Unlike all traditional user and group schemes in Linux, the User (and group) Management in RSBAC is completely kernel based. It can be used as a more powerful and much more secure replacement.
Note: This functionality is of course, optional, but recommended. For configuration see User Management Configuration.
The administration of users is enforced with granularity and more flexibility. One of the key features is that you can allow a process to change it's user id only to the last one that has been authenticated.
For example, /bin/login
tries to authenticate user id 1000 and succeed, thus RSBAC will allow changing to this user id and start a session. Without this functionality, if there was a bug in /bin/login
, an attacker could make this program ask for changing to user id 1000 without authenticating successfully, and would not be denied (even with other RSBAC functions enabled, as long as /bin/login
is authorized for user id 1000).
RSBAC also support virtual user sets. User lookups, authentication, etc. can be completely virtualized per process, program or jail. This means, that you can have a different user “bob” accessing your FTP server than the user “bob” having a shell access, even if the FTP server does not include its own code to support virtual users, and with all the previous UM advantages. And you can add one-time passwords for protection against eavesdropping of passwords.
There are several other advantages that you will discover by reading this documentation :)
The traditional Linux user management, specially the common passwd/shadow scheme with PAM, has several security problems:
Now, what is the difference in the new RSBAC User Management?
Group protection is very similar, only the number of settings is smaller.
Starting from version 1.4, RSBAC contains Virtual User Management (VUM), which is an extension to the existing User Management (UM).
Every user id now consists of a 32 Bit virtual set (vset) number and the old fashioned 32 Bit uid. The normal set of users is vset 0. It also exists, if VUM has been turned off in kernel configuration. All other vset numbers can be used as desired, there is no list of known sets.
User id u in vset s is consistently written as s/u. User name n in vset s is written as s/n. To login into set s, use s/username at the login prompt, e.g. 100/joe. All RSBAC tools accept the new notation of users. Every s/u has its own password, its own home directory, its own attributes, etc. RSBAC kernel logging uses the same notation, except that it does not write 0/n, but simply n for backwards compatibility and ease of use.
Every process has a current vset, so its s/u pair is taken from current vset and real uid. Access control, role changes etc. simply take the vset into account.
Vsets can be assigned to programs, e.g. an FTP daemon, to make a service run with a different set of users. Ever wanted to make sure that FTP attackers cannot crack passwords of SSH users? Well, separate the sets of users, done. On the fly, you can also get different access rights depending on the service you used for login.
Alternatively, a vset can also be given as parameter to the rsbac_jail command to start a program in a certain jail. As a general rule, every process with real uid u can change its vset from 0 (default) to another vset s, if it has the right to CHANGE_OWNER to s/u. As usual, this can be limited with AUTH (cap s/u), RC (CHANGE_OWNER right to type of s/u) or ACl (ACL at s/u).
By default, there is no way back to vset 0, and a process with another current vset than 0 cannot see any other vset's users. This restriction can be removed by a kernel config switch, in that case you will have to use access control to protect your vsets from being seen.
To make setups a bit easier, you can define default attribute values for a complete virtual user set s through the special user RSBAC_ALL_USERS, written as s/ALL. This value is used for all users in the set, which have no explicit value for that attribute. As an example, give all users in vset 10000 the RC type 10000 (through 10000/ALL) and only allow AUTHENTICATE to that user type for the FTP daemon running in that vset.
Also, AUTH now supports capabilities all/u1:all/u2 for u1 to u2 in all virtual sets. E.g. set AUTH cap all/0 on rsbac_jail so that it can CHANGE_OWNER to all virtual sets you specify in its command line.
To get your current set used for some user n, use auto/n or simply n. The PAM and NSS libraries always use auto vset, unless you write s/ before the user name or id.
For configuration see Virtual User Management Configuration
With the 1.4 release, RSBAC also supports One-Time-Passwords (OTP). After enabling in the RSBAC kernel config, you can add a limited amount of extra passwords to each user account. All these extra passwords can only be used once.
A typical usage szenario is accessing your mail from an Internet cafe or the quite common “can I have your password for some quick access”. In both cases, revealing your real password to the public is no longer necessary.
For configuration see Virtual User Management Configuration
Table of Contents: RSBAC Handbook
Previous: Architecture and Implementation
Next: Security Modules