IBM 10 SP1 EAL4 5.11.3 Trusted commands and trusted processes

•/etc/ftpusers: The ftpusers text file contains a list of users who cannot log in using the File

Transfer Protocol (FTP) server daemon. The file is owned by the root user and root group, and its

mode is 644.

•/etc/apparmor/* and /etc/apparmor.d/*: The directories /etc/apparmor and

/etc/apparmor.d contain several configuration files that are used by the AppArmor LSM

modules. Both directories are owned by the root user and root group, and their mode is 755.

Discretionary Access Checks (DAC) access control rules specify how a certain process with appropriate DAC

security attributes can access an object with a set of DAC security attributes. In addition, DAC access control

rules also specify how subject and object security attributes transition to new values and under what

conditions. DAC access control lists are described in detail in Section 5.1.5.2.

Software privilege for DAC policy is based on the user ID of the process. At any time, each process has an

effective user ID, an effective group ID, and a set of supplementary group IDs. These IDs determine the

privileges of the process. A process with a user ID of 0 is a privileged process, with capabilities of bypassing

the access control policies of the system. The root user name is commonly associated with user ID 0, but

there can be other users with this ID.

Additionally, the SLES kernel has a framework for providing software privilege for DAC policy through

capabilities. These capabilities, which are based on the POSIX.1e draft, allow breakup of the kernel software

privilege associated with user ID zero into a set of discrete privileges based on the operation being attempted.

For example, if a process is trying to create a device special file by invoking the mknod() system call, instead

of checking to ensure that the user ID is zero, the kernel checks to ensure that the process is capable of

creating device special files. In the absence of special kernel modules that define and use capabilities, as is

the case with the TOE, capability checks revert back to granting kernel software privilege based on the user

ID of the process.

5.11.3 Trusted commands and trusted processes

The Identification and Authentication subsystem contains the agetty and mingetty trusted processes and

the gpasswd, login, passwd, and su trusted commands.

agetty, the alternative Linux getty, is invoked from /sbin/init when the system transitions from a

single-user mode to a multi-user mode. agetty opens a tty port, prompts for a login name, and invokes

/bin/login to authenticate. Refer to the agetty man page for more detailed information. agetty

follows these steps:

1. Sets language.

2. Parses command line setup options such as timeout and the alternate login program.

3. Updates the utmp file with tty information.

4. Initializes terminal I/O characteristics. Examples are modems or regular terminals.

5. Prompts for login name.

176