[rsbac] rsbac and ntpd, got it

jochem_ippers at email.de jochem_ippers at email.de
Thu Jan 19 15:28:36 CET 2006


I just saw that I compiled CONFIG_SECURITY_CAPABILITIES=m but the module wasn't loaded. So I loaded it, and now ntpd works. Sorry, but maybe this can help other people later too. First I will compile it into the kernel. But another question: before that I gave ntpd the role 'System Admin' - is that really mandatory, and if so, is this (i.e. setting a role for rather standard processes) something that has to be done more often?
Greetings
Jochem


RSBAC Discussion and Announcements <rsbac at rsbac.org> wrote on 19.01.06 14:37:32:
> 
> Hi,
> I've just tried it in softmode again without chroot jail (it was not the rsbac JAIL before) and with all min-CAPs turned on for /usr/ntpd. But it's still the same error. But now there is also the rsbac NOT GRANTED warning (MODIFY_SYSTEM_DATA) by the RC module.
> Hmm, before the reboot into softmode I switched the RC module off when I set the ACL; after that worked I tried to switch RC on again, but that didn't work. So I rebooted (with the RC module and softmode switched on) and now it logs the mentioned rsbac message (again). So I am not sure how/if both warnings (rsbac, ntp log) relate to each other. Do I have to create a role for ntpd (first)?
> I think I need some time to understand how to control such 'inner' system stuff with rsbac - tricky, but very interesting. And I hope my question won't be too dumb. ;-)
> Greetings
> Jochem
> 
> 
> 
> RSBAC Discussion and Announcements <rsbac at rsbac.org> wrote on 19.01.06 13:04:59:
> > 
> > On Thursday 19 January 2006 12:56, jochem_ippers at email.de wrote:
> > > I've got a problem with the ntpd (working as a client). I set AUTH
> > > capabilities (to user/group ntp) and then an ACL entry for ntpd (SCD:
> > > capability/MODIFY_SYSTEM_DATA or: clock) so that the rsbac log entries
> > > (...NOT GRANTED...) disappeared. When I start ntpd it contacts the
> > > ntp server but then it mmm dies, and the ntp log says:
> > > cap_set_proc() failed to drop root privileges: Operation not
> > > permitted
> > > So I tried different settings, but even setting CAP:min_caps to ALL
> > > and suid to on (for /usr/sbin/ntpd) doesn't change it.
> > > Does anyone know the 'trick'? (Is it a posix capability (module)
> > > thing?)
> > 
> > Do you run ntpd in a jail? Or with a max_caps setting?
> > 
> > Does it work in global softmode?
> > 
> > Amon.
> > -- 
> > http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
> > _______________________________________________
> > rsbac mailing list
> > rsbac at rsbac.org
> > http://www.rsbac.org/mailman/listinfo/rsbac
> 
> 
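The resolution in this thread was that CONFIG_SECURITY_CAPABILITIES had been built as a module (=m) but never loaded, so ntpd's cap_set_proc() call failed even though the RSBAC CAP settings looked right. The following is an added example, not code from the thread or from the RSBAC project: a small POSIX shell function that classifies how a kernel option is provided (built in, module loaded, module built but not loaded, disabled) from the kernel config text and lsmod output, so this particular misconfiguration is caught by a check rather than by a dying daemon. The module name "capability" and the sample config/lsmod text are assumptions constructed for the demonstration; on a live system you would feed it /boot/config-$(uname -r) and the real lsmod output.

```shell
#!/bin/sh
# Added example (not from the mailing list thread). Classifies a kernel
# option so that "compiled as a module but not loaded" is reported clearly.
#
# Usage: cap_state CONFIG_NAME MODULE_NAME "<config text>" "<lsmod text>"
# Prints one of: builtin, module-loaded, module-not-loaded, disabled, unknown
cap_state() {
    opt=$1
    mod=$2
    cfg=$3
    lsmod_out=$4

    # First matching config line: "CONFIG_X=y", "CONFIG_X=m" or "# CONFIG_X is not set"
    line=$(printf '%s\n' "$cfg" | grep -E "^(# )?$opt[= ]" | head -n 1)

    case $line in
        "$opt=y")
            echo builtin ;;
        "$opt=m")
            # Built as a module: it only counts if lsmod lists it (first column)
            if printf '%s\n' "$lsmod_out" | awk '{print $1}' | grep -qxF "$mod"; then
                echo module-loaded
            else
                echo module-not-loaded
            fi ;;
        "# $opt is not set")
            echo disabled ;;
        *)
            echo unknown ;;
    esac
}

# Constructed sample inputs (assumed, for offline demonstration only).
SAMPLE_CFG='CONFIG_SECURITY=y
CONFIG_SECURITY_CAPABILITIES=m
CONFIG_RSBAC=y'

SAMPLE_LSMOD_MISSING='Module                  Size  Used by
rsbac_jail             12345  0'

SAMPLE_LSMOD_PRESENT='Module                  Size  Used by
capability              4321  0
rsbac_jail             12345  0'

# Demonstration run over the constructed samples; module name "capability" is assumed.
echo "module missing:  $(cap_state CONFIG_SECURITY_CAPABILITIES capability "$SAMPLE_CFG" "$SAMPLE_LSMOD_MISSING")"
echo "module present:  $(cap_state CONFIG_SECURITY_CAPABILITIES capability "$SAMPLE_CFG" "$SAMPLE_LSMOD_PRESENT")"
```

On a running box the same function can be called as `cap_state CONFIG_SECURITY_CAPABILITIES capability "$(cat /boot/config-$(uname -r))" "$(lsmod)"`; a result of module-not-loaded is exactly the state described in the message above, and building the option in (=y) removes the dependency on the module being loaded at boot.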