Page 1 of 1

Can I prevent a file to be read by Root ?

PostPosted: Sun Oct 19, 2008 9:41 am
by evilangel
Hey all,

I am using a network authentication using certificates.
The strength of the system is based on the fact that the certificates will not be stolen from the PC.

So I wonder, using RBAC, can I achive this ?

For exemple, can I set my certificate readable only by the network daemon and not root ?

Re: Can I prevent a file to be read by Root ?

PostPosted: Fri Nov 07, 2008 8:36 pm
by spender
The RBAC system can help protect your certificates by making them non-readable to anything but the processes which need to access them. PaX provides an additional layer of security which meshes well with the RBAC system. The situation can be described as:
You have a system where only apache can access your certificate files. Not only can these certificates be opened by apache, but the contents of the certificates may exist in the memory context of the apache process. A sophisticated attacker who compromises the apache process under a straight MAC/RBAC security system would still be able to exfiltrate those certificates with some amount of shellcode (either by copying the certificates from memory or opening the certificate files and reading them in). PaX removes the attacker's ability to execute arbitrary code, making attacks of this kind of sophistication much more difficult.

-Brad