Project

General

Profile

Actions

User story #6248

open

Manage security attributes

Added by Florian Heigl almost 10 years ago. Updated almost 7 years ago.

Status:
Discussion
Priority:
N/A
Assignee:
-
Category:
Techniques
UX impact:
Suggestion strength:
User visibility:
Effort required:
Name check:
Fix check:
Regression:

Description

It would be nice[tm] to be able to also set other file permission details than the basic 1970's set.

This means:
  • SElinux Contexts
  • BSD-style security labels (sys immutable, user appendable) etc.
  • Unix extended filesystem ACLs (xfs, etc. I think by now even ext might have them)

Putting stuff like that in policy would allow people to considerably raise the security level of their systems without the major nightmares involved by manually maintaining this.

Personally I'd just use the SELinux one on folders, recursively and it might be crazy to do that from within cfengine. I.e. think a webserver with a few million files.

I have no idea how people maintain "trusted systems" from configuration management, but will try to get some extra input on that.
BSD labels are a different story and nicer to think about.

I.e. setting the right flags on the sshd binary so it's no longer possible for certain interested parties to embed a different ssh key for backdooring.
manually, upkeep of such a policy is extremely resource consuming.

Actions

Also available in: Atom PDF