ACL for Create and Unlink

Submit your RBAC policies or suggest policy improvements

ACL for Create and Unlink

Postby \etron » Wed Jul 03, 2002 3:41 am

I would like to see, as far as the acls go, the ability to allow or deny creating files in a directory.
So, for example, in /dev (a common place for hiding intruder log files, programs etc), you allow reading to and from devices, allow reading the contents of the directory, but do not allow creating new files.
Basically, have an acl for allowing/denying sys_creat and sys_open, also, perhaps for more fine grained access, denying sys_unlink as well.
\etron
 
Posts: 1
Joined: Wed Jul 03, 2002 3:30 am

Postby spender » Thu Jul 04, 2002 6:04 pm

that falls under write mode....if you can write, you can create or remove. The problem with making a specific flag for removing files is that with having write access, you can truncate(0) the file...the only difference between that and unlink(2) is that with unlink the file is gone.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm


Return to RBAC policy development