[rsbac] How to restrict root access almost entirely?
Amon Ott
ao at rsbac.org
Fri Oct 1 13:47:59 CEST 2004
On Friday, 1 October 2004 12:48, Stefan Ohletz wrote:
> The basic idea is to restrict system access for root (and users who
> don't have admin rights) as much as possible. My approach and ideas so
> far look like the following:
>
> 1. Create a new account "admin" for administering the system.
> 2. Give admin the necessary rights to administer the system.
> 3. Take away most rights root had so far.
Sounds reasonable.
> Trying to realize such steps with RSBAC, I first created the account
> "admin" and a role "Security Admin". Afterwards, I gave all the
> necessary rights to "admin" to access objects of type Security_FD,
> Security_Proc, and so on.
>
> My first try was to restrict root access to /sbin/shutdown. Therefore I
> set its type to "Security_FD". As I soon realized, although root wasn't
> able to shut down the system, neither was admin, because /sbin/shutdown
> has to be executed with uid 0. So I added admin to the wheel group, set
> the suid-bit on /sbin/shutdown and changed its group (and read/execute
> permissions) to wheel.
You can enable the new fake_root option in RSBAC v1.2.3. Then set
fake_root on the stupid program and it will always see uid 0 when
calling getuid().
> Of course, I want to restrict access not only to shutdown, but also to
> passwd, chown, chmod, and many other system tools. Do I really need to
> set them all to "setuid root", change their group to wheel and give them
> FD-type "Security_FD"?
The fake_root hack helps in this. Some programs can also be replaced
by others, e.g. you can use usermod to change the password, which
does not check for uid==0 here.
> Moreover, I'm asking myself if there remains anything to do to hinder
> ordinary users (or root) from gaining rights only admin should have. (I
> already restricted su, for example, to ordinary accounts by setting its
> AUTH capabilities.)
admin's console device should have a different RC type when logged in,
so root cannot fake input into it.
What do you need the root account for, except for booting? RSBAC
v1.2.3 comes up with a boot role, if you configured one, so there is
no need for root's role having any special right.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
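
An added example, not part of the original message and not RSBAC code: a shell check for the setuid-plus-wheel approach discussed in the thread, listing setuid files under a directory and whether execution is open to every user or limited to owner and group. The function names and the optional owner-uid argument are assumptions made for illustration.

```shell
#!/bin/sh
# Audit setuid files owned by a given uid (default 0, i.e. root).
# Every tool converted to "setuid root, group wheel" adds to this list,
# so it should be reviewed after each such change.

# suid_audit DIR [OWNER_UID]
# Prints one line per setuid file owned by OWNER_UID:
#   WORLD <path>  executable by "other": any local user runs it as the owner
#   GROUP <path>  not executable by "other": limited to owner/group (e.g. wheel)
suid_audit() {
    dir=$1
    owner=${2:-0}
    # setuid bit set AND execute bit for "other" set
    find "$dir" -type f -user "$owner" -perm -4001 -print | sed 's/^/WORLD /'
    # setuid bit set AND execute bit for "other" clear
    find "$dir" -type f -user "$owner" -perm -4000 ! -perm -0001 -print |
        sed 's/^/GROUP /'
}

# suid_count DIR OWNER_UID KIND
# Number of audit lines of the given KIND (WORLD or GROUP).
suid_count() {
    suid_audit "$1" "$2" | awk -v k="$3" '$1 == k { n++ } END { print n + 0 }'
}
```

Run as `suid_audit /sbin` (or `/bin`, `/usr/bin`) to review the result; under the scheme in the thread, the administrative tools should appear only as `GROUP` lines.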