about MAC here, time to change that! :-) Currently trying to set up a service jail, according to instructions in the handbook[1]. The problem I'm facing is that nullfs does not seem to support multilabeled filesystems, or am i missing something? ls -lZ /usr/js/testjail/var/run/test -rw-r--r-- 1 root wheel biba/equal 0 Feb 6 17:15

I`m folowing the steps on the unofficial Samba how to. I already join my WinXP box to the domain but I can`t login from my WinXP box after restart. There is an error message that sais: Windows can`t connect to the domain because the domain controller is unable or I`m using Samba-2.2.7a on red hat 9.0 with kernel 2.4.20-18.9 this is my smb.conf [global] domain logons = yes

--NoDisclaim-- I cant use an editor to mass update and change usernames as this is a part of an automatic useradd routine written in an ancient legacy application which calls useradd and usermod, we have been using this software for more than 15 years, so its hard for me to argue for a rewrite, so im forced to bend the OS instead it isnt a problem on redhat 8.0, so somewhere in the patches for

Hello Almighty All, I am trying to get the LoMAC module revoke user's privileges. In my test setup, the user with a higher clearance tries to open a lower clearance file for reading. After that the process label of the user's process is checked. As a final test, the user's process tries to write to a file with the higher integrity label. And he succeeds. Please find my test setup

Can someone clear something up for me? [[[ # For apache to read user files, the ruleadd must give # it permissions by default. #### ${CMD} add subject uid 80 object not uid 80 mode rxws; ${CMD} add subject gid 80 object not gid 80 mode rxws; ]]] Doesn't the above mean that an apache user (eg, user-supplied CGI process, PHP script, etc) has the ability to read (and write!) anything in the

Hi all, I need to give a group of users access to a file share that I am sharing via samba. In smb.conf I am using something similar to; [accts] comment = Accounts Dept Share path = /usr/local/share/accounts valid users = @accounts public = no writable = yes printable = no create mask = 0765 The valid users line says who can access this share: "@accounts". I

Hey everyone, I'm hoping someone can point me in the right direction. I'm running a 6.1 box with mac_bsdextended compiled. I've created my ugidfw rules, and all seems well in the universe. I've got rules set up so the web process uid 80 and gid 80 can only read uid 1010 and gid 1010 owned files. When the web server tries to do something else, it throws an error such as:

Dear All, I am a student enrolled google summer code 2007. My job is to write security regression testsuites for FreeBSD under the guidance of my mentor Dr. Robert Watson. Under his encourage, I write following request for comments RFC :-) ////////////////////////////////////////////////////////////// What I plan to do: 1) to test the stability of Mandatory Access Control and Audit

Dear Sirs. It seems to me a never ending story. We run a box with a TYAN Thunder 2500 Dual SMP mainboard, 2GB ECC Tyan certified memory, AMI Enterprise 1600 RAID adapter and additional Intel 1000/Pro server type (64 bit) GBit LAN NIC. With FreeBSD 4.8 this was stable, but to achive this state was really hard! It is a story similar to that what happend when we changed towards FreeBSD

Hello mailing list! I have been working with XCP a little bit, and I have the impression that this distro is insecure. First, it does not look like update repositories are enabled inside /etc/yum.repos.d, although I''m from an apt background so I may be misinterpreting that. Where will my security updates come from? Next, it appears that the root password hash is directly stored inside