[cap-talk] Unix inode communication seen as breaking TCSEC

Ian G iang at systemics.com
Thu Nov 2 05:27:58 CST 2006


Mark Miller wrote:
> On 11/1/06, Jed at Webstart <donnelley1 at webstart.com> wrote:
>   
>> cap-talk,
>>
>> Related to my previous note on capabilities and NCSC TCSEC, it
>> occurred to me to consider some features of systems like Unix and
>> Windows in the light of those criteria.  In particular the feature in
>> Unix that plash uses where open file descriptors can be communicated
>> through pipes (please correct my terminology or concept if I've
>> missed it here) seems to me to completely break all the TCSEC criteria
>> that are discussed in the document that I posted just as "traditional
>> capabilities" do.  Namely, such communication can allow file access
>> despite not being allowed by the nominal Unix rwx ugo access
>> controls, and there is no auditing on such communication.
>>
>> I wonder if those folks (TCSEC evaluators) feel that such a "feature"
>> in Unix breaks its opportunity for providing security?
>>     
>
>
> I talked to the architect of Sun's "Trusted Solaris" operating system,
> who explained to me that Trusted Solaris disallows such "Unix Domain
> Sockets" between compartments (their "zones") precisely because they
> believed that the ability to pass file descriptors was too dangerous.
>   


Hmmm, strangely, that is echoed in Java by Sun, which
also has the "feature" that Unix Domain Sockets are
not available.  The result of this is that one has to use
Internet sockets or some sort of file kludge, which leads
one down the inevitable path of firewalls, sysadmins, and
security spaghetti.

iang
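
The descriptor passing Jed describes above, as an added example (not code from the original thread, from plash, or from Trusted Solaris): a parent opens a file, chmods it to 0000 so that nobody can open() it by name any more, and then hands the already-open descriptor to a child over a socketpair using SCM_RIGHTS. The child's open() by name fails with EACCES, yet it reads the file through the passed descriptor. The file name, payload, and the helper names send_fd/recv_fd/demo_fd_passing are this example's own choices; the file is created under /tmp and removed afterwards.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

static const char SECRET[] = "constructed secret payload\n"; /* constructed sample */

/* Send one open descriptor as SCM_RIGHTS ancillary data. The kernel installs a
 * duplicate in the receiver's fd table without consulting the file's mode bits. */
int send_fd(int sock, int fd)
{
    char byte = 'F';
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    memset(&u, 0, sizeof u);
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent with send_fd(). Returns the new local fd or -1. */
int recv_fd(int sock)
{
    char byte;
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Child's report: errno of open(path) by name (0 if it worked), bytes read via the passed fd, data. */
struct report { int open_errno; int nread; char data[64]; };

/* Parent creates a mode-0000 file and keeps it open; the child, which cannot open()
 * it by name, receives the parent's descriptor and reads it anyway. Returns the byte
 * count the child read (strlen(SECRET)) or -1 on failure. *path_open_errno gets the
 * child's open-by-name errno: EACCES for an ordinary user, 0 under CAP_DAC_OVERRIDE. */
int demo_fd_passing(int *path_open_errno)
{
    char path[] = "/tmp/fdpass-demo-XXXXXX";
    int sv[2], rc = -1, file = mkstemp(path);
    struct report r;
    memset(&r, 0, sizeof r);
    if (file < 0) return -1;
    if (write(file, SECRET, strlen(SECRET)) != (ssize_t)strlen(SECRET) ||
        fchmod(file, 0) != 0 || lseek(file, 0, SEEK_SET) != 0 ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) {
        close(file); unlink(path); return -1;
    }
    pid_t pid = fork();
    if (pid == 0) {                   /* child */
        close(sv[0]);
        close(file);                  /* drop the inherited copy: only the name or the message remain */
        int byname = open(path, O_RDONLY);
        r.open_errno = byname < 0 ? errno : 0;
        if (byname >= 0) close(byname);
        int got = recv_fd(sv[1]);
        r.nread = got < 0 ? -1 : (int)read(got, r.data, sizeof r.data - 1);
        _exit(write(sv[1], &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
    }
    close(sv[1]);
    if (pid > 0 && send_fd(sv[0], file) == 0) {   /* parent: hand over the descriptor */
        size_t have = 0; ssize_t n;
        while (have < sizeof r && (n = read(sv[0], (char *)&r + have, sizeof r - have)) > 0)
            have += (size_t)n;
        if (have == sizeof r && r.nread == (int)strlen(SECRET) &&
            memcmp(r.data, SECRET, strlen(SECRET)) == 0)
            rc = r.nread;
    }
    if (pid > 0) waitpid(pid, NULL, 0);
    close(sv[0]); close(file); unlink(path);
    if (path_open_errno) *path_open_errno = r.open_errno;
    return rc;
}

int main(void)
{
    int err = 0, n = demo_fd_passing(&err);
    printf("open() by name: %s; read via passed fd: %d bytes\n", err ? strerror(err) : "ok", n);
    return n > 0 ? 0 : 1;
}
```

Built with `cc -o fdpass fdpass.c` and run as an ordinary user, it reports "Permission denied" for the open by name and 27 bytes read through the passed descriptor; run as root the by-name open succeeds as well, since CAP_DAC_OVERRIDE bypasses the mode bits anyway. The point for the TCSEC discussion is that rwx checking happens once, at the original open(), and the transfer itself is never checked against the receiver's credentials; a syscall audit of sendmsg/recvmsg would record that a message passed, not which inode it carried.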

