[rsbac] rsbac RC tutorial

Amon Ott ao at rsbac.org
Mon Mar 31 10:27:14 MEST 2003


On Friday 28 March 2003 15:20, Thorsten Sauter wrote:
> On Fri, Mar 28, 2003 at 05:42:42PM +0500, Arkady A Drovosekov wrote:
> > On Fri, Mar 28, 2003 at 12:59:06PM +0100, Thorsten Sauter wrote:
> > > 1. I'm looking for some real-world examples (e.g. protecting
> > > sendmail/ssh/ftp)
> > ex:
> > attr_set_file_dir -a CAP FILE /usr/sbin/sendmail min_caps NET_BIND_SERVICE
> > ? attr_set_file_dir -a CAP FILE /usr/sbin/sendmail min_caps SETUID
> > ? auth_set_cap FILE add /usr/sbin/sendmail 1000 65534
> > add system user 'sendmail'
> > run sendmail as user 'sendmail'
> uh. a little bit too complex for me. I'm currently still in the "using
> dialog" phase :)
> But I'll try to understand the example.

A bit easier is to just remove some sendmail CAPS through max_caps on 
/usr/sbin/sendmail.

Call rsbac_fd_menu /usr/sbin/sendmail, choose CAP max_caps, and remove 
everything but NET_BIND_SERVICE (and possibly DAC_OVERRIDE).
 
> > > 4. I'm trying to run apache without root rights. For this I have simply
> > > applied the Linux CAP through the FF module to /usr/sbin/apache. I'm
> > > not sure if this is a good way, is it? Maybe not the best way to do
> > > everything on filesystem base.
> > apache contains in the sources some checks for uid like that:
> > if (!getuid()) {
> > you have to change it to something like:
> > if (1 || !getuid()) {
> > 
> > change config.layout to put all var files into one dir (/var/apache-r3 here)
> > after recompiling you can apply something like this:
> > 
> > daemon=/usr/local/apache-r3/lib/apache-r3
> > var=/var/apache-r3
> > init_user=www-init
> > work_user=www-data
> > attr_set_file_dir CAP FILE "$daemon" min_caps SETGID SETUID
> > NET_BIND_SERVICE
> > auth_set_cap FILE add "$daemon" "$work_user"
> > attr_set_file_dir DIR "$var" linux_dac_disable 1
> > acl_grant -r -s -u $init_user RW FD "$var"
> > # ??? acl_grant -r -s -u $work_user RW FD "$var"
> > 
> > and change apache.conf
> hmm. I have successfully setup apache without changing the source code.
> CAP_DAC_OVERRIDE, CAP_NET_BIND_SERVICE. Is this not a good way?

Again, for easier use you can restrict the capabilities on the binary (s.a.) - 
just keep NET_BIND_SERVICE, SETGID and SETUID.

Another idea would be to additionally encapsulate apache with a JAIL, which 
automatically removes all admin rights and which can restrict apache's 
network usage. If a real chroot environment is too much work, just use / for 
now - it will still give you much more security beside filesystem accesses.

Arkady's is a more restricted example, which already uses three modules (CAP, 
AUTH and ACL) and some extra functionality (like replacing Linux DAC with ACL 
settings).

Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
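The max_caps approach Amon recommends above for sendmail and apache, written as a non-interactive script instead of the rsbac_fd_menu dialog. This is an added example, not code from the post or the RSBAC project; it assumes the RSBAC admin tools attr_set_file_dir and attr_get_file_dir are installed and that max_caps takes a list of capability names the same way min_caps does in Arkady's commands.

```shell
#!/bin/sh
# Added example (not from the list post or RSBAC itself): scripted version
# of "rsbac_fd_menu <binary>, CAP max_caps, keep only ...".
# Assumptions: attr_set_file_dir / attr_get_file_dir are present and
# max_caps accepts a capability-name list like min_caps in the thread.
# RSBAC_SET / RSBAC_GET let you substitute the tool names (RSBAC_SET=echo
# gives a dry run that just prints the command that would be issued).
set -eu

# Lower the Linux capability ceiling of a daemon binary.
# $1 = binary path, remaining args = the capabilities that stay allowed;
# everything not listed is dropped even while the daemon still runs as root.
restrict_max_caps() {
    bin=$1; shift
    [ $# -gt 0 ] || { echo "restrict_max_caps: no capabilities given" >&2; return 2; }
    [ -f "$bin" ] || { echo "restrict_max_caps: no such binary: $bin" >&2; return 1; }
    ${RSBAC_SET:-attr_set_file_dir} CAP FILE "$bin" max_caps "$@"
}

# Read the attribute back so the change can be checked and logged.
show_max_caps() {
    ${RSBAC_GET:-attr_get_file_dir} CAP FILE "$1" max_caps
}

# The two cases from the thread. Run with RSBAC_APPLY=1 on an RSBAC host.
apply_thread_examples() {
    # sendmail: only privileged-port binding (add DAC_OVERRIDE only if
    # it turns out to be needed, as the post notes).
    restrict_max_caps /usr/sbin/sendmail NET_BIND_SERVICE
    show_max_caps /usr/sbin/sendmail
    # apache: starts as root, binds port 80, then switches to its
    # unprivileged worker user, so SETUID/SETGID must stay allowed.
    restrict_max_caps /usr/sbin/apache NET_BIND_SERVICE SETGID SETUID
    show_max_caps /usr/sbin/apache
}

if [ "${RSBAC_APPLY:-0}" = 1 ]; then
    apply_thread_examples
fi
```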

