[rsbac] How to restrict root access almost entirely?

Amon Ott ao at rsbac.org
Fri Oct 1 13:47:59 CEST 2004

On Friday, 1 October 2004 12:48, Stefan Ohletz wrote:
> The basic idea is to restrict system access for root (and users who 
> don't have admin rights) as much as possible. My approach and ideas 
> far look like the following:
> 1. Create a new account "admin" for administering the system.
> 2. Give admin the necessary rights to administer the system.
> 3. Take away most rights root had so far.

Sounds reasonable.
> Trying to realize such steps with RSBAC, I first created the account 
> "admin" and a role "Security Admin". Afterwards, I gave all the 
> necessary rights to "admin" to access objects of type Security_FD, 
> Security_Proc, and so on.
> My first try was to restrict root access to /sbin/shutdown. 
> Therefore I set its type to "Security_FD". As I soon realized, 
> although root able to shutdown the system, admin was neither, 
> because /sbin/shutdown has to be executed with uid 0. So I added 
> admin to the wheel group, the suid-bit on /sbin/shutdown and changed 
> its group (and permissions) to wheel.

You can enable the new fake_root option in RSBAC v1.2.3. Then set 
fake_root on the stupid program and it will always see uid 0 when 
calling getuid().
> Of course, I want to restrict access not only to shutdown, but also 
> passwd, chown, chmod, and many other system tools. Do I really need 
> to set them all to "setuid root", change their group to wheel and 
> give FD-type "Security_FD"?

The fake_root hack helps in this. Some programs can also be replaced 
by others, e.g. you can use usermod to change the password, which 
does not check for uid==0 here.
> Moreover, I'm asking myself if there remains anything to do to 
> ordinary users (or root) to gain rights only admin should have. (I 
> already restricted su, for example, to ordinary accounts by setting 
> AUTH capabilities.)

admin's console device should have a different RC type when logged in, 
so root cannot fake input into it.

What do you need the root account for, except for booting? RSBAC 
v1.2.3 comes up with a boot role, if you configured one, so there is 
no need for root's role having any special right.

http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22