[rsbac] Problem with /bin/login

Toggweiler Stephan rsbac@rsbac.org
Fri May 3 11:51:01 2002


For the SANS GSEC (GIAC Security Essential Cert) I need to write a
practical. I have choosen RSBAC as my topic for this practical (a little
document how to setup a Linux server with Apache, Squid from base).

With the help of the example auth_prod (in rsbac-admin-v1.2.0-pre8.tar.gz) I
had created my own script (see attachement) that implement some basic
policies (hide /etc/shadow from normal users). Like in the example I have
created 2 roles "Auth User" and "Auth Admin" (can write to /etc/shadow) and
the 2 FD types "Passwd FD" and "Shadow FD".
The following attributes are set to /bin/login, /etc/passwd, /etc/group and
attr_set_file_dir FILE /bin/login rc_type_fd $TYPE_Passwd_FD
attr_set_file_dir FILE /bin/login rc_force_role $ROLE_Auth_User
attr_set_file_dir AUTH FILE /bin/login auth_may_setuid 1
attr_set_file_dir FILE /etc/passwd rc_type_fd $TYPE_Passwd_FD
attr_set_file_dir FILE /etc/group rc_type_fd $TYPE_Passwd_FD
attr_set_file_dir FILE /etc/shadow rc_type_fd $TYPE_Shadow_FD

When I startup with the RSBAC kernel I can login as root or secoff but with
both login the role are alloways Auth_User and not System_Admin or
Role_Admin. How can I setup the attributes that /bin/login change the role
to the user where /bin/login setuid to.

Thanks in advance.

My Linux system a Gentoo 1.1a with RSBAC 1.2.0-pre8.


>>> Rentenanstalt/Swiss Life - Official Partner Expo.02 <<<