[rsbac] How to restrict root access almost entirely?
Stefan Ohletz
dabifml at gmx.net
Fri Oct 1 12:48:56 CEST 2004
Hi,
I think it has become clear to me how to use RC to protect the system
from services running setuid root. What hasn't entirely become clear to
me is how to protect the system from someone gaining root rights locally
(in whatever way).
The basic idea is to restrict system access for root (and users who
don't have admin rights) as much as possible. My approach and ideas so
far look like the following:
1. Create a new account "admin" for administering the system.
2. Give admin the necessary rights to administer the system.
3. Take away most rights root had so far.
Trying to realize such steps with RSBAC, I first created the account
"admin" and a role "Security Admin". Afterwards, I gave all the
necessary rights to "admin" to access objects of type Security_FD,
Security_Proc, and so on.
My first try was to restrict root access to /sbin/shutdown. Therefore I
set its type to "Security_FD". As I soon realized, although root wasn't
able to shut down the system, neither was admin, because /sbin/shutdown
has to be executed with uid 0. So I added admin to the wheel group, set
the suid bit on /sbin/shutdown and changed its group (and read/execute
permissions) to wheel.
Now everything works, but is this approach secure?
Of course, I want to restrict access not only to shutdown, but also to
passwd, chown, chmod, and many other system tools. Do I really need to
set them all to "setuid root", change their group to wheel and give them
FD-type "Security_FD"?
Moreover, I'm asking myself if there remains anything to do to hinder
ordinary users (or root) from gaining rights only admin should have. (I
already restricted su, for example, to ordinary accounts by setting its
AUTH capabilities.)
Thanks in advance for any comments or hints on my approach,
Stefan
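A small audit helper for the permission layout the post describes (setuid root, group wheel, no bits for "other"), added here as an example and not code from the original message or from the RSBAC project; it assumes GNU `stat -c '%a %U %G %n'` output as input, and the sample lines are constructed.

```sh
#!/bin/sh
# Added example, not code from the original post. It checks that a tool
# restricted the way the post describes (setuid root, group "wheel", no
# permission bits for "other") really has that layout, so a later chmod
# or package upgrade that silently reverts it is caught.
# Arguments are the four fields printed by (GNU stat format assumed):
#   stat -c '%a %U %G %n' /sbin/shutdown
# Returns 0 when the layout matches, 1 otherwise, with the reason on stderr.
check_restricted_tool() {
    mode=$1; owner=$2; group=$3; path=$4
    case "$mode" in
        ???) mode="0$mode" ;;   # stat omits the leading digit when no special bits are set
    esac
    special=$(printf '%s' "$mode" | cut -c1)   # 4=setuid 2=setgid 1=sticky (summed)
    other=$(printf '%s' "$mode" | cut -c4)     # permission bits for "other"
    case "$special" in
        4|5|6|7) ;;   # setuid bit is present, as the tool must run with uid 0
        *) echo "$path: setuid bit missing (mode $mode)" >&2; return 1 ;;
    esac
    [ "$owner" = root ]  || { echo "$path: owner is $owner, not root" >&2; return 1; }
    [ "$group" = wheel ] || { echo "$path: group is $group, not wheel" >&2; return 1; }
    [ "$other" = 0 ]     || { echo "$path: 'other' still has mode bits $other" >&2; return 1; }
    return 0
}

# Reads stat lines (one tool per line) from stdin, prints OK/FAIL per tool
# and returns 1 if any tool deviates from the layout, 0 if all conform.
audit_tools() {
    failed=0
    while read -r m u g p; do
        [ -n "$p" ] || continue
        if check_restricted_tool "$m" "$u" "$g" "$p"; then
            echo "OK   $p"
        else
            echo "FAIL $p"; failed=1
        fi
    done
    return $failed
}

# Constructed sample lines (not real output from any system) covering the
# tools the post mentions; only shutdown already has the wanted layout.
SAMPLE_LINES='4750 root wheel /sbin/shutdown
4755 root root /usr/bin/passwd
755 root root /bin/chown
755 root root /bin/chmod'

printf '%s\n' "$SAMPLE_LINES" | audit_tools || echo "some tools still need attention"
```

On a live system, feed real data with `stat -c '%a %U %G %n' /sbin/shutdown /usr/bin/passwd ... | audit_tools` (GNU stat assumed).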