Penetration Testing mailing list archives

Re: Subverting eTrust Access Control on UNIX (file execution)
From: Tim Brown <tmb () 65535 com>
Date: Mon, 8 Dec 2008 11:52:33 +0000

On Sunday 07 December 2008 23:42:03 RexRufi wrote:
> One of my clients is using CA Access Control (formerly eTrust Access
> Control) to restrict execution of certain binaries to specifically
> authorized users. Does anyone know how eTrust determines matches for
> purposes of restricting access, i.e. is it simply path/file name or is
> there a hash used?
>
> As an authorized unprivileged user, I picture subverting this by
> simply uploading my own version of these binaries, if needed.  If
> eTrust is using a hash, I'll need to modify these so that they no
> longer match.

Have a look at 
AC is rather similar to TACF (I believe they were originally one and the 

In answer to your question, it can use a multitude of methods (depending on 
precisely what policy rules are applied).

The AC policy language has the concept of trusted binaries and if it is
detected by AC that a listed binary has different metadata from that listed
in the policy, then the metadata in the local policy is updated to flag it
as untrusted.  Depending on the setup and your access you may be able to
reset this flag in the local policy using selang.

The trust stuff is documented at: 

Flags that define the way in which the resource is to be trusted and how it
should be trusted and how it should be checked for trusted status.
Available flags include Ctime, Mtime, Mode, Size, Device, Inode, Crc,
Owner, Group, All, None.

Maybe have a look at the audit logs or policy to determine on what grounds you 
are being rejected?  

Tim Brown
<mailto:tmb () 65535 com>
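The flag list quoted above (Ctime, Mtime, Mode, Size, Device, Inode, Crc, Owner, Group) is easiest to understand by seeing what each one does and does not catch. The following is an added illustration, not CA's code and not anything from the thread: it records a baseline of those attributes for a file with os.stat, then re-checks the file after three kinds of change. The CRC algorithm used by the real product is not stated on the page, so zlib.crc32 is an assumption here; the sample file and the tampering steps are constructed for the demo.

```python
import os
import tempfile
import zlib

# Flag names as listed in the AC documentation quoted above. Which stat field
# each maps to is our reading of the names, not CA's documented implementation.
TRUST_FLAGS = ("Ctime", "Mtime", "Mode", "Size", "Device", "Inode", "Crc", "Owner", "Group")


def _crc32(path):
    """Assumed CRC: zlib.crc32 over the whole file (the product's exact CRC is not given)."""
    with open(path, "rb") as fh:
        return zlib.crc32(fh.read()) & 0xFFFFFFFF


def snapshot(path, flags=TRUST_FLAGS):
    """Record the attributes named by `flags` for `path` (the trusted-binary baseline)."""
    st = os.stat(path)
    fields = {
        "Ctime": st.st_ctime_ns,   # inode change time
        "Mtime": st.st_mtime_ns,   # content modification time
        "Mode": st.st_mode,        # type + permission bits
        "Size": st.st_size,
        "Device": st.st_dev,
        "Inode": st.st_ino,
        "Owner": st.st_uid,
        "Group": st.st_gid,
    }
    snap = {}
    for flag in flags:
        snap[flag] = _crc32(path) if flag == "Crc" else fields[flag]
    return snap


def check_trust(path, baseline):
    """Return the sorted list of baseline flags whose value no longer matches.

    An empty list means the file still matches its recorded policy entry; anything
    else is what would make AC mark the entry untrusted.
    """
    current = snapshot(path, tuple(baseline))
    return sorted(flag for flag in baseline if current[flag] != baseline[flag])


def demo():
    """Constructed scenario: baseline a small script, tamper three ways, report the mismatches."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        tool = os.path.join(workdir, "tool")
        with open(tool, "wb") as fh:
            fh.write(b"#!/bin/sh\necho original\n")
        os.chmod(tool, 0o755)

        baseline_all = snapshot(tool)                 # policy using All
        baseline_size_only = snapshot(tool, ("Size",))  # weak policy using Size only
        results["clean"] = check_trust(tool, baseline_all)

        # 1. Same-length content swap in place: Size is unchanged, Crc is not.
        with open(tool, "r+b") as fh:
            fh.write(b"#!/bin/sh\necho replaced\n")
        results["same_size_swap_size_only"] = check_trust(tool, baseline_size_only)
        results["same_size_swap_all"] = check_trust(tool, baseline_all)

        # 2. Permission change only: Mode differs.
        os.chmod(tool, 0o700)
        results["chmod"] = check_trust(tool, baseline_all)

        # 3. Whole-file replacement via rename: the new file carries a new Inode.
        staged = os.path.join(workdir, "tool.new")
        with open(staged, "wb") as fh:
            fh.write(b"#!/bin/sh\necho replaced\n")
        os.replace(staged, tool)
        results["replace"] = check_trust(tool, baseline_all)
    return results


if __name__ == "__main__":
    for scenario, mismatched in demo().items():
        print(f"{scenario}: {'trusted' if not mismatched else 'untrusted ' + str(mismatched)}")
```

The point for a policy author is visible in the output: a rule that trusts on Size alone accepts the same-length swap, while Crc (and normally Mtime) rejects it; Mode catches a permission change and Inode catches a rename-over replacement, which is why the documentation offers All rather than a single attribute. An auditor reviewing an AC deployment would check which of these flags the policy actually enables for each trusted program.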
