| 1 |
Hi Chris, |
| 2 |
|
| 3 |
Thanks for your helpful reply. Please see responses, below. I'll experiment |
| 4 |
and define the problem more precisely. But, to do so, I must have keyboard |
| 5 |
access. Breaking SSH is inconvenient when you're working remotely <g>. |
| 6 |
|
| 7 |
Cheers, |
| 8 |
|
| 9 |
--On Thursday, April 01, 2004 7:52 PM -0600 Chris PeBenito |
| 10 |
<pebenito@g.o> wrote: |
| 11 |
|
| 12 |
> On Tue, 2004-03-30 at 17:10, Bill McCarty wrote: |
| 13 |
>> |
| 14 |
>> neverallow ~{ auth auth_write } shadow_t:file ~getattr; |
| 15 |
> |
| 16 |
> This forces shadow access to only be through PAM, with few exceptions. |
| 17 |
> |
| 18 |
>> To log in via SSH and become the system administrator, I find that I |
| 19 |
>> must add the following permissions, which contradict the constraint: |
| 20 |
>> |
| 21 |
>> allow sshd_t shadow_t:file { getattr read }; |
| 22 |
>> allow sysadm_su_t shadow_t:file { getattr read }; |
| 23 |
> |
| 24 |
> I've not seen this. It seems like you don't have >=pam-0.77 installed, |
| 25 |
> since it affects sshd and su. |
| 26 |
|
| 27 |
Good hypothesis, but it doesn't seem to be the case, unless I should have |
| 28 |
pam-0.77-r1 rather than merely pam-0.77: |
| 29 |
|
| 30 |
emerge -pv pam pam-login |
| 31 |
|
| 32 |
These are the packages that I would merge, in order: |
| 33 |
|
| 34 |
Calculating dependencies ...done! |
| 35 |
[ebuild R ] sys-libs/pam-0.77 +berkdb -pwdb +selinux 0 kB |
| 36 |
[ebuild R ] sys-apps/pam-login-3.14 -nls +selinux 0 kB |
| 37 |
|
| 38 |
Total size of downloads: 0 kB |
| 39 |
|
| 40 |
I tried eliminating the policy: |
| 41 |
|
| 42 |
allow sysadm_su_t shadow_t:file { getattr read }; |
| 43 |
|
| 44 |
When I do so, the su command works normally. But, when I try to log in via |
| 45 |
SSH, I fail to get a command prompt. Instead, I get the message: |
| 46 |
|
| 47 |
Server refused to allocate pty |
| 48 |
|
| 49 |
This system was originally a non-SELinux system running devfs. Could I have |
| 50 |
screwed up by compiling something while devfs was still active, or |
| 51 |
otherwise have failed to perform some conversion step? I wonder.... |
| 52 |
|
| 53 |
|
| 54 |
>> I tried to investigate the auth type, but can't find where it's defined. |
| 55 |
> |
| 56 |
> It is an attribute, see attrib.te. |
| 57 |
|
| 58 |
Doh! Yes, I subsequently found this <g>. |
| 59 |
|
| 60 |
--------------------------------------------------- |
| 61 |
Bill McCarty, Ph.D. |
| 62 |
Professor of Information Technology |
| 63 |
Azusa Pacific University |
| 64 |
|
| 65 |
|
| 66 |
|
| 67 |
-- |
| 68 |
gentoo-hardened@g.o mailing list |
Archives