| 1 |
On Thu, 09 Sep 2004 12:28:23 -0400 |
| 2 |
Joshua Brindle <method@g.o> wrote: |
| 3 |
|
| 4 |
> Richard Simpson wrote: |
| 5 |
> |
| 6 |
> >>-----Original Message----- |
| 7 |
> >>From: Peter Buettner [mailto:pb@××××××××××××.de] |
| 8 |
> >>Sent: Thursday, September 09, 2004 9:43 AM |
| 9 |
> >>To: gentoo-hardened@l.g.o |
| 10 |
> >>Subject: [gentoo-hardened] su and newrole do not work from normal user |
| 11 |
> >>account |
| 12 |
> >> |
| 13 |
> >> |
| 14 |
> >>Hello, |
| 15 |
> >> |
| 16 |
> >>I performed a stage1 install from the hardened gentoo CD. |
| 17 |
> >>Installation works fine and without problems. |
| 18 |
> >> |
| 19 |
> >>But with the loaded policy it is not possible to do newrole -r or |
| 20 |
> >>su - from normal user account. |
| 21 |
> >> |
| 22 |
> > |
| 23 |
> > |
| 24 |
> > I believe you would need to allow the role transition. See staff.te. The |
| 25 |
> > default policy seems to only allow role transitions between staff and |
| 26 |
> > sysadm. Rather than allowing a role transition to/from the unprivileged |
| 27 |
> > user_r, it would be more secure to instead grant additional privileges to an |
| 28 |
> > individual user, or create a new role with privileges applicable for a group |
| 29 |
> > of users. See staff.te for ideas on this. |
| 30 |
> > |
| 31 |
> > Richard. |
| 32 |
> > |
| 33 |
> > |
| 34 |
> > -- |
| 35 |
> > gentoo-hardened@g.o mailing list |
| 36 |
> > |
| 37 |
> > |
| 38 |
> |
| 39 |
> Role transition is not used anywhere in the Gentoo base policy and we do |
| 40 |
> not recommend it's use unless you have very specific security goals that |
| 41 |
> it can address, you are refering to role allows, and you are right, |
| 42 |
> user_r does not have the ability to change roles to sysadm_r. Only |
| 43 |
> staff_r can do this. |
| 44 |
|
| 45 |
My problem is that staff_r can't do so. |
| 46 |
|
| 47 |
Last login: Fri Sep 10 13:59:22 2004 from thor.personalwlan.de |
| 48 |
sysop@access sysop $ id |
| 49 |
uid=1000(sysop) gid=100(users) groups=10(wheel),100(users) context=sysop:staff_r:staff_t |
| 50 |
|
| 51 |
sysop@access sysop $ su - |
| 52 |
Password: |
| 53 |
su: Authentication failure |
| 54 |
Sorry. |
| 55 |
|
| 56 |
sysop@access sysop $ newrole -r sysadm_r |
| 57 |
Authenticating sysop. |
| 58 |
Password: |
| 59 |
newrole: incorrect password for sysop |
| 60 |
|
| 61 |
|
| 62 |
|
| 63 |
|
| 64 |
Peter Büttner |
| 65 |
|
| 66 |
|
| 67 |
|
| 68 |
|
| 69 |
|
| 70 |
> This is a specific design decision, you do not want your administrators |
| 71 |
> to be user_r and have a user_home_dir_t home directory, you need to |
| 72 |
> segment them from unprivileged users to keep their files, processes, etc |
| 73 |
> seperate. The best example of why this is good is, for example, if a |
| 74 |
> sysadmin logs in with user_r his ssh agent would be user_tmp_t. This is |
| 75 |
> obviously a bad thing, if he logs in as staff_t then his ssh agent is |
| 76 |
> staff_tmp_t which wouldn't be accessible at all by unprivileged users, |
| 77 |
> even if they could bypass DAC. |
| 78 |
> |
| 79 |
> Joshua Brindle |
| 80 |
> |
| 81 |
> -- |
| 82 |
> gentoo-hardened@g.o mailing list |
| 83 |
> |
| 84 |
|
| 85 |
|
| 86 |
-- |
| 87 |
gentoo-hardened@g.o mailing list |
Archives