[rsbac] Protecting secoff from malicious root

Rafal Wojtczuk rsbac@rsbac.org
Sun, 3 Mar 2002 18:56:27 +0000


On Fri, Mar 01, 2002 at 10:41:18PM +0500, Arkady A Drovosekov wrote:
> On Fri, Mar 01, 2002 at 11:10:10AM +0000, Rafal Wojtczuk wrote:
> > 1) It looks sane to assume that root should be allowed to change other users'
> > passwords. Therefore, root can change secoff's password and login as secoff.
> Create a user+role for changing passwords only. Create a wrapper with an
> additional check uid=400. Use only this wrapper to change passwords.
Could you add a few more words of explanation?

> > 	# LD_PRELOAD=./ld.so /bin/login
> > 	$ 
> Does login have the suid bit? How will it work? (I don't remember such a situation.)
The setuid bit on login does not matter when login is run by root (because
login is setuid root; login still has ruid=euid=0, and the dynamic linker
honours LD_* variables). Remember the telnetd/login/LD_PRELOAD remote
vulnerability in SunOS in 1993? :)

> Did you run this fragment under an rsbac kernel? You have to add the capability to
> change uid for the desired program.
It works under an rsbac kernel, after
attr_set_fd FILE auth_may_setuid /bin/login
Anyway, Amon has already explained how to fix it.

> A program cannot change uid to secoff unless you permit this.
Certainly, "login" is the case when you have to permit this :)

Save yourself,
Nergal
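
The rule discussed in this message (LD_* variables are honoured when real and effective ids match, as when root runs setuid-root login) can be turned into a check over process environments. The following is an added example, not code from the thread or from RSBAC. It assumes the Linux /proc/<pid>/environ layout (NUL-separated strings), uses constructed sample data, and models only the uid/gid comparison; all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the rule in the mail: the dynamic linker drops LD_*
 * variables only when real and effective ids differ (assumption: other
 * triggers of secure-execution mode are not modelled). */
static int linker_ignores_ld_vars(unsigned ruid, unsigned euid,
                                  unsigned rgid, unsigned egid)
{
    return ruid != euid || rgid != egid;
}

/* Count LD_* entries in a NUL-separated environment block. */
static int count_ld_vars(const char *env, size_t len)
{
    int n = 0;
    size_t i = 0;
    while (i < len) {
        const char *end = memchr(env + i, '\0', len - i);
        size_t l = end ? (size_t)(end - (env + i)) : len - i;
        if (l >= 3 && memcmp(env + i, "LD_", 3) == 0)
            n++;                       /* variable NAME starts with LD_ */
        i += l + 1;                    /* skip the string and its NUL */
    }
    return n;
}

/* Flag a process that carries LD_* variables and whose ids gave the
 * linker no reason to ignore them. */
static int flag_process(unsigned ruid, unsigned euid, unsigned rgid,
                        unsigned egid, const char *env, size_t len)
{
    if (linker_ignores_ld_vars(ruid, euid, rgid, egid))
        return 0;
    return count_ld_vars(env, len) > 0;
}

/* Constructed sample environment blocks, not captured from a real system. */
static const char ENV_PRELOAD[] = "PATH=/bin\0LD_PRELOAD=./ld.so\0TERM=vt100";
static const char ENV_CLEAN[]   = "PATH=/bin\0OLD_VAR=LD_PRELOAD\0TERM=vt100";

int main(void)
{
    /* root running setuid-root login: ruid == euid == 0 */
    printf("root + LD_PRELOAD: %d\n",
           flag_process(0, 0, 0, 0, ENV_PRELOAD, sizeof ENV_PRELOAD));
    /* ordinary user running the same setuid-root binary */
    printf("uid 1000 + LD_PRELOAD: %d\n",
           flag_process(1000, 0, 1000, 1000, ENV_PRELOAD, sizeof ENV_PRELOAD));
    return 0;
}
```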