[rsbac] sshd problems
Sven Seeland
sven.seeland at gmx.de
Mon Apr 9 20:58:59 CEST 2007
I'm sorry for being so slow but I still can't get it right. I made a copy of the
General User role and called it SSHD Initial. I granted this role the additional
rights (AUTHENTICATE, SEARCH, CHOWN, GET_STATUS_DATA) for SSHD to function
properly. I set up SSHD itself with AUTH May Setuid to up_mixed. I allowed it to
chown and chgrp to 22 and 0. But still, I have to explicitly allow it to chown
to 400 (secoff) when I'm trying to login as secoff, even though secoff is
authenticated! What am I doing wrong here?
The thing is: sshd is trying to CHANGE_DAC_EFF_OWNER to 400 before I can even
enter a password. If it can't do this, it closes the connection. But this means
that I have to either allow setuid for all IDs, which is something I don't want
to do, or I have to allow it to setuid to all user ids that are allowed to login
via ssh, which is something I don't want to do either since those may be a few
and they may change rather frequently. So what shall I do?
Thanks a lot for your help,
Sven
Amon Ott wrote:
> On Wednesday 04 April 2007 10:04, Sven Seeland wrote:
>> So you are saying I should grant the initial sshd process the right
>> to setuid to root and to authenticate users? Isn't that a huge risk
>> in case sshd is hacked, as it has been before? I'm thinking whether
>> it might be safer to work with a fake root and a min cap that
>> allows setuid but that doesn't help that much because the attacker
>> would then still have the right to setuid to root.
>
> You only allow setting the euid and fsuid to root, not the real uid.
> So this root process runs with the SSHD Initial role and has only the
> rights you want it to. Additionally, you can remove all unnecessary
> capabilities with a CAP max_caps setting.
>
> Also, during network conversation the process runs as user 22. You can
> further reduce its rights, if you assign yet another role as def_role
> to that user.
>
> If you know that you will never need administrative rights over ssh,
> you can also run sshd in a jail. Then whatever RC roles the users
> have, they will always be inside this jail with limited rights, if
> they came through ssh.
>
>> And to answer your questions: yes, the sshd user 22 has role 0 and
>> I'm trying to login as secoff. I already have debug_adf_rc enabled,
>> that's how I know that the process that is trying to authenticate
>> has the role 0.
>
> Oh yes, right.
>
> Amon.