| 1 |
Richard Simpson wrote: |
| 2 |
|
| 3 |
>>-----Original Message----- |
| 4 |
>>From: Peter Buettner [mailto:pb@××××××××××××.de] |
| 5 |
>>Sent: Thursday, September 09, 2004 9:43 AM |
| 6 |
>>To: gentoo-hardened@l.g.o |
| 7 |
>>Subject: [gentoo-hardened] su and newrole do not work from normal user |
| 8 |
>>account |
| 9 |
>> |
| 10 |
>> |
| 11 |
>>Hello, |
| 12 |
>> |
| 13 |
>>I performed a stage1 install from the hardened gentoo CD. |
| 14 |
>>Installation works fine and without problems. |
| 15 |
>> |
| 16 |
>>But with the loaded policy it is not possible to do newrole -r or |
| 17 |
>>su - from normal user account. |
| 18 |
>> |
| 19 |
> |
| 20 |
> |
| 21 |
> I believe you would need to allow the role transition. See staff.te. The |
| 22 |
> default policy seems to only allow role transitions between staff and |
| 23 |
> sysadm. Rather than allowing a role transition to/from the unprivileged |
| 24 |
> user_r, it would be more secure to instead grant additional privileges to an |
| 25 |
> individual user, or create a new role with privileges applicable for a group |
| 26 |
> of users. See staff.te for ideas on this. |
| 27 |
> |
| 28 |
> Richard. |
| 29 |
> |
| 30 |
> |
| 31 |
> -- |
| 32 |
> gentoo-hardened@g.o mailing list |
| 33 |
> |
| 34 |
> |
| 35 |
|
| 36 |
Role transition is not used anywhere in the Gentoo base policy and we do |
| 37 |
not recommend it's use unless you have very specific security goals that |
| 38 |
it can address, you are refering to role allows, and you are right, |
| 39 |
user_r does not have the ability to change roles to sysadm_r. Only |
| 40 |
staff_r can do this. |
| 41 |
|
| 42 |
This is a specific design decision, you do not want your administrators |
| 43 |
to be user_r and have a user_home_dir_t home directory, you need to |
| 44 |
segment them from unprivileged users to keep their files, processes, etc |
| 45 |
seperate. The best example of why this is good is, for example, if a |
| 46 |
sysadmin logs in with user_r his ssh agent would be user_tmp_t. This is |
| 47 |
obviously a bad thing, if he logs in as staff_t then his ssh agent is |
| 48 |
staff_tmp_t which wouldn't be accessible at all by unprivileged users, |
| 49 |
even if they could bypass DAC. |
| 50 |
|
| 51 |
Joshua Brindle |
| 52 |
|
| 53 |
-- |
| 54 |
gentoo-hardened@g.o mailing list |
Archives