[rsbac] sshd problems

Amon Ott ao at rsbac.org
Wed Apr 11 10:12:02 CEST 2007

On Tuesday 10 April 2007 10:19, Sven Seeland wrote:
> Okay, this is starting to feel embarrasing...
> I set the CHANGE_DAC_EFF_OWNER and CHANGE_DAC_FS_OWNER to the range
> 0:65534 in order to allow any and all uids (I will narrow that down
> later on). Now the communication works. I don't get any RSBAC
> errors until the parent process wants to spawn the final shell
> process. This is what I get (non-softmode):
> <6>0000004541|rsbac_adf_request(): request CHANGE_OWNER, pid 30911,
> ppid 30910, prog_name sshd, prog_file /usr/sbin/sshd, uid 22, audit
> uid 400, remote ip, target_type PROCESS, tid 30911,
> attr owner, value 0, result NOT_GRANTED by AUTH
> <6>0000004542|rsbac_adf_request(): request CHANGE_OWNER, pid 30914,
> ppid 30910, prog_name sshd, prog_file /usr/sbin/sshd, uid 0, audit
> uid 400, remote ip, target_type PROCESS, tid 30914,
> attr owner, value 400, result NOT_GRANTED by AUTH
> pid 30910 is obviously the parent process. 30911 is the process
> doing the communication. 30914 is apparently the process that is
> trying to actually spawn (or become?) the shell. Since this is
> NOT_GRANTED by AUTH the problem should lie with /usr/sbin/sshd (the
> file) and not SSHD_Inital (the role), I believe.

Only last night I realized that it is not the process doing the 
authentication which tries to setuid in the end. Instead, sshd 
creates one child process to do authentication and a new child 
process for setuid. So it cannot work this way.

Blame sshd Privilege Separation scheme for this...

You might consider turning that scheme off with
UsePrivilegeSeparation no
in sshd_config.

I will think about a secure solution to this problem - obviously we 
cannot set last_auth for every parent process, too, so that other 
children can get it inherited. During my tests, I added inheritance 
to child processes, so in other cases we might have some benefit.

http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

More information about the rsbac mailing list