Skip top menus
National Security Agency and Central Security Service with agency logos.NSA/CSS Memorial Wall
Home    About NSA    Research    Business    Careers    Public Info    History
Introduction to Research    Security-Enhanced Linux    Information Assurance Research    Technology Transfer    Publications    Related Links

>>SELinux Mailing List: by thread

Search
What's new?
Contents
Overview
What's New
Frequently Asked Questions
Background
Documentation
License
Download
Participating
Mail List
Archive Summary
Archive by Thread
Archive by Author
Archive by Date
Archive by Subject
Remaining Work
Contributors
Related Work
Press Releases
  • Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
From: Russell Coker <russell_at_coker.com.au>
subject: su etc
Date: Sat, 22 Dec 2001 22:18:03 +0100
  • This message: [ Message body ]
  • Next message: Russell Coker: "automake for Debian packages"
  • Previous message: Stephen Smalley: "[PATCH] avc_enforcing (Was: Re: Question)"
  • Next in thread: Stephen Smalley: "Re: su etc"
  • Reply: Stephen Smalley: "Re: su etc"


At the moment I'm trying to compile the shadow password programs from Julianne Frances Haugh (as used in Debian for /bin/login and friends) with SE support.

I've got login almost working (I think) but haven't tested it yet (anyone who's interested in seeing what I'm doing please contact me off the list - I'm not publishing untested patches).

I'm now thinking about what to do with su. Should su change the security of the tty with chsid() before spawning a new shell and then change it back afterwards as login does? Or is there some difference in the way that su and login work that requires some different code?

-- 

http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page

--

You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: su etc
Date: Thu, 27 Dec 2001 09:07:35 -0500 (EST)
  • This message: [ Message body ]
  • Next message: Filip Brcic: "Happy New Year!!! --- Srecna Nova Godina!!!"
  • Previous message: Russell Coker: "Debian packages of SE Linux update"
  • In reply to: Russell Coker: "su etc"

On Sat, 22 Dec 2001, Russell Coker wrote:

> I'm now thinking about what to do with su. Should su change the security of
> the tty with chsid() before spawning a new shell and then change it back
> afterwards as login does? Or is there some difference in the way that su and
> login work that requires some different code?

We intentionally chose to not modify the su program for SELinux. Hence, su only changes the Linux identity attributes, not the SELinux security context. su is most commonly used to obtain Linux capabilities for administrative tasks by becoming the superuser, but this merely reflects a change in privilege, not a real change in the user who is performing the tasks. We would prefer to leave the SELinux user identity unmodified for user accountability in this case. 

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
  • Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:54 EDT

Information Assurance | Signals & Intelligence        Links | Accessibility | Privacy & Security