1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
|
.TH SESSION 1
.CT 1 sa_nonmortals secur
.SH NAME
session, drop, runlow \- substitute labels temporarily
.SH SYNOPSIS
.B session
[
.I option ...
]
.PP
.B priv session
[
.I option ...
]
.PP
.B runlow
.I command
.PP
.B drop
[
.B -l
.I label
]
[
.I command-arg ...
]
.SH DESCRIPTION
.I Session
sets a temporary security label for the duration of one command.
The ceiling is raised sufficiently to cover the requested
label, up to the authorization recorded for the
current login name.
If no
.I command-args
are given, the command is taken to be a shell:
.IR sh (1)
above the system floor, or
.IR nosh (8)
below.
With
.I command-args,
the specified command is run; there is no shell-like path search.
.PP
If the current ceiling does not dominate the new ceiling,
or the the new process label is below the system floor
and does not dominate the current label
.I session
must be invoked through
.IR priv (1).
.LP
The options are
.TP
.BI -l " label
Set the process label and the label of
the standard input to the given value, specified as in
.IR atolab ;
see
.IR labtoa (3).
If the value does not dominate the current process label,
clear the environment and pass no arguments to the
invoked command.
If
.I label
is missing, it is taken to be the system floor.
.TP
.BI -C " label
Set the process ceiling at or above the given value.
If
.I label
is missing, it is taken to be the process label.
.TP
.BI -u " user
The password for
.I user
will be demanded.
The fact that the password has been presented will be recorded
in the stream identifier (see
.IR stream (4))
of the standard input.
For the duration
of the session, further queries for that password will succeed
automatically.
If
.I user
is missing, it is taken to be the current login name.
.TP
.B -x
Replace current session instead of suspending it
for the duration of the new session (like
.B exec
in
.IR sh (1)).
.TP
.BI -c " command-arg ...
Instead of a shell, run the given command with the given arguments.
This option must come last.
.PP
To change labels, the input source must come over
a trustable channel, in particular neither from an
untrusted computer nor from a terminal into which
untrusted code has been downloaded.
The request may require confirmation to assure that no
software has tampered with it; answer
.L y
for yes.
Confirmation and password inquiries happen under cover of
.IR pex (4).
In a
.IR mux (9.1)
window, this gives a visible indication; a missing indication
is a sign of spoofing.
.PP
.I Runlow
runs a command, starting the label at bottom, somewhat like
.BR "session -l 0" ,
but without changing the label of the standard input.
The executable file is located according to environment variable
.B $PATH
as in
.IR sh (1).
The command receives empty argument and environment lists,
but inherits open file descriptors; only descriptors 0-3
are allowed.
The process label will immediately rise to dominate that of
the executable file.
.PP
.I Drop
sets the process ceiling
to
.I label
(by default to the process label)
for the running of one
.I command
with the given
.I arguments.
If no
.I command
is given,
.F /bin/sh
is run.
.LP
The current process label, process licenses, terminal label,
and environment are preserved.
.SH EXAMPLES
.TP
.B priv session -C ffff...
Change ceiling to the maximum authorized for the current user.
.TP
.B priv session -l 0
.br
.ns
.TP
.B cd /usr/src
Enter a bottom-label interactive terminal subsession.
Get out of the black-hole directory that
.IR priv (1)
leaves you in.
.TP
.B runlow /bin/sh # not useful
An attempt to fool the system into giving a bottom-label
interactive shell.
When the shell reads from standard input,
its label will revert to that of the current session.
.TP
.B drop ls -l *
.br
.ns
.TP
.B drop pwd
Prevent the process label from rising to cover the labels of
files in the directories examined by
.I ls
or
.I pwd.
(If the label did rise, the output could not get
to the terminal.)
.SH FILES
.F /dev/log/sessionlog
.br
.F /etc/pwfile
.br
.F /etc/floor
.br
.F /bin/sh
.br
.F /etc/nosh
.SH SEE ALSO
.IR sh (1),
.IR getflab (2),
.IR getplab (2),
.IR exec (2),
.IR pwfile (5),
.IR login (8),
.IR nosh (8),
.IR pwserv (8)
.SH DIAGNOSTICS
`Sorry', instead of asking for a password: untrusted channel.
|
