[rsbac] Protecting secoff from malicious root
Rafal Wojtczuk
rsbac@rsbac.org
Sun, 3 Mar 2002 18:47:25 +0000
Thank you for the instructive answers, a few more questions.
On Fri, Mar 01, 2002 at 06:06:25PM +0100, Amon Ott wrote:
> If you really have to use /bin/login and need a superuser being able to
> change everybody's password, you could use secoff or another user for that
> task - just prevent writing to /etc/shadow by anybody else.
I would like to allow ordinary users to change their own passwords, too :)
> BTW, you can easily prevent execution of other programs through RC role
> process_execute_type value no_execute.
OK, but we must remember that if an attacker can force a privileged process
to run machine code injected by the attacker (note I avoided the word
"shellcode"), the attacker doesn't need to execute anything to take full
advantage of the process' privileges.
> > 3) How about stuffing keystrokes into tty queues? Root can wait for secoff
> > to log in, then root can send characters to secoff's terminal with
> > ioctl(secoffs_terminal_fd, TIOCSTI, ptr_to_char)
> > and thus invoke arbitrary commands as secoff.
>
> Let the secoff login script assign another RC type to the controlling tty,
> which root has no right to access. I'd have to check, whether the ioctl is
> controlled - if not, this hole should be fixed.
One must also avoid race conditions: an attacker can inject keystrokes after
the tty has been allocated, but before the login script runs.
> > 4) /dev/kmem seems to be protected by default, but /dev/hda is not. I could
> > for instance access files in /rsbac with debugfs utility.
>
> Right. The base setup must plain work to get people up and running.
>
> In my usual setup, all partitions get a special RC type, which only role FSCK
> (assigned to /sbin/fsck) can read-write and root can only mount/umount.
"all partitions": what do you mean? All entries in /dev? What if I do
# mknod myhda b 3 0
# debugfs -w ./myhda
Or should all mknod operations be disallowed (which is tricky to enforce; I
can write to /dev/hdaX a filesystem containing device pseudofiles and then
mount /dev/hdaX).
Save yourself,
Nergal
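The two bypasses raised in the message above (a device node created with mknod outside /dev that aliases a protected disk, and a filesystem full of device pseudofiles mounted without nodev) are both things a defender can audit for. The following is an added example written for this page, not code from the thread or from the RSBAC project: it compares device nodes by their (major, minor) numbers rather than by path, and flags block-device mounts that lack the nodev option. The protected device table, the sample node list and the sample /proc/mounts text are constructed for the demonstration; only /dev/hda with major 3, minor 0 comes from the message itself.

```python
"""Audit for device-node aliases and mounts that allow device nodes.

Access control keyed to the path /dev/hda misses a node created elsewhere
with `mknod myhda b 3 0`: both refer to the same (major, minor) pair and
grant the same access. Comparing st_rdev catches the alias regardless of
where it lives, including inside a freshly mounted filesystem.
"""
import os
import stat
from typing import Dict, Iterable, List, NamedTuple, Tuple

class DevNode(NamedTuple):
    path: str
    is_block: bool
    major: int
    minor: int

# Constructed table of protected block devices, keyed by (major, minor).
# /dev/hda = (3, 0) is the IDE disk named in the message; the rest is assumed.
PROTECTED: Dict[Tuple[int, int], str] = {(3, 0): "/dev/hda", (3, 1): "/dev/hda1"}

def find_aliases(nodes: Iterable[DevNode],
                 protected: Dict[Tuple[int, int], str] = PROTECTED) -> List[Tuple[str, str]]:
    """Return (alias_path, canonical_path) for every block node whose
    (major, minor) matches a protected device but whose path is not the
    canonical one. Character devices are ignored here."""
    hits = []
    for n in nodes:
        if not n.is_block:
            continue
        canon = protected.get((n.major, n.minor))
        if canon is not None and os.path.normpath(n.path) != canon:
            hits.append((n.path, canon))
    return hits

def scan_tree(root: str) -> List[DevNode]:
    """Walk a real directory tree and collect device nodes via lstat, so a
    symlink to /dev/hda is not mistaken for a second node."""
    nodes = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISBLK(st.st_mode) or stat.S_ISCHR(st.st_mode):
                nodes.append(DevNode(p, stat.S_ISBLK(st.st_mode),
                                     os.major(st.st_rdev), os.minor(st.st_rdev)))
    return nodes

def mounts_without_nodev(proc_mounts: str) -> List[str]:
    """Return mount points of block-device-backed filesystems (source under
    /dev/) whose options lack `nodev`. A device node placed on such a
    filesystem is usable; with nodev the kernel refuses to open it. The root
    filesystem usually has to keep device nodes (it holds /dev), so it will
    show up here and must be judged separately."""
    flagged = []
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("/dev/"):
            continue
        options = fields[3].split(",")
        if "nodev" not in options:
            flagged.append(fields[1])
    return flagged

# Constructed sample input: what scan_tree() might return on such a box.
SAMPLE_NODES = [
    DevNode("/dev/hda", True, 3, 0),
    DevNode("/dev/hda1", True, 3, 1),
    DevNode("/dev/null", False, 1, 3),
    DevNode("/root/myhda", True, 3, 0),        # alias made with mknod
    DevNode("/mnt/hdaX/dev/hda", True, 3, 0),  # node shipped inside a mounted fs
]

# Constructed sample in /proc/mounts format.
SAMPLE_MOUNTS = """\
/dev/hda1 / ext2 rw 0 0
/dev/hda3 /home ext2 rw,nosuid,nodev 0 0
/dev/hda5 /mnt/hdaX ext2 rw 0 0
proc /proc proc rw 0 0
"""

if __name__ == "__main__":
    for alias, canon in find_aliases(SAMPLE_NODES):
        print(f"alias {alias} -> {canon}")
    for mp in mounts_without_nodev(SAMPLE_MOUNTS):
        print(f"mount without nodev: {mp}")
```

Run against a live system with `find_aliases(scan_tree("/"))` and the contents of /proc/mounts; the scan has to be repeated after every mount, since the message's point is that the alias can arrive on a filesystem the attacker wrote and mounted later.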