[rsbac] Protecting secoff from malicious root

Rafal Wojtczuk rsbac@rsbac.org
Sun, 3 Mar 2002 18:47:25 +0000

Thank you for the instructive answers, a few more questions.
On Fri, Mar 01, 2002 at 06:06:25PM +0100, Amon Ott wrote:
> If you really have to use /bin/login and need a superuser being able to 
> change everybody's password, you could use secoff or another user for that 
> task - just prevent writing to /etc/shadow by anybody else.
I would like to allow ordinary users to change their own passwords, too :)

> BTW, you can easily prevent execution of other programs through RC role 
> process_execute_type value no_execute.
OK, but we must remember thet if an attacker can force a privileged process 
to run a machine code injected by the attacker (note I avoided the word 
"shellcode"), the attacker doesn't need to execute anything to take full
advantage of the process' privileges.

> > 3) How about stuffing keystrokes into tty queues ? Root can wait for secoff
> > to log in, then root can send characters to secoff's terminal with
> > ioctl(secoffs_terminal_fd, TIOCSTI, ptr_to_char)
> > and thus invoke arbitrary commands as secoff.
> Let the secoff login script assign another RC type to the controlling tty, 
> which root has no right to access. I'd have to check, whether the ioctl is 
> controlled - if not, this hole should be fixed.
One must also avoid race conditions: an attacker can inject keystrokes after
the tty has been allocated, but before the login script runs.

> > 4) /dev/kmem seems to be protected by default, but /dev/hda is not. I could
> > for instance access files in /rsbac with debugfs utility.
> Right. The base setup must plain work to get people up and running.
> In my usual setup, all partitions get a special RC type, which only role FSCK 
> (assigned to /sbin/fsck) can read-write and root can only mount/umount.
"all partitions": what do you mean ? All entries in /dev ? What If I do 
# mknod myhda b 3 0
# debugfs -w ./myhda
Or should all mknod operations be disallowed (which is tricky to enforce; I
can write to /dev/hdaX a filesystem containing device pseudofiles and then
mount /dev/hdaX).

Save yourself,