On Thu, 09 Sep 2004 12:28:23 -0400
Joshua Brindle <method@g.o> wrote:

> Richard Simpson wrote:
>
> >>-----Original Message-----
> >>From: Peter Buettner [mailto:pb@××××××××××××.de]
> >>Sent: Thursday, September 09, 2004 9:43 AM
> >>To: gentoo-hardened@l.g.o
> >>Subject: [gentoo-hardened] su and newrole do not work from normal user
> >>account
> >>
> >>Hello,
> >>
> >>I performed a stage1 install from the hardened gentoo CD.
> >>Installation works fine and without problems.
> >>
> >>But with the loaded policy it is not possible to do newrole -r or
> >>su - from normal user account.
> >>
> >
> > I believe you would need to allow the role transition. See staff.te. The
> > default policy seems to only allow role transitions between staff and
> > sysadm. Rather than allowing a role transition to/from the unprivileged
> > user_r, it would be more secure to instead grant additional privileges to an
> > individual user, or create a new role with privileges applicable for a group
> > of users. See staff.te for ideas on this.
> >
> > Richard.
> >
> > --
> > gentoo-hardened@g.o mailing list
> >
>
> Role transition is not used anywhere in the Gentoo base policy and we do
> not recommend its use unless you have very specific security goals that
> it can address. You are referring to role allows, and you are right,
> user_r does not have the ability to change roles to sysadm_r. Only
> staff_r can do this.

My problem is that staff_r can't do so.

Last login: Fri Sep 10 13:59:22 2004 from thor.personalwlan.de
sysop@access sysop $ id
uid=1000(sysop) gid=100(users) groups=10(wheel),100(users) context=sysop:staff_r:staff_t

sysop@access sysop $ su -
Password:
su: Authentication failure
Sorry.

sysop@access sysop $ newrole -r sysadm_r
Authenticating sysop.
Password:
newrole: incorrect password for sysop

Peter Büttner

> This is a specific design decision: you do not want your administrators
> to be user_r and have a user_home_dir_t home directory; you need to
> segment them from unprivileged users to keep their files, processes, etc.
> separate. The best example of why this is good is, for example, if a
> sysadmin logs in with user_r his ssh agent would be user_tmp_t. This is
> obviously a bad thing. If he logs in as staff_t then his ssh agent is
> staff_tmp_t, which wouldn't be accessible at all by unprivileged users,
> even if they could bypass DAC.
>
> Joshua Brindle
>
> --
> gentoo-hardened@g.o mailing list
>

--
gentoo-hardened@g.o mailing list