[rsbac] sshd problems

Amon Ott ao at rsbac.org
Tue Apr 10 08:19:46 CEST 2007

On Monday 09 April 2007 20:58, Sven Seeland wrote:
> I'm sorry for being so slow but I still can't get it right. I made
> a copy of the General User role and called it SSHD Inital. I
> granted this role the additional rights (AUTHENTICATE, SEARCH,
> CHOWN, GET_STATUS_DATA) for SSHD to function properly. I set up
> SSHD itself with AUTH May Setuid to up_mixed. I allowed it to chown
> and chgrp to 22 and 0.

This sounds correct.

> But still, I have to explicitly allow it to 
> chown to 400 (secoff) when I'm trying to login as secoff,  even
> though secoff is authenticated! What am I doing wrong here?
> The thing is: sshd is trying to CHANGE_DAC_EFF_OWNER to 400 before
> I can even enter a password. If it can't to this, it closes the
> connection. But this means that I have to either allow setuid for
> all IDs, which is something I don't want to do, or I have to allow
> it to setuid to all user ids that are allowed to login via ssh,
> which is something I don't want to do either since those may be a
> few and they may change rather frequently. So what shall I do?

Given the way sshd works, there is not much else you can do but grant 
CHANGE_DAC_EFF_OWNER to all uids (seteuid) that are supposed to 
login. For me, the important thing is to deny CHANGE_OWNER without 
authentication - setting the real uid (setuid) is what gives you 
RSBAC rights. Then the sshd process still runs with the initial role, 
so you can easily deny access to home dirs etc.

http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

More information about the rsbac mailing list