Re: AppArmor Security Goal

On Sat, Nov 10, 2007 at 03:52:31PM -0800, david@xxxxxxx wrote:
On Sat, 10 Nov 2007, Dr. David Alan Gilbert wrote:


<snip>


a question for Crispin,
is there a wildcard replacement for username? so that you could grant
permission to /home/$user/.mozilla...... and grant each user access to only
their own stuff? I realize that in this particular example the underlying
DAC will handle it, but I can see other cases where people may want to have
users more intermixed (say webserver files or directories for example)

A variable no. But the current iteration does allow specifying permissions
for files that are owned by the user. The method to do so has been
changed from the current posting and may change again as their is some
debate as to how best express this.

So system policy can express something similar by doing

owner rw @{HOME}/.mozilla,

where @{HOME} is a user side variable that gets expanded into the
locations of the systems home directories.

Allowing a user to tweak (under constraints) their settings might allow
them to do something like create two mozilla profiles which are isolated
from each other, so that the profile they use for general web surfing
is isolated from the one they use for online banking.

the model of being able to add restrictions would still handle this. make
two shell scripts (one to start each browser profile) and set the AA policy
for these scripts to only have access to the appropriate directories.

yes you could do this, though I tend to want it just so I can control
which of my files firefox should be able to touch, without messing
up system policy.

Attachment: pgpzu44qyR1Oa.pgp
Description: PGP signature

Relevant Pages

  • Re: Admin access denied to view roaming profiles
    ... you have to grant full access rights ... relevant user account to access the profile files and log on to the ... that user account could ... Grant share permission FULL to EVERYONE ...
    (microsoft.public.windows.server.general)
  • Re: Admin access denied to view roaming profiles
    ... relevant user account to access the profile files and log on to the ... that user account could ... Grant share permission FULL to EVERYONE ...
    (microsoft.public.windows.server.general)
  • Re: Temporary Access to Create Tables
    ... If the table needs to be persisted then you can grant the CREATE TABLE ... permission and the user will be able to create tables under the form ... REVOKE CREATE TABLE TO USER. ... > I need to be able to grant to a user access to create a table, ...
    (microsoft.public.sqlserver.security)
  • Re: Allowing Anonymous write access only.
    ... need at least READ permission for login. ... > been set up so that anonymous FTP users have write access only, this> may seem insecure and we do get a certain ammount of hackers or> taggers testing the system by dropping test files and folders onto the> server, but because anonymous users do not have read access they soon> find that they cannot download anything they upload and go elsewhere. ... This is where my problems have started,> I initialy replicated all the IIS setting and NTFS permission from my> NT box on my 2003 box but so far have been unable to achive the same> result, it appaers that I can only grant anonymous write access if I ...
    (microsoft.public.inetserver.iis.ftp)
  • Re: Yukon schemas
    ... ALTER to the schema. ... you have to grant create permission to perform the action ... data and to create and alter stored procedures and views that they owned. ...
    (microsoft.public.sqlserver.security)