[rsbac] sshd problems

Sven Seeland sven.seeland at gmx.de
Mon Apr 9 20:58:59 CEST 2007


I'm sorry for being so slow but I still can't get it right. I made a copy of the
General User role and called it SSHD Initial. I granted this role the additional
rights (AUTHENTICATE, SEARCH, CHOWN, GET_STATUS_DATA) for SSHD to function
properly. I set up SSHD itself with AUTH May Setuid to up_mixed. I allowed it to
chown and chgrp to 22 and 0. But still, I have to explicitly allow it to chown
to 400 (secoff) when I'm trying to log in as secoff, even though secoff is
authenticated! What am I doing wrong here?

The thing is: sshd is trying to CHANGE_DAC_EFF_OWNER to 400 before I can even
enter a password. If it can't do this, it closes the connection. But this means
that I have to either allow setuid for all IDs, which is something I don't want
to do, or I have to allow it to setuid to all user ids that are allowed to log in
via ssh, which is something I don't want to do either since those may be a few
and they may change rather frequently. So what shall I do?

Thanks a lot for your help,

Sven

Amon Ott wrote:
> On Wednesday 04 April 2007 10:04, Sven Seeland wrote:
>> So you are saying I should grant the initial sshd process the right
>> to setuid to root and to authenticate users? Isn't that a huge risk
>> in case sshd is hacked, as it has been before? I'm thinking whether
>> it might be safer to work with a fake root and a min cap that
>> allows setuid but that doesn't help that much because the attacker
>> would then still have the right to setuid to root.
> 
> You only allow setting the euid and fsuid to root, not the real uid. 
> So this root process runs with the SSHD Initial role and has only the 
> rights you want it to. Additionally, you can remove all unnecessary 
> capabilities with a CAP max_caps setting.
> 
> Also, during network conversation the process runs as user 22. You can 
> further reduce its rights, if you assign yet another role as def_role
> to that user.
> 
> If you know that you will never need administrative rights over ssh, 
> you can also run sshd in a jail. Then whatever RC roles the users 
> have, they will always be inside this jail with limited rights, if 
> they came through ssh.
> 
>> And to answer your questions: yes, the sshd user 22 has role 0 and
>> I'm trying to login as secoff. I already have debug_adf_rc enabled,
>> that's how I know that the process that is trying to authenticate
>> has the role 0.
> 
> Oh yes, right.
> 
> Amon.
