[rsbac] rsbac and ntpd
jochem_ippers at email.de
Thu Jan 19 17:10:46 CET 2006
Hi Andrea!
Thank you very much! The rpm is great, because there are a lot of examples of how to use/configure rsbac, and that's really helpful for a beginner. I just got ntp working (in a chroot jail) by giving the user 'ntp' ACL rights (on SCD: capabilities, clock, time_strucs) and the RC role System_Admin, but I guess that's not the most secure configuration ;-) so I will try your solution soon.
Greetings
Jochem
RSBAC Discussion and Announcements <rsbac at rsbac.org> wrote on 19.01.06 16:29:23:
>
> I am using ntpd and rsbac, there is a little bit of config to do to run
> it. I have a script (no menus) which does that for me (and no JAIL), it
> is not the best and most secure script, I am sure, but ntpd works fine
> with it. At least it can give you an idea of what it could be needed to
> get ntpd to work. You can find the script in the rpm at
> http://fedora.rsbac.org/4/rsbac-scripts-1.2.5-fc4.22.noarch.rpm
>
> Andrea
>
> PS. If an rpm is no good for you, mail me directly and I'll send you
> just the ntpd script.
>
>
> On Thu, Jan 19, 2006 at 02:37:02PM +0100, jochem_ippers at email.de wrote:
> * Hi,
> * I've just tried it in softmode again without chroot jail (it was not the rsbac JAIL before) and with all min-CAPs turned on for /usr/ntpd. But it's still the same error. But now there is also the rsbac NOT GRANTED warning (MODIFY_SYSTEM_DATA) by the RC module.
> * Hmm, before the reboot into softmode I switched the RC module off when I set the ACL, after that worked I tried to switch RC on again, but that didn't work. So, I rebooted (with RC module and softmode switched on) and now it logs the mentioned rsbac message (again). So, I am not sure how/if both warnings (rsbac, ntp-log) relate to each other. Do I have to create a role for ntpd (first)?
> * I think I need some time to understand how to control such 'inner' system stuff with rsbac - tricky, but very interesting. And I hope my question won't be too dumb. ;-)
> * Greetings
> * Jochem
> *
> *
> *
> * RSBAC Discussion and Announcements <rsbac at rsbac.org> wrote on 19.01.06 13:04:59:
> * >
> * > On Thursday 19 January 2006 12:56, jochem_ippers at email.de wrote:
> * > > I've got a problem with the ntpd (working as a client). I set AUTH
> * > capabilities (to user/group ntp) and then an ACL entry for ntpd (SCD:
> * > capability/MODIFY_SYSTEM_DATA or: clock) so that the rsbac log entries
> * > (...NOT GRANTED...) disappeared. When I start ntpd it contacts the
> * > ntp server but then it mmm dies, and the ntp log says:
> * > > cap_set_proc() failed to drop root privileges: Operation not
> * > permitted
> * > > So I tried different settings, but even setting CAP:min_caps to ALL
> * > and suid to on (for /usr/sbin/ntpd) doesn't change it.
> * > > Does anyone know the 'trick'? (Is it a posix capability (module)
> * > thing?)
> * >
> * > Do you run ntpd in a jail? Or with a max_caps setting?
> * >
> * > Does it work in global softmode?
> * >
> * > Amon.
> * > --
> * > http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
> * > _______________________________________________
> * > rsbac mailing list
> * > rsbac at rsbac.org
> * > http://www.rsbac.org/mailman/listinfo/rsbac
> *
> *
>
> --
> Andrea Pasquinucci andrea at rsbac.org http:/www.rsbac.org/
> My public PGP key is at http://www.ucci.it/andrea_rsbac_key.asc
> fingerprint = E74B E276 0F75 F894 0DBD 3A04 AE80 B557 6550 270F