[rsbac] Reply: [rsbac] secure module handling

rsbac@rsbac.org rsbac@rsbac.org
Wed Sep 4 13:11:01 2002


Hello,

perhaps using an alias for ldconfig like 'ldconfig -C /etc/ldconfig/ld.so.cache' would help you? That way you could create the
necessary directory and the file's inode change will not matter anymore. By
the way, you could have a symlink from /etc/ld.so.cache to
/etc/ldconfig/ld.so.cache to be compatible. /etc/ldconfig/ld.so.cache will
inherit its properties from /etc/ldconfig so changes will remain.

Bye,

Gabor Horvath
ghorvath@minolta.hu





Andreas Baetz <andreas.baetz@herma.de>
From: rsbac-admin@rsbac.org
2002.09.04 11:14
Please respond to: rsbac

                  To:      rsbac@rsbac.org
                  Cc:
                  Subject: [rsbac] secure module handling


Hi,

to make sure that only trusted kernel modules are loaded,
I did the following (using RC and version 1.1.2):
- assigned /lib/modules to rc_type_fd modules
- assigned all binaries and libraries to rc_type_fd sysfiles
- all roles have read_only to sysfiles and modules
- created role module_admin
- assigned rc_force_role of /sbin/insmod to role module_admin
- removed add_to_kernel and remove_from_kernel
  from all roles except module_admin
- removed all permissions to General_FD from
  role module_admin

Now insmod can only load modules from /lib/modules and
nobody can write there. The system works, but every time
modprobe, lsmod, rmmod or insmod are called, they try
to access /etc/ld.so.cache. This is not granted. The modules
get loaded and unloaded, though. Now I granted the role
module_admin read to this file, but the inode changes every time
ldconfig is run. But I don't want to grant read to /etc for that role,
because then root could create some module there and load it.

What do you think about my solution? Any comments?

Andreas Baetz


_______________________________________________
rsbac mailing list
rsbac@rsbac.org
http://www.rsbac.org/mailman/listinfo/rsbac
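Added example, not code from either poster or from the RSBAC project: a small POSIX shell script that models the two points in the exchange above. It shows why a right granted on /etc/ld.so.cache itself stops matching once ldconfig rewrites the cache (the pathname stays, the inode does not, because the new cache is written beside the old one and renamed over it), and that a grant attached to a directory such as /etc/ldconfig keeps matching however often the cache is rebuilt, with /etc/ld.so.cache left as a symlink for the dynamic loader. The two grant-matching functions are stand-ins, not RC code, and the assumption that a file newly created under /etc/ldconfig inherits that directory's attributes is the one Gabor makes, not something the script verifies. Everything runs in a scratch directory, so it needs neither RSBAC, root nor a real ldconfig.

```shell
#!/bin/sh
# Added example (not from the rsbac list thread). Models a per-file grant
# versus a per-directory grant across ldconfig-style cache rebuilds.
# All paths live under a scratch directory created by mktemp.

# Rebuild a cache the way ldconfig does: write a temporary file, then
# rename it over the old name. The pathname is unchanged, the inode is not.
regen_cache() {
    cache="$1"
    tmp="$cache.tmp.$$"
    printf 'constructed cache contents, generation %s\n' "$(date +%s)" > "$tmp"
    mv -f "$tmp" "$cache"
}

# Portable inode lookup (ls -i works on GNU and BSD userlands).
inode_of() {
    set -- $(ls -di "$1")
    echo "$1"
}

# Stand-in for a grant recorded against one object: it only matches while
# the object still has the inode it had when the grant was made.
inode_grant_matches() { [ "$(inode_of "$2")" = "$1" ]; }

# Stand-in for a grant on a directory whose type children inherit (the
# assumption in Gabor's reply): anything under the directory is covered.
dir_grant_matches() { case "$2" in "$1"/*) return 0 ;; *) return 1 ;; esac; }

fresh_tree() {
    work=$(mktemp -d)
    mkdir -p "$work/etc/ldconfig"
    echo "$work"
}

# Per-file grant on /etc/ld.so.cache: fine right after granting,
# stale after the next ldconfig run. Returns "ok" or "stale".
check_inode_grant() {
    work=$(fresh_tree)
    cache="$work/etc/ld.so.cache"
    regen_cache "$cache"
    granted=$(inode_of "$cache")          # "read granted on this file"
    regen_cache "$cache"                  # ldconfig runs again
    if inode_grant_matches "$granted" "$cache"; then r=ok; else r=stale; fi
    rm -rf "$work"
    echo "$r"
}

# Directory grant on /etc/ldconfig with /etc/ld.so.cache as a symlink:
# still matches after repeated rebuilds, and the loader's fixed path
# resolves to the covered file. Returns "ok" or "fail".
check_dir_grant() {
    work=$(fresh_tree)
    cache="$work/etc/ldconfig/ld.so.cache"
    ln -s "$cache" "$work/etc/ld.so.cache"
    i=0
    while [ "$i" -lt 3 ]; do regen_cache "$cache"; i=$((i + 1)); done
    target=$(readlink "$work/etc/ld.so.cache")
    if dir_grant_matches "$work/etc/ldconfig" "$target"; then r=ok; else r=fail; fi
    rm -rf "$work"
    echo "$r"
}

check_inode_grant
check_dir_grant
```

`ldconfig -C CACHE` is real glibc syntax, but the dynamic loader still opens /etc/ld.so.cache by its fixed name, which is why the symlink is part of the arrangement. The caveat that goes with it: relocating the cache only moves the problem unless the policy also keeps everyone except the role that runs ldconfig from writing to /etc/ldconfig, since Andreas's objection to granting read on /etc (root drops a module there and loads it) applies equally to the new directory. Whether RSBAC checks the right on the symlink's target or on the symlink itself when the loader follows it is something to confirm against the RSBAC version in use rather than assume.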