Richard Simpson wrote:

>>-----Original Message-----
>>From: Peter Buettner [mailto:pb@××××××××××××.de]
>>Sent: Thursday, September 09, 2004 9:43 AM
>>To: gentoo-hardened@l.g.o
>>Subject: [gentoo-hardened] su and newrole do not work from normal user
>>account
>>
>>
>>Hello,
>>
>>I performed a stage1 install from the hardened gentoo CD.
>>Installation works fine and without problems.
>>
>>But with the loaded policy it is not possible to do newrole -r or
>>su - from normal user account.
>>
>
>
> I believe you would need to allow the role transition. See staff.te. The
> default policy seems to only allow role transitions between staff and
> sysadm. Rather than allowing a role transition to/from the unprivileged
> user_r, it would be more secure to instead grant additional privileges to an
> individual user, or create a new role with privileges applicable for a group
> of users. See staff.te for ideas on this.
>
> Richard.
>
>
> --
> gentoo-hardened@g.o mailing list
>
>

Role transition is not used anywhere in the Gentoo base policy and we do
not recommend its use unless you have very specific security goals that
it can address. You are referring to role allows, and you are right:
user_r does not have the ability to change roles to sysadm_r. Only
staff_r can do this.

This is a specific design decision: you do not want your administrators
to be user_r and have a user_home_dir_t home directory; you need to
segment them from unprivileged users to keep their files, processes, etc.
separate. The best example of why this is good is, for example, if a
sysadmin logs in with user_r his ssh agent would be user_tmp_t. This is
obviously a bad thing; if he logs in as staff_t then his ssh agent is
staff_tmp_t, which wouldn't be accessible at all by unprivileged users,
even if they could bypass DAC.

Joshua Brindle

--
gentoo-hardened@g.o mailing list
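The distinction Joshua draws above (role allows decide what `newrole -r` may do; `role_transition` is a separate, automatic mechanism) can be checked mechanically against a policy source. The following is an added example, not code from the thread or from the Gentoo policy: it parses `allow ROLE ROLE;` role-allow statements and `role_transition` statements out of a constructed policy snippet and computes which roles a given role can reach through `newrole`. The snippet's rules mirror the thread (staff_r and sysadm_r may change into each other, user_r may not); the `role_transition` line and its `hypothetical_exec_t` / `hypothetical_r` names are invented purely to show that such a statement is not a role-allow edge.

```python
"""Reachability over SELinux role-allow statements.

Added example (not from the gentoo-hardened thread or the Gentoo policy).
Distinguishes the two statement kinds discussed in the thread:

  allow ROLE_A ROLE_B;                    -> role allow: newrole/su may move A -> B
  role_transition ROLE TYPE NEW_ROLE;     -> automatic role change on exec of TYPE

Only the first kind is followed when answering "can A newrole to B?".
"""
import re
from collections import deque

# Constructed sample policy. The role_transition line is hypothetical and
# exists only to show it is parsed separately from role allows.
SAMPLE_POLICY = """
role staff_r types staff_t;
role sysadm_r types sysadm_t;
role user_r types user_t;
allow staff_r sysadm_r;
allow sysadm_r staff_r;
# TE allow rules carry a class after a colon and are not role allows:
allow staff_t sysadm_t:process transition;
role_transition sysadm_r hypothetical_exec_t hypothetical_r;
"""

# A role allow is "allow X Y;" where X and Y are role names or brace lists and
# neither contains a colon (a colon marks a TE allow's object class).
_ROLE_TOKEN = r"(\{[^}]*\}|[^\s:{};]+)"
ROLE_ALLOW_RE = re.compile(r"^\s*allow\s+" + _ROLE_TOKEN + r"\s+" + _ROLE_TOKEN + r"\s*;\s*$")
ROLE_TRANSITION_RE = re.compile(r"^\s*role_transition\s+(\S+)\s+(\S+)\s+(\S+)\s*;\s*$")


def _expand(token):
    """Turn 'staff_r' or '{ staff_r user_r }' into a list of role names."""
    return token.strip("{}").split()


def parse_role_allows(policy):
    """Return {source_role: {target_role, ...}} from role-allow statements."""
    edges = {}
    for line in policy.splitlines():
        m = ROLE_ALLOW_RE.match(line)
        if not m:
            continue
        for src in _expand(m.group(1)):
            edges.setdefault(src, set()).update(_expand(m.group(2)))
    return edges


def parse_role_transitions(policy):
    """Return [(current_role, exec_type, new_role), ...]; kept separate on purpose."""
    found = []
    for line in policy.splitlines():
        m = ROLE_TRANSITION_RE.match(line)
        if m:
            found.append(m.groups())
    return found


def reachable_roles(edges, start):
    """Breadth-first closure over role-allow edges, chaining through intermediates."""
    seen = {start}
    queue = deque([start])
    while queue:
        role = queue.popleft()
        for nxt in edges.get(role, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def can_newrole(policy, src_role, dst_role):
    """True if src_role can reach dst_role via role allows (possibly in steps)."""
    return dst_role in reachable_roles(parse_role_allows(policy), src_role)


if __name__ == "__main__":
    for role in ("staff_r", "user_r"):
        print(role, "->", sorted(reachable_roles(parse_role_allows(SAMPLE_POLICY), role)))
    print("role_transition statements:", parse_role_transitions(SAMPLE_POLICY))
```

Run against a real policy by concatenating the `.te` files of interest into `policy` (or `sesearch --role_allow` on a compiled policy, where available); the TE `allow` line in the sample is there only to confirm the regex rejects rules that carry an object class.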