[rsbac] sshd problems
Amon Ott
ao at rsbac.org
Wed Apr 4 10:16:16 CEST 2007
On Wednesday 04 April 2007 10:04, Sven Seeland wrote:
> So you are saying I should grant the initial sshd process the right
> to setuid to root and to authenticate users? Isn't that a huge risk
> in case sshd is hacked, as it has been before? I'm thinking whether
> it might be safer to work with a fake root and a min cap that
> allows setuid but that doesn't help that much because the attacker
> would then still have the right to setuid to root.
You only allow setting the euid and fsuid to root, not the real uid.
So this root process runs with the SSHD Initial role and has only the
rights you want it to. Additionally, you can remove all unnecessary
capabilities with a CAP max_caps setting.
Also, during network conversation the process runs as user 22. You can
further reduce its rights, if you assign yet another role as def_role
to that user.
If you know that you will never need administrative rights over ssh,
you can also run sshd in a jail. Then whatever RC roles the users
have, they will always be inside this jail with limited rights, if
they came through ssh.
> And to answer your questions: yes, the sshd user 22 has role 0 and
> I'm trying to login as secoff. I already have debug_adf_rc enabled,
> that's how I know that the process that is trying to authenticate
> has the role 0.
Oh yes, right.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22