Access Control: take them from Novell Netware

Posted Nov 18, 2010 22:09 UTC (Thu) by zmi (guest, #4829)
In reply to: Access Control: take them from Novell Netware by jeremiah
Parent article: Ghosts of Unix past, part 3: Unfixable designs

From a security point of view, I don't like it. A system should deny everything, and only allow what I explicitly allow. The "default everybody everything yes" way you describe is so Windows, and it's for this reason most viruses are for this system today.

Access Control: take them from Novell Netware

Posted Nov 18, 2010 23:41 UTC (Thu) by jeremiah (subscriber, #1221) [Link] (1 responses)

but it seems much harder to administer the other way around. Once something is marked as inaccessible, that's it. You get to stop looking. Where as it seems like when something is marked as visible you have to establish some sort of hierarchy in case a parent thinks it shouldn't be visible. Which would be indicated by nothing being set. Or you run into a situation like unix where you have permissions going either direction and you have to again determine which overrides which. I guess that would be a fail safe as opposed to a fail open though, which I prefer. But SELinux is a clear demonstration of how complicated things can get if you do it in a complete fashion. Starting with the idea that everything is hidden from everything first, and then transitions are made between them. Yet the bail when it comes to initrc, and almost mark everything as visible first.

Access Control: take them from Novell Netware

Posted Nov 19, 2010 13:19 UTC (Fri) by jeremiah (subscriber, #1221) [Link]

I feel the urge to clarify my initrc comment. Although it's been a while since I dealt with it, here's what I remember, and some context. I run a payment gateway, so we decided to use SELinux to enforce a true division of roles. We made root a second class citizen to the role a user belonged to. The most difficult part of doing this was that root could transition through rpm_t into initrc_t into any other role on the system. The idea, I think, being that root should be able to install packages, and packages, if they were related to a service, should be able to restart themselves. This had the unwanted effect of giving root the ability to transition to just about anything. Trying to remove the 20 bazillion independent transition paths took a hard 2 weeks. This was with the reference policy, and not a vendor supplied policy, which is much more strict than the strict policy. What it really boiled down to, is what it always boils down to in the end. That delicate balance between usability, and security. In the end it was doable, but it wasn't easy.

I think SELinux is amazingly complete. It allowed us to implement a solution that always requires 2 users, from a group of 3. You throw LUKS, encrypted drives, and removable media into the mix, and you have as close to a bullet proof scenario as possible. On the other hand, I don't want to have to write code that the average admin can't administer without spending a month dealing with a sharp learning curve.

Like a lot of us here I'm a developer, and a system administrator. When I have my development hat on I try to think of the user, and what they have to put up with, while balancing it with security requirements etc. As an administrator, I know I'm willing to tolerate more than most users. The difficult part for me, is defining my target audience, and understanding their abilities and tolerance, and shooting for that. And sometimes the perfect solution, has to be hobbled security wise, or the product won't sell. The only way I've found to begin addressing that is though intelligent defaults, and meaningful dialogs/user interaction.

I am intrigued by the Netware ACL's though, since you seem to have found a happy place when dealing with them as opposed to other permission systems. Thanks for the input.

Access Control: take them from Novell Netware

Posted Nov 21, 2010 0:35 UTC (Sun) by Fowl (subscriber, #65667) [Link]

The reason that most viruses are for Windows is the user, plain and simply the huge number of "users". </OT>

If you don't find a specific ACE allowing you access, you don't have access.