[rsbac] Protecting secoff from malicious root
Rafal Wojtczuk
rsbac@rsbac.org
Sun, 3 Mar 2002 18:56:27 +0000
On Fri, Mar 01, 2002 at 10:41:18PM +0500, Arkady A Drovosekov wrote:
> On Fri, Mar 01, 2002 at 11:10:10AM +0000, Rafal Wojtczuk wrote:
> > 1) It looks sane to assume that root should be allowed to change other users'
> > passwords. Therefore, root can change secoff's password and login as secoff.
> create user+role for changing passwords only. create wrapper with
> additional check uid=400. use only this wrapper to change passwords
Could you add a few more words of explanation?
> > # LD_PRELOAD=./ld.so /bin/login
> > $
> has login suid bit? how it will work?.. (don't remember such situation)
A setuid bit on login does not matter when login is run by root (because
login is setuid root; login still has ruid=euid=0, and dynamic linker
honours LD_* variables). Remember telnetd/login/LD_PRELOAD remote
vulnerability in SunOS in 1993 :) ?
> did you run this fragment under rsbac kernel? you have to add capability to
> change uid for desired program
It works under rsbac kernel, after
attr_set_fd FILE auth_may_setuid /bin/login
Anyway, Amon has already explained how to fix it.
> program can not change uid to secoff unless you permit this
Certainly, "login" is the case when you have to permit this :)
Save yourself,
Nergal
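
Added example, not part of the original message: a small C model of the rule described above (the linker honours LD_* only when real and effective ids match), paired with a scan of a /proc/<pid>/environ style buffer for LD_* entries. The function names, the sample environment and the alert policy are assumptions made for illustration; the id test is simplified and leaves out capability and LSM inputs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample: NUL-separated entries as found in /proc/<pid>/environ. */
static const char SAMPLE_ENV[] = "PATH=/bin\0LD_PRELOAD=./ld.so\0TERM=vt100";

/* Simplified model of the linker's secure-execution test: only real vs
 * effective ids are compared (hypothetical helper, not linker code). */
int ld_vars_honoured(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid == euid && rgid == egid;
}

/* Count entries whose name starts with "LD_" in a buffer of len bytes. */
int count_ld_vars(const char *buf, size_t len)
{
    int hits = 0;
    size_t i = 0;
    while (i < len) {
        const char *end = memchr(buf + i, '\0', len - i);
        size_t n = end ? (size_t)(end - (buf + i)) : len - i;
        if (n >= 3 && memcmp(buf + i, "LD_", 3) == 0)
            hits++;
        i += n + 1;   /* skip the entry and its terminating NUL */
    }
    return hits;
}

/* Alert when a program allowed to change uid (auth_may_setuid in the thread)
 * started with LD_* set and ids under which the linker would honour them. */
int should_alert(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                 int may_setuid, const char *env, size_t len)
{
    return may_setuid && ld_vars_honoured(ruid, euid, rgid, egid)
           && count_ld_vars(env, len) > 0;
}

int main(void)
{
    size_t len = sizeof SAMPLE_ENV;
    printf("root runs setuid-root login: alert=%d\n",
           should_alert(0, 0, 0, 0, 1, SAMPLE_ENV, len));
    printf("uid 1000 runs setuid-root login: alert=%d\n",
           should_alert(1000, 0, 100, 100, 1, SAMPLE_ENV, len));
    return 0;
}
```

The first case is the one from the message: root starts login, so ruid=euid=0 and the setuid bit changes nothing.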