LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Trustees Linux

Trustees Linux

Posted Nov 18, 2004 2:42 UTC (Thu) by aeruder (guest, #22597)
Parent article: Trustees Linux

Just a small comment on the CAP_DAC_OVERRIDE capability. Unfortunately linux security modules cannot actually -add- permissions. If unix permissions fail, then the security module inode_permission is not even consulted. Its a hack, but what can I do?

(Log in to post comments)

Trustees Linux

Posted Nov 19, 2004 23:11 UTC (Fri) by smeg4brains (guest, #207) [Link]

We use trustees on our current file server and have really liked it. It's nice that there's one central location that we can use to audit the permissions of our entire file server. They're quick, they use virtually no disk space aside from the text file that stores the permissions (the same can't be said for acl's and their extended attributes), they're simple to install and use, and they work no matter what filesystem you're using.

The downsides: The documentation that has historically existed for them has been not so hot, and I've never had much luck trying to get answers from the original developer (even when my company was hoping to pay him to extend part of his software). It's really great to see someone else working on them. On our old fileserver, the "clear" attribute either never worked properly or reliably, or it was never intended to do what we thought it was. It was never possible for us to tell, since the documentation never really made it clear at all.

I think the CAP_DAC_OVERRIDE hack is just fine. I'm sure there's no other way to add permission capabilities. The only other option for a setup like ours would be to chmod -R 777 *, and then use trustees to remove permissions again, but then we always end up running into problems where some files got put there later, but without 777 and then someone can't read it. It's nice actually to have the permissions be dependant on a files location in the tree.

One last downside. At least on our version of trustees (and I'm guessing all versions), if you try to grant full rights to a tree, but then have one subdirectory that has tighter permissions, then you end up with no *real* security at all. A person can go up to a higher directory, rename the directory to something else, and the trustee permissions no longer apply. It would be nice if there were some check on directory renaming that could catch this sort of thing and prevent the rename. Maybe a bit that gets flipped on the dentry that marks it as dirty meaning that there is a trustee setting somewhere below, and the directory rename could be denied.

Trustees Linux

Posted Nov 24, 2004 2:51 UTC (Wed) by aeruder (guest, #22597) [Link]

I had not thought of this situation. I did do a some work in this one
preventing a similar thing with making hard links. I will see what can be
done about this situation as well.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds