docs/177699: Documentation (handbook and manpage) for mac_biba doesn't mention its impacts on root privileges.

Kevin P. Barry ta0kira at gmail.com
Sun Apr 7 23:50:00 UTC 2013


>Number:         177699
>Category:       docs
>Synopsis:       Documentation (handbook and manpage) for mac_biba doesn't mention its impacts on root privileges.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-doc
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 07 23:50:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Kevin P. Barry
>Release:        9.1-RELEASE amd64
>Organization:
>Environment:
>Description:
The documentation for mac_biba (`man mac_biba` and http://www.freebsd.org/doc/en/books/handbook/mac-biba.html) completely neglects to mention that certain root privileges are lost if a process cannot attain biba/equal. A few examples of those privileges: setting the login class of a process; changing audit settings with auditon(2). Importantly, the latter prevents users from using su and sudo if their MAC label isn't compatible with biba/equal. Whether or not this is a core feature of the FreeBSD Biba implementation, users should be made aware of it up front in the documentation. I figured it out because I'm well-versed in C and I spent a few days tracking down why I couldn't use su and sudo; however, the majority of FreeBSD users probably aren't C programmers.
>How-To-Repeat:
Please note that the steps below reproduce one of the *undocumented* behaviors of mac_biba. The problem is the lack of documentation, not the behavior.

- Enable mac_biba.
- Given a username "user", try `setpmac 'biba/high(high-high)' su user true`. You should get "Permission denied", as well as a message referencing auditon failure in /var/log/messages.
>Fix:
The list of privileges lost if the process cannot attain biba/equal is available in biba_priv_check (/usr/src/sys/security/mac_biba/mac_biba.c:1868). Additionally, everywhere the biba_subject_privileged function is used in mac_biba.c indicates some sort of kernel functionality that is blocked.

>Release-Note:
>Audit-Trail:
>Unformatted:
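A pre-flight check for the behaviour this report describes, added here as an example; it is not part of the PR and not FreeBSD's own code. It assumes (and labels as an assumption) the rule that a process can relabel to biba/equal only if some element of its current label, the effective element or a range endpoint, is already equal, and it assumes the label spelling printed by getpmac(8) and accepted by setpmac(8), e.g. biba/high(low-high). The function names biba_label_elements, biba_can_attain_equal and biba_su_check are the example's own. The first two are pure string handling and run anywhere; the third wraps the report's reproduction step and only runs where setpmac exists.

```shell
#!/bin/sh
# Added example, not from the PR or from mac_biba itself.
# ASSUMPTION: a subject may relabel to biba/equal (and so keep the root
# privileges the report says are gated on it, such as auditon(2)) only if
# some element of its current label, effective or range endpoint, is "equal".

# Print "effective low high" for a label such as biba/high(low-high).
# A label without a range, e.g. biba/equal, uses its single element for all three.
biba_label_elements() {
    label=$1
    case $label in
        biba/*) ;;
        *) printf 'not a biba label: %s\n' "$label" >&2; return 2 ;;
    esac
    body=${label#biba/}
    case $body in
        *\(*-*\))
            eff=${body%%\(*}
            range=${body#*\(}
            range=${range%\)}
            lo=${range%%-*}
            hi=${range#*-}
            ;;
        *)
            eff=$body; lo=$body; hi=$body ;;
    esac
    printf '%s %s %s\n' "$eff" "$lo" "$hi"
}

# Exit 0 if a process carrying this label can attain biba/equal under the
# assumed rule, 1 if it cannot, 2 if the label does not parse.
biba_can_attain_equal() {
    elems=$(biba_label_elements "$1") || return 2
    for e in $elems; do
        e=${e%%:*}            # drop compartments, e.g. 10:2+3 -> 10
        [ "$e" = equal ] && return 0
    done
    return 1
}

# The report's reproduction step, run only where setpmac(8) exists (FreeBSD
# with mac_biba loaded). Returns 0 if su works under the label, 1 if it is
# denied, 3 if the live check was skipped.
biba_su_check() {
    user=$1; label=$2
    if ! command -v setpmac >/dev/null 2>&1; then
        printf 'setpmac not found; skipping live check\n'
        return 3
    fi
    if setpmac "$label" su "$user" true 2>/dev/null; then
        printf 'su works under %s\n' "$label"
        return 0
    fi
    printf 'su fails under %s; see /var/log/messages for the auditon error\n' "$label"
    return 1
}

# Constructed sample labels for a stand-alone run.
for l in 'biba/high(high-high)' 'biba/equal' 'biba/high(equal-high)' 'biba/10:2+3(5-15)'; do
    if biba_can_attain_equal "$l"; then
        printf '%-24s can attain biba/equal: root privileges retained\n' "$l"
    else
        printf '%-24s cannot attain biba/equal: auditon-type privileges lost\n' "$l"
    fi
done
```

On a FreeBSD host with mac_biba loaded, `biba_can_attain_equal "$(getpmac)"` tells an administrator before they try su or sudo whether the current label will trip the undocumented check, and `biba_su_check user 'biba/high(high-high)'` reproduces the report's "Permission denied" case.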

