User Management Configuration

Before activating RSBAC User Management (UM) to improve system security, it is strongly recommended to read the overview under User Management first.

User Management (UM) must be enabled in the RSBAC kernel configuration. To store passwords hashed with SHA1, that algorithm must first be enabled in the kernel Crypto menu: the User Management menu only shows the SHA1 password option once SHA1 is enabled. After configuration, compile and install the kernel as usual.

The RSBAC admin tools contain the user and group management tools under the usual Linux names ({user|group}{add|mod|del}, passwd, gpasswd, login), prefixed with rsbac_. The rsbac_login command does not support PAM; it only understands RSBAC UM. These tools can be used as direct replacements for the standard ones, e.g. by symlinking them into /usr/local/bin, provided that directory comes first in PATH. All commands show a help screen with -h.

Additionally, rsbac_usershow and rsbac_groupshow give details about users and groups and can be used to back them up, provided you have the necessary access rights to each individual user and group.

To let ordinary Linux programs resolve and authenticate users through RSBAC UM, you need to compile and install the NSS and PAM modules from the admin tools contrib directory.

It is strongly recommended to enable UM debugging before starting the first tests. Either boot with the rsbac_debug_aef_um kernel parameter, or at runtime run as root or security officer:

echo "debug_aef_um 1" >/proc/rsbac-info/debug

Import existing users

Both rsbac_useradd and rsbac_groupadd have options to convert existing users and groups.

rsbac_useradd -v -O
rsbac_groupadd -v -O

Because users and groups reference each other (primary groups, group members), a single pass may leave some references unresolved; repeat the import if necessary, and always check the results with rsbac_usershow and rsbac_groupshow:

rsbac_groupshow groupname
rsbac_usershow username

Standard Linux passwords are hashed with a different algorithm and salt size, so the existing hashes cannot be converted. Passwords for imported users and groups must therefore be reset, e.g. with rsbac_usermod or rsbac_passwd. Note that a password given on the command line (-p) is visible in the process list and ends up in the shell history; rsbac_passwd -n reads the new password from the terminal or stdin instead. Set the user password with one of these commands:

rsbac_usermod -p "password" username
rsbac_passwd -n username

For a soft migration and first tries, you can run passwd/shadow and RSBAC UM in parallel for a while before turning the old scheme off: in /etc/nsswitch.conf change "compat" to "compat rsbac" for the passwd, group and shadow databases, and in each file under /etc/pam.d/ add a "<type> sufficient pam_rsbac.so" line (auth, account, password or session, matching the line it precedes) before the corresponding pam_unix.so line.

Switch over

To disable the old scheme and switch over to RSBAC users and groups only, change /etc/nsswitch.conf (replace compat with rsbac in the passwd, group and shadow lines) and /etc/pam.d/* (replace pam_unix with pam_rsbac). Then it simply works, provided you granted the necessary access rights and imported the existing users and groups. It is generally a good idea to try this in softmode first, and to keep a root shell open until a fresh login has been verified to succeed. :)
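The nsswitch.conf and PAM edits for both stages, the soft migration and the final switch over, as an added shell example (not part of the RSBAC handbook or the rsbac-admin tools). It assumes an nsswitch.conf with plain "compat" entries and PAM service files with one pam_unix.so line per module type; the sample files it writes are constructed for illustration. Both functions print the rewritten file to stdout so the result can be inspected before anything under /etc is replaced.

```shell
#!/bin/sh
# Added example, not from the RSBAC handbook or the rsbac-admin tools:
# rewrite nsswitch.conf and a PAM service file for the two migration stages.
# Stage "soft" keeps passwd/shadow authoritative and consults RSBAC UM too;
# stage "full" switches to RSBAC UM only. Output goes to stdout.

# nss_migrate STAGE FILE: only passwd/group/shadow lines are touched,
# other databases (hosts, networks, ...) are left as they are.
nss_migrate() {
    stage=$1
    file=$2
    case $stage in
        soft) sed -E 's/^(passwd|group|shadow):([[:space:]]*)compat[[:space:]]*$/\1:\2compat rsbac/' "$file" ;;
        full) sed -E 's/^(passwd|group|shadow):([[:space:]]*)compat( rsbac)?[[:space:]]*$/\1:\2rsbac/' "$file" ;;
        *) echo "nss_migrate: unknown stage '$stage'" >&2; return 1 ;;
    esac
}

# pam_migrate STAGE FILE: in stage "soft" a "<type> sufficient pam_rsbac.so"
# line is inserted before every pam_unix.so line (auth, account, password,
# session alike) unless one is already there, so re-running is harmless.
# In stage "full" pam_unix.so is replaced by pam_rsbac.so in place.
pam_migrate() {
    stage=$1
    file=$2
    case $stage in
        soft) awk '
            /^[a-z]+[ \t]+.*pam_unix\.so/ && prev !~ /pam_rsbac\.so/ {
                print $1 "\tsufficient\tpam_rsbac.so"
            }
            { print; prev = $0 }' "$file" ;;
        full) sed -E 's/pam_unix\.so/pam_rsbac.so/' "$file" ;;
        *) echo "pam_migrate: unknown stage '$stage'" >&2; return 1 ;;
    esac
}

# write_samples DIR: constructed sample files (not taken from any real
# system) so the functions can be tried in a scratch directory first.
write_samples() {
    dir=$1
    mkdir -p "$dir"
    printf '%s\n' 'passwd:         compat' 'group:          compat' \
        'shadow:         compat' 'hosts:          files dns' > "$dir/nsswitch.conf"
    printf '%s\n' '#%PAM-1.0' 'auth       required   pam_unix.so nullok' \
        'account    required   pam_unix.so' \
        'password   required   pam_unix.so obscure sha512' \
        'session    required   pam_unix.so' > "$dir/login"
}

# Usage: sh migrate.sh soft|full DIR   (DIR holds nsswitch.conf and login)
case ${1:-} in
    soft|full)
        nss_migrate "$1" "$2/nsswitch.conf"
        pam_migrate "$1" "$2/login"
        ;;
esac
```

One consequence of the soft stage worth knowing: PAM's "sufficient" stops the stack on success, so once the password-type line has pam_rsbac.so in front of pam_unix.so, a successful password change updates only RSBAC UM and the shadow copy silently goes stale. That is acceptable for a short trial period, but it is one more reason to complete the switch over rather than leave both schemes active indefinitely.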

After complete migration, you can enable UM exclusive mode in the kernel settings to reject all users and groups unknown to UM. The auth_may_setuid attribute should be changed from full to last_auth_and_gid to deny unauthenticated setuid calls, and AUTH capabilities should be reduced accordingly. Some decision modules, e.g. RC, have a special access right CHANGE_AUTHED_OWNER, which allows a process to setuid to a user target if it has successfully authenticated that user (this only works for the most recently authenticated user).

Virtual User Sets

To use virtual groups and users, enable them in the kernel config. Then you can e.g. create group "users" in virtual set 1 with:

rsbac_groupadd 1/users

To copy group “users” (without members) from another set, e.g. the default set 0:

rsbac_groupadd -C 0/users 1/users

To copy a user, e.g. root, without password:

rsbac_useradd -C 0/root 1/root

And to copy an existing user with password:

rsbac_useradd -K 0/joe 1/joe

Check the results:

rsbac_groupshow 1/users
rsbac_usershow 1/root
rsbac_usershow 1/joe
rsbac_usershow -S 1 -l
rsbac_user_menu 1/joe

To log in as 1/joe, simply enter 1/joe as the login user name. You can use 1/joe with all RSBAC tools, e.g. to set a role, raise resource limits or add an ACL entry. A user name without a / always refers to the current virtual set of the calling process.

note: Newer versions of OpenSSH can be built with SELinux support; in that case / is a special character in SSH user names (the SELinux extension interprets "user/role") and sshd does NOT pass the user name through unchanged. Rebuild OpenSSH without the SELinux extension to get full use of RSBAC virtual users through ssh.

note2: Some versions of OpenSSH have a bug whereby / keeps its special meaning even when built without SELinux support. Always check which user name actually reaches sshd, e.g. with ssh -v on the client and the sshd log on the server.

Whenever a process authenticates a virtual user, its current virtual set automatically changes to that user's set, which binds the user session to that set. Alternatively, you can force a virtual set for a program via a general attribute or through the rsbac_jail command.

With the default kernel configuration, a process whose current virtual user set is not the main set 0 does not see users or groups in other sets. Consequently, once such a process has authenticated a user from one set, it cannot authenticate users from other sets afterwards; be careful with long-running authentication service processes that are expected to serve several sets.

One-Time Passwords

As usual, one-time passwords must be enabled in the kernel config, where you can also set a limit on the number of one-time passwords per user.

When enabled, rsbac_passwd can add one-time passwords or remove them all. To add one for joe as admin:

rsbac_passwd -o -n joe

To add one for yourself:

rsbac_passwd -o

To delete all one-time passwords for joe:

rsbac_passwd -O joe

To show the number of unused one-time passwords:

rsbac_passwd -C joe

You can also script password setting, e.g. to create 10 random one-time passwords for joe with pwgen. The password is piped in twice because rsbac_passwd -n expects the new password to be entered and confirmed; keep the printed list somewhere safe, since it is the only copy:

#!/bin/sh
# pwgen -1 prints one password per line, -N 10 produces ten of them.
pwgen -1 -N 10 | while read -r pw
do
  echo "One-Time-PW: $pw"
  # entry and confirmation of the new one-time password on stdin
  printf '%s\n%s\n' "$pw" "$pw" | rsbac_passwd -o -n joe
done



Table of Contents: RSBAC Handbook
Previous: Service Encapsulation
Next: Logging