
deny send file to all but specific ip or email

Posted: Wed Aug 01, 2007 4:10 am
by walid
Can I make a restriction on some files so that they can be read and written but can't be printed by some users, can't be copied to any other machine on the network except the specified ones, and can't be emailed except to specified addresses?

Posted: Wed Aug 01, 2007 8:03 pm
by spender
This sort of thing is impossible for any system, no matter how complex (including SELinux). Once a file is read into memory, there's no real control you can have over what gets done with it. Watching network traffic for the file isn't good enough because you can have covert channels/encryption, etc.
Protection within an application itself can be defeated if an attacker gains control of the process.

-Brad

Posted: Tue Aug 14, 2007 6:26 am
by msi
You can use an IP/TCP filter to only let SMTP traffic out, and only SMTP traffic to your allowed destinations.
But these restrictions apply to your whole host and not only to specific files.
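
The egress filter described in the post above could look like the following nftables ruleset. This is an added example, not part of the original post: the relay and resolver addresses are constructed placeholders from the documentation ranges, and the table and set names are hypothetical.

```nftables
#!/usr/sbin/nft -f
# Added example: host-wide egress policy that only lets SMTP out,
# and only to an allow-list of mail relays.
# All addresses are constructed placeholders (RFC 5737 ranges).

table inet egress_mail {
    # Hypothetical allow-list of permitted SMTP destinations.
    set allowed_smtp_relays {
        type ipv4_addr
        elements = { 192.0.2.25, 198.51.100.25 }
    }

    chain output {
        # Default-deny for everything this host originates.
        type filter hook output priority 0; policy drop;

        # Local IPC over loopback must keep working.
        oifname "lo" accept

        # Replies on connections that were already permitted.
        ct state established,related accept

        # Name resolution to one resolver (assumed address), so the
        # mail client can look up its relay.
        ip daddr 192.0.2.53 udp dport 53 accept
        ip daddr 192.0.2.53 tcp dport 53 accept

        # SMTP and mail submission, only to the allow-listed relays.
        ip daddr @allowed_smtp_relays tcp dport { 25, 587 } accept

        # Everything else is logged and counted before being dropped,
        # so blocked attempts are visible in the kernel log.
        log prefix "egress-drop: " counter drop
    }
}
```

The policy covers every process on the host rather than individual files, and because it matches on destination IP it limits which mail servers can be reached, not which recipient addresses a message carries.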

Posted: Fri Aug 17, 2007 2:08 am
by specs
You want some kind of DRM to protect your content.

You'll have to encrypt your content and use some central control system to grant access, deny access or revoke access. Most options mostly "outsource" the control over the content. Please check if you don't simply throw away security.

DRM is, however, incompatible with open source. Once unencrypted it can be copied and used anywhere. Open source programs can be altered to create a copy to disk (or any other place).

You might want to search for TCPA, trusted computing and similar sources to view better explanations of the risks involved. You'll run into the same problems.
http://www.againsttcpa.com/