[rsbac] ssh rc-role

tazok tazok.id0 at gmail.com
Thu Aug 24 17:05:18 CEST 2006


2006/8/24, Amon Ott <ao at rsbac.org>:

> If e.g. sshd gets hacked like it has been before, it either still runs
> with the initial role and has minimal rights, or tries to setuid, and
> that is restricted through AUTH (and optionally RC, ACL in RSBAC
> 1.3). So the damage can be minimalized.
>
> Amon.

But it means that each process with the capability to change to the
secoff's uid granted by the AUTH module (for example /bin/login)
could change to the secoff account without restrictions... So the
restrictions imposed on the login initial role would be inefficient in
any case if (for example) a stack overflow occurs within it, because it
was granted the capability to change to the secoff ID (maybe through
a ret2libc attack invoking the setuid call?). If that's the case, then
in this way there is no possibility of defense on our side, is there?

Even more, granting setuid to the secoff account to the sshd daemon
would be a great risk even with a greatly restricted sshd initial
role... Hmm... I didn't think about this before (until now I have only
permitted access to the secoff account locally by way of login, but I
think it is a great danger).

