Results 1 to 7 of 7

Thread: beyond root

  1. #1
    Join Date
    Oct 2001

    beyond root

    i was thinking last night........ i was working on getting the SELinux that the NSA puts out to try it out and see if its got anything that might be usefull to implement...... what i was wondering was if there was some kind of...... hmmmm i know about root and all, but is there some way to make files accessable only to a spacific user, kinda like a higher form of root, nobody can view it, not even root, not even anyone in the same classification as you, just you. you are the only one that has control over that file. nobody else.

    i dont think that this exists but i was just curious if it did or not and how i would go about trying to implement it?

  2. #2
    Join Date
    Mar 2002
    look at a company called argus - they make a product called pitbull LX. This product was originally designed and intended for use in large financial institutions and government, however Argus has developed a product that can be used in the enterprise space.

    From their website:

    Isolates processes from each other and from each other's files unless explicitly allowed by the security policy, regardless of User or Group ID.

    Root Control
    Root is all-powerful on a typical Unix system. With PitBull it is possible to restrict this user as a regular user.

    Domain Based Access Control
    Unique form of Mandatory Access Controls able to support 4 types of access control : user, file, network, and process.

    File Security Flags
    Security flags can be placed on files to dictate specific behaviors. Flags are a flexible and easy tool to implement system-wide security policies and restrict superuser privileges

    Process Security Flags
    File execution flags define process interaction, including whether a process may act on a file or network object or whether a process should be subjected to additional pre-defined restrictions. They provide a simple, flexible method to implement system-wide security policies.

    more at their website - www.argus-systems.com

    freedom is a road seldom traveled by the multitude

    freedom aint free

  3. #3
    LogOff: Well, such a thing is very easy to implement in kernel space (any one can patch open() to only allow certain users to read certain files with certain properties). Go to phrack.com, they have various articles on dynamically patching the Linux kernel ("Weaking the Linux Kernel").

  4. #4
    Join Date
    Oct 2001
    ok, pitbull looks like a bit on the expensive side and seems only to be used for lessening roots access, i havent looked at phrack yet tho.

    any one know about SELinux? the kernal patch the the NSA puts out? just like a quick summary? whats its got over the other 18 kernals, along these lines spacificaly, or any others?

  5. #5
    Senior Member
    Join Date
    Apr 2002
    I think you are looking in to something called "Trusted UN*X" (both Sun and HP have versions, as I'm sure do others). There are a few versions of this and, as others have pointed out, Argus makes a /great/ product called Pitbull -- it's completely orange-book compliant (B2 level security) and, well... "root just ain't root anymore." For a long time after install, it seems you can't do much on that box without "blowing the lid" on it.

    I believe there are also "free" tools out there to help you build kernels and systems such that they're C2 or C1 compliant... don't recall any that take it to B-level, however.

    Argus/Pitbull supports complete compatmentalization of users, processes and everything in-between. It really is an awesome product - but it is not for the feignt of heart.
    \"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take affect. Reboot now?\"

  6. #6
    Join Date
    Oct 2001
    awe hell, orange book if the one that......... does it..... damn it s been to long sence i read it

  7. #7
    Senior Member roswell1329's Avatar
    Join Date
    Jan 2002
    any one know about SELinux? the kernal patch the the NSA puts out? just like a quick summary? whats its got over the other 18 kernals, along these lines spacificaly, or any others?
    LogOff -- From what I understand, SELinux has no root account -- that's probably the biggest difference. Here's the link to it:

    /* You are not expected to understand this. */

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts