Back to reality

jorge severino severino.jorge at gmail.com
Thu Oct 27 10:06:58 CLST 2005


An excerpt...

In BSD, access to the filesystem depends on an additional global flag
called a securelevel. It is a one-way street: as soon as a securelevel
is set it cannot be decremented. At higher securelevels, not even root
can access the disk directly, which is a classic method of bypassing
all other protection mechanisms as long as one has root access. In
some sense securelevels are similar to runlevels.

OpenBSD, like Solaris 10, has a role-based system call access manager.
Like Solaris 10 RBAC, the OpenBSD systrace policies define which users
and programs can access which files and devices in a manner completely
independent of UNIX permissions. This approach can help to diminish
risks associated with poorly written or exploitable applications.
While defining such policies is not a simple task either in Solaris or
OpenBSD, OpenBSD has an advantage because systrace has been around for
a long time and there are online repositories with systrace sample
policies (see for example Project Hairy Eyeball). Also, systrace
includes a policy-generation tool listing every system call available
to the application for which the policy is being generated. Although
an experienced system administrator could probably still tighten the
security of the system by refining the default policy generated by the
tool, the defaults are often secure enough for most uses.

Linux replicated BSD-style attributes in the ext2fs filesystem, but they
are implemented incorrectly, as the key idea behind the BSD solution
(attributes are not UID-associated privileges, but run-level-associated
privileges) is missing. BTW, that's really Windows-style behavior.
Here is the list of ext2fs attributes:

   1. A (no Access time): if a file or directory has this attribute
set, whenever it is accessed, either for reading or for writing, its
last access time will not be updated. This can be useful, for example,
on files or directories which are very often accessed for reading,
especially since this parameter is the only one which changes on an
inode when it's opened read-only.
   2. a (append only): if a file has this attribute set and is open
for writing, the only operation possible will be to append data to its
previous contents. For a directory, this means that you can only add
files to it, but not rename or delete any existing file. Only root can
set or clear this attribute.
   3. d (no dump): dump(8) is the standard UNIX utility for backups.
It dumps any filesystem for which the dump counter is 1 in /etc/fstab
(see chapter "Filesystems and Mount Points"). But if a file or
directory has this attribute set, unlike others, it will not be taken
into account when a dump is in progress. Note that for directories,
this also includes all subdirectories and files under it.
   4. i (immutable): a file or directory with this attribute set
simply cannot be modified at all: it cannot be renamed, no further
link can be created to it [1] and it cannot be removed. Only root can
set or clear this attribute. Note that this also prevents changes to
access time, therefore you do not need to set the A attribute when i
is set.
   5. s (secure deletion): when a file or directory with this
attribute set is deleted, the blocks it was occupying on disk are
written back with zeroes.
   6. S (Synchronous mode): when a file or directory has this
attribute set, all modifications on it are synchronous and written
back to disk immediately.

There is a third-party patch for the 2.6 kernel that makes the behavior
identical to BSD (see Linux-Kernel Archive: [PATCH] BSD Secure Levels
LSM (1-3)). See also Improving the Unix API.

(apply the patch)
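As an added illustration of the ext2fs attribute list quoted above (not code from the post or from any project it mentions), the small C audit tool below reads a file's per-inode flags with the FS_IOC_GETFLAGS ioctl from <linux/fs.h> and renders them with the same letters the excerpt uses, flagging inodes that carry the two tamper-protection bits (a, i). It assumes a Linux host and a filesystem that implements the ioctl (ext2/3/4 do; many tmpfs mounts do not).

```c
/* Added example: decode the ext2fs per-inode attributes A, a, d, i, s, S
 * as listed in the quoted excerpt.  Reading the flags needs no privilege;
 * changing the a/i bits needs CAP_LINUX_IMMUTABLE, which root holds, so on
 * Linux they do not give the one-way guarantee of a BSD securelevel. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/fs.h>

/* Flag bit -> letter, in the order the excerpt lists them.
 * lsattr(1) prints the same letters but in a different order. */
static const struct { unsigned long bit; char letter; } attr_table[] = {
    { FS_NOATIME_FL,   'A' },   /* no access time update          */
    { FS_APPEND_FL,    'a' },   /* append only                    */
    { FS_NODUMP_FL,    'd' },   /* skipped by dump(8)             */
    { FS_IMMUTABLE_FL, 'i' },   /* immutable                      */
    { FS_SECRM_FL,     's' },   /* secure deletion                */
    { FS_SYNC_FL,      'S' },   /* synchronous writes             */
};

/* Render flags as six letters ('-' for unset).  out must hold 7 bytes. */
void ext2_attrs_to_string(unsigned long flags, char out[7])
{
    for (size_t k = 0; k < 6; k++)
        out[k] = (flags & attr_table[k].bit) ? attr_table[k].letter : '-';
    out[6] = '\0';
}

/* 1 if the inode is protected by append-only or immutable, else 0. */
int ext2_attrs_tamper_protected(unsigned long flags)
{
    return (flags & (FS_APPEND_FL | FS_IMMUTABLE_FL)) != 0;
}

/* Fetch the flags of path; 0 on success, -1 with errno set otherwise
 * (ENOTTY/EOPNOTSUPP when the filesystem lacks the ioctl). */
int ext2_get_attrs(const char *path, unsigned long *flags)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return -1;
    int attrs = 0;                 /* kernel ABI passes a C int here */
    int rc = ioctl(fd, FS_IOC_GETFLAGS, &attrs);
    close(fd);
    if (rc < 0)
        return -1;
    *flags = (unsigned int)attrs;
    return 0;
}

int main(int argc, char **argv)
{
    char buf[7];
    for (int i = 1; i < argc; i++) {
        unsigned long flags;
        if (ext2_get_attrs(argv[i], &flags) != 0) { perror(argv[i]); continue; }
        ext2_attrs_to_string(flags, buf);
        printf("%s %s%s\n", buf, argv[i],
               ext2_attrs_tamper_protected(flags) ? "  [a/i set]" : "");
    }
    return 0;
}
```

Run it over files you expect to be append-only (e.g. a log you have marked with chattr +a) to confirm the bit is really present.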



More information about the BSD mailing list