Rule set based access control

SELinux has become, to many, the mechanism for high-security Linux deployments. The SELinux framework is considered sufficiently powerful, flexible, and universal that some developers have contemplated removing the Linux security module (LSM) interface altogether. When SELinux does everything, why have hooks for anything else? The fact of the matter, however, is that SELinux is not the only high-security approach out there. On September 27, version 1.2.5 of the Rule Set Based Access Control (RSBAC) patch was released. RSBAC has been around for several years, but it has never quite achieved the prominence of SELinux.

Like SELinux, RSBAC inserts hooks throughout the kernel source. RSBAC does not use the LSM framework, however. This page explains why; in short, the RSBAC developer (Amon Ott) does not like how LSM exposes kernel internals to security modules, and the LSM hooks are not nearly extensive enough for RSBAC. In fact, RSBAC adds hooks in many places (individual device drivers, for example) where LSM does not tread. RSBAC hooks can also change system state in ways not allowed with the LSM framework.

With the hooks in place, RSBAC allows for several different access control regimes, all of which can be mixed and matched as desired. Available options include:

  • Authenticated user: essentially a list of user IDs which may be assumed by each process on the system. This module is required by most other RSBAC security schemes.

  • User management: a replacement for the PAM and shadow mechanisms which moves most of the user and group management tasks into the kernel.

  • Role compatibility: assigns roles to users and programs, and ensures that they match at run time.

  • Access control lists: a variant of file ACLs which can take additional RSBAC features (such as roles) into account.

  • Mandatory access control: assigns security levels to processes and objects, and prevents access between different levels.

  • Dazuko: a specialized interface for virus scanning applications. Dazuko creates a special purpose device which can be used to intercept file accesses; malware scans can then be performed before the access is allowed to succeed. There is a ClamAV interface to Dazuko.

There are several other models available; see the RSBAC models page for the full list. One thing that should be clear is that the RSBAC framework has been used to implement a wide variety of access control mechanisms. The project's long history suggests a stable user base, and RSBAC has been adopted by some distributions (including the Adamantix (formerly "Trusted Debian") and Hardened Gentoo projects). The non-LSM approach seems likely to keep RSBAC out of the mainline kernel indefinitely (nobody is even proposing merging it), but RSBAC appears to be a viable option regardless.
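As an added illustration of how the modules listed above stack (example code written for this page, not taken from the RSBAC patch), the following model checks a file access against simplified Role compatibility and Mandatory access control modules and a uid change against an Authenticated user list; the combining rule that any single module's denial rejects the request is an assumption of the example, as are the field names and the equal-levels-only MAC rule.

```c
#include <stdbool.h>
#include <string.h>
/* Added illustration, not RSBAC's own code: each enabled module votes on a
 * request independently, and a single NOT_GRANTED denies it (assumed rule).
 * Module semantics follow the page's one-line descriptions, simplified. */
enum decision { GRANTED = 0, NOT_GRANTED = 1 };

struct subject {
    int uid;                 /* current uid of the process */
    const char *role;        /* role assigned to the process (RC) */
    int level;               /* security level of the process (MAC) */
    const int *allowed_uids; /* uids this process may assume (AUTH) */
    int n_allowed;
};

struct object {
    const char *role_required; /* role that may use the object (RC) */
    int level;                 /* security level of the object (MAC) */
};

/* AUTH: a uid change is allowed only to a uid on the process's list. */
enum decision auth_check(const struct subject *s, int target_uid)
{
    for (int i = 0; i < s->n_allowed; i++)
        if (s->allowed_uids[i] == target_uid)
            return GRANTED;
    return NOT_GRANTED;
}

/* RC: the process role must match the role required by the object. */
enum decision rc_check(const struct subject *s, const struct object *o)
{
    return strcmp(s->role, o->role_required) == 0 ? GRANTED : NOT_GRANTED;
}

/* MAC: no access across different security levels (equal levels only). */
enum decision mac_check(const struct subject *s, const struct object *o)
{
    return s->level == o->level ? GRANTED : NOT_GRANTED;
}

/* Stacked decision for a file access: every enabled module must grant. */
enum decision decide_access(const struct subject *s, const struct object *o,
                            bool rc_on, bool mac_on)
{
    if (rc_on && rc_check(s, o) == NOT_GRANTED) return NOT_GRANTED;
    if (mac_on && mac_check(s, o) == NOT_GRANTED) return NOT_GRANTED;
    return GRANTED;
}
```

Disabling a module (passing false) shows why a mixed configuration must still be audited as a whole: an object the role model would protect becomes reachable when only MAC is enabled.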

Brief items

RHEL 5 going for Common Criteria EAL 4 rating

Red Hat (along with IBM and Trusted Computer Solutions) has announced that the upcoming release of Red Hat Enterprise Linux is being evaluated for Common Criteria EAL 4 certification. "This CCEVS evaluation means Red Hat Enterprise Linux will reach a level of security previously achieved by only a handful of trusted operating systems. Red Hat Enterprise Linux is now positioned to provide best-of-breed security capabilities for commercial operating systems, offering the government, as well as businesses, unprecedented choice for security applications."

PwnZilla 5 Exploits IDN Link Buffer Overflow (MozillaZine)

MozillaZine reports that a working exploit for the Firefox IDN link buffer overflow vulnerability has been developed. "The PwnZilla 5 code takes advantage of the international domain name (IDN) link buffer overflow flaw, details of which were published earlier this month. The weblog post says that the exploit code "could let attackers take complete control over computers cruising the Web with unpatched versions of the Firefox Internet browser". Previous public exploits for the vulnerability have been basic proof-of-concepts that simply crash the browser."

New vulnerabilities

courier: missing input sanitizing

Package(s): courier
CVE #(s): CAN-2005-2820
Created: September 26, 2005
Updated: October 11, 2005
Description: Jakob Balle discovered that with "Conditional Comments" in Internet Explorer it is possible to hide javascript code in comments that will be executed when the browser views a malicious email via sqwebmail. Successful exploitation requires that the user is using Internet Explorer.
Ubuntu USN-201-1 courier 2005-10-11
Debian DSA-820-1 courier 2005-09-24

cups: denial of service

Package(s): cups
CVE #(s): CAN-2005-2874
Created: September 22, 2005
Updated: September 28, 2005
Description: CUPS has a vulnerability that can be triggered by processing corrupted HTTP requests. A remote user can use this to cause a denial of service.
Red Hat RHSA-2005:772-01 CUPS 2005-09-27
Fedora FEDORA-2005-908 cups 2005-09-22

firefox: multiple vulnerabilities

Package(s): firefox
CVE #(s): CAN-2005-2701 CAN-2005-2702 CAN-2005-2703 CAN-2005-2704 CAN-2005-2705 CAN-2005-2706 CAN-2005-2707 CAN-2005-2968
Created: September 22, 2005
Updated: February 15, 2006
Description: The Firefox browser has multiple vulnerabilities including problems with XBM image file processing, Unicode sequence processing, XMLHttp requests, malicious XBL binding, a JavaScript engine buffer overflow, about: pages, opening of new windows, and command line URL processing.
Slackware SSA:2006-045-02 firefox 2006-02-15
Fedora-Legacy FLSA:168375 mozilla 2006-01-09
Ubuntu USN-200-1 mozilla-thunderbird 2005-10-11
Ubuntu USN-155-3 package to fix several 2005-10-04
Debian DSA-838-1 mozilla-firefox 2005-10-02
Gentoo GLSA 200509-11:02 mozilla 2005-09-18
SuSE SUSE-SA:2005:058 mozilla,MozillaFirefox 2005-09-30
Mandriva MDKSA-2005:170 mozilla 2005-09-26
Mandriva MDKSA-2005:169 mozilla-firefox 2005-09-26
Slackware SSA:2005-269-01 mozilla 2005-09-26
Fedora FEDORA-2005-934 epiphany 2005-09-26
Fedora FEDORA-2005-933 devhelp 2005-09-26
Fedora FEDORA-2005-932 mozilla 2005-09-26
Fedora FEDORA-2005-931 firefox 2005-09-26
Fedora FEDORA-2005-930 yelp 2005-09-26
Fedora FEDORA-2005-929 epiphany 2005-09-26
Fedora FEDORA-2005-928 devhelp 2005-09-26
Fedora FEDORA-2005-927 mozilla 2005-09-26
Fedora FEDORA-2005-926 firefox 2005-09-26
Ubuntu USN-186-2 mozilla-firefox 2005-09-25
Ubuntu USN-186-1 mozilla, mozilla-firefox 2005-09-23
Red Hat RHSA-2005:789-01 mozilla 2005-09-22
Red Hat RHSA-2005:785-01 firefox 2005-09-22

HelixPlayer: arbitrary code execution

Package(s): HelixPlayer
CVE #(s): CAN-2005-2710
Created: September 27, 2005
Updated: October 10, 2005
Description: A format string bug was discovered in the way HelixPlayer processes RealPix (.rp) files. It is possible for a malformed RealPix file to execute arbitrary code as the user running HelixPlayer.
SuSE SUSE-SA:2005:059 RealPlayer 2005-10-10
Gentoo 200510-07 realplayer 2005-10-07
Debian DSA-826-1 helix-player 2005-09-29
Fedora FEDORA-2005-941 HelixPlayer 2005-09-27
Fedora FEDORA-2005-940 HelixPlayer 2005-09-27
Red Hat RHSA-2005:762-02 RealPlayer 2005-09-27
Red Hat RHSA-2005:788-01 HelixPlayer 2005-09-27

kernel: buffer overflow

Package(s): kernel
CVE #(s): CAN-2005-2490 CAN-2005-2492
Created: September 22, 2005
Updated: October 5, 2005
Description: The Linux kernel has a stack-based buffer overflow problem in the sendmsg function. Local users may use this to execute arbitrary code.
Red Hat RHSA-2005:514-01 kernel 2005-10-05
Mandriva MDKSA-2005:171 kernel 2005-10-03
Fedora FEDORA-2005-906 kernel 2005-09-22
Fedora FEDORA-2005-905 kernel 2005-09-22

kernel: DoS vulnerabilities

Package(s): kernel
CVE #(s): CAN-2005-1767 CAN-2005-3044
Created: September 26, 2005
Updated: September 28, 2005
Description: A Denial of Service vulnerability was detected in the stack segment fault handler. A local attacker could exploit this by causing stack fault exceptions under special circumstances (scheduling), which lead to a kernel crash. (CAN-2005-1767)

Vasiliy Averin discovered a Denial of Service vulnerability in the "tiocgdev" ioctl call and in the "routing_ioctl" function. By calling fget() and fput() in special ways, a local attacker could exploit this to destroy file descriptor structures and crash the kernel. (CAN-2005-3044)

Red Hat RHSA-2005:663-01 kernel 2005-09-28
Ubuntu USN-187-1 linux-source-2.6.10, linux-source- 2005-09-25

opera: script insertion attacks

Package(s): opera
CVE #(s): CAN-2005-3006 CAN-2005-3007
Created: September 26, 2005
Updated: September 28, 2005
Description: Attached files are opened without any warning directly from the user's cache directory. This can be exploited to execute arbitrary JavaScript in the context of "file://". Normally, filename extensions are determined by the "Content-Type" in Opera Mail. However, by appending an additional '.' to the end of a filename, an HTML file could be spoofed to appear as, for example, "image.jpg.". These two vulnerabilities combined may be exploited to conduct script insertion attacks if the user chooses to view such an attachment, resulting for example in disclosure of local files. These are fixed in Opera 8.50.
SuSE SUSE-SA:2005:057 opera 2005-09-26

qt: buffer overflow in zlib

Package(s): qt
CVE #(s):
Created: September 26, 2005
Updated: September 28, 2005
Description: Qt links to a bundled vulnerable version of zlib when emerged with the zlib USE-flag disabled. This may lead to a buffer overflow. By creating a specially crafted compressed data stream, attackers can overwrite data structures for applications that use Qt, resulting in a Denial of Service or potentially arbitrary code execution.
Gentoo 200509-18 qt 2005-09-26

webmin, usermin: remote code execution through PAM authentication

Package(s): webmin usermin
CVE #(s): CAN-2005-3042
Created: September 26, 2005
Updated: October 7, 2005
Description: Keigo Yamazaki discovered that the webserver, used in both Webmin and Usermin, does not properly validate authentication credentials before sending them to the PAM (Pluggable Authentication Modules) authentication process. The default configuration shipped with Gentoo does not enable the "full PAM conversations" option and is therefore unaffected by this flaw.
Mandriva MDKSA-2005:176 webmin 2005-10-07
Gentoo 200509-17 webmin 2005-09-24

Page editor: Jonathan Corbet

Copyright © 2005, Eklektix, Inc.