Things I want to achieve / do with RSBAC:
When you enabled ssh (see below) you may be able to directly login as you or root, but using su or sudo may fail, because you are normally not allowed to setuid (to change) to another user.
When you upgrade your system (especially ssh, login or pam) you may lose complete control over your system. Like I did some seconds ago:
What happened?
How to solve the problem
Because bruehe.schottelius.org is my home webserver / router, I wanted to administrate it from work so I can continue to configure it with rsbac. So the first thing which had/has to run is ssh. ssh was a little bit tricky on my testing machine dosinux, so I took the easy way and allowed sshd to setuid to anybody (this is a security problem, because exploiting sshd could compromise the system now!).
Anyway, we'll get more secure later.
When converting users and groups you have to keep in mind, that you CANNOT convert the old passwords! They are encrypted on disk and rsbac CANNOT (and does not want to, it is not a password cracker) decrypt them. So you have to setup the passwords in RSBAC, after you converted the users.
bruehe2# dmesg -c &>/dev/null bruehe2# rsbac_passwd -n nico New RSBAC password for user nico (uid 1000): Repeat new password: Error: Operation not permitted bruehe2# dmesg 0000007472|rsbac_adf_request(): request MODIFY_PERMISSIONS_DATA, pid 1577, ppid 1078, prog_name rsbac_passwd, prog_file /usr/local/bin/rsbac_passwd, uid 0, target_type USER, tid 1000, attr none, value none, result NOT_GRANTED by MAC FF RC AUTH ACL
passwd: rsbac
group: rsbac
shadow: rsbac
bruehe2# ls -l /home/user [...] drwxr-xr-x 4 nico nico 93 Jul 26 14:55 archiv drwxr-xr-x 5 fabian users 121 Nov 8 14:31 fabian drwxr-xr-x 10 julia users 4096 Aug 11 15:03 julia drwxr-xr-x 56 nico nico 106496 Nov 15 00:36 nico [...]
So far so fine, we've rsbac user management running. Now, to proof it, let us remove the old authentication tokens: Move away
That's how I did it:
bruehe2# mkdir ~/old-unix/ bruehe2# mv /etc/passwd /etc/shadow /etc/group /etc/gshadow ~/old-unix
And now, try to login again. Nice, isn't it?
Now, at the end, do ultimo and remove support for normal authentication:
- Rule Set Based Access Control (RSBAC) - User Management ---> - [*] Exclusive user management
After we finished migrating to in kernel user management, we'll focus on securing the sshd.
bruehe2# dmesg -c bruehe2# /etc/init.d/squid start Starting proxy server: start-stop-daemon: Unable to set uid to root (Operation not permitted) squid. bruehe2# dmesg 0000007633|rsbac_adf_request(): request CHANGE_OWNER, pid 6662, ppid 6657, prog_name start-stop-daem, prog_file /sbin/start-stop-daemon, uid 0, target_type PROCESS, tid 6662, attr owner, value 0, result NOT_GRANTED by AUTH
bruehe2# /usr/sbin/squid bruehe2# dmesg -c 0000007645|rsbac_adf_request(): request READ, pid 6681, ppid 1078, prog_name squid, prog_file /usr/sbin/squid, uid 0, target_type GROUP, tid 13, attr none, value none, result NOT_GRANTED by RC ACL 0000007646|rsbac_adf_request(): request READ, pid 6684, ppid 6682, prog_name squid, prog_file /usr/sbin/squid, uid 0, target_type GROUP, tid 13, attr none, value none, result NOT_GRANTED by RC ACL 0000007647|rsbac_adf_request(): request CHANGE_OWNER, pid 6684, ppid 6682, prog_name squid, prog_file /usr/sbin/squid, uid 0, target_type PROCESS, tid 6684, attr owner, value 13, result NOT_GRANTED by AUTH 0000007648|rsbac_adf_request(): request READ, pid 6686, ppid 6682, prog_name squid, prog_file /usr/sbin/squid, uid 0, target_type GROUP, tid 13, attr none, value none, result NOT_GRANTED by RC ACL 0000007649|rsbac_adf_request(): request CHANGE_OWNER, pid 6686, ppid 6682, prog_name squid, prog_file /usr/sbin/squid, uid 0, target_type PROCESS, tid 6686, attr owner, value 13, result NOT_GRANTED by AUTH
The following will happen, if you did not configure it before:
bruehe2# dmesg -c &>/dev/null bruehe2# screen -l [screen is terminating] bruehe2# dmesg 0000007473|rsbac_adf_request(): request CHANGE_OWNER, pid 1596, ppid 1595, prog_name screen, prog_file /usr/bin/screen, uid 0, target_type PROCESS, tid 1596, attr owner, value 0, result NOT_GRANTED by AUTH 0000007474|rsbac_adf_request(): request CHANGE_OWNER, pid 1594, ppid 1078, prog_name screen, prog_file /usr/bin/screen, uid 0, target_type PROCESS, tid 1594, attr owner, value 0, result NOT_GRANTED by AUTH bruehe2# ls -l /usr/bin/screen -rwxr-sr-x 1 root utmp 306616 Nov 14 2004 /usr/bin/screen
Doing the same as user nico produces the following error:
bruehe2# dmesg 0000007526|rsbac_adf_request(): request CHANGE_OWNER, pid 1630, ppid 1621, prog_name screen, prog_file /usr/bin/screen, uid 1000, target_type PROCESS, tid 1630, attr owner, value 1000, result NOT_GRANTED by AUTH 0000007527|rsbac_adf_request(): request CHANGE_OWNER, pid 1632, ppid 1631, prog_name screen, rog_file /usr/bin/screen, uid 1000, target_type PROCESS, tid 1632, attr owner, value 1000, result NOT_GRANTED by AUTH
This looks like beeing easy to solve: screen wants to setuid to the calling user.
That's it!
# add user ftp, give correct homedir:
rsbac_400@dosinux:~$ rsbac_useradd ftp rsbac_400@dosinux:~$ rsbac_usermod -d /home/server/ftp ftp root@dosinux# mkdir -p /home/server/ftp root@dosinux# chown ftp /home/server/ftp
# now the following will happen:
dosinux# telnet localhost 21 Trying 127.0.0.1... Connected to localhost.localdomain. Escape character is '^]'. 500 OOPS: setuid 500 OOPS: child died dosinux# dmesg 0000000663|rsbac_get_attr(): auto-mounting device 00:04 0000000664|rsbac_adf_request(): request CHANGE_OWNER, pid 8308, ppid 8307, prog_name vsftpd, prog_file /usr/sbin/vsftpd, uid 0, remote ip 81.163.253.243, target_type PROCESS, tid 8308, attr owner, value 65534, result NOT_GRANTED by AUTH 0000000665|rsbac_adf_request(): request CHANGE_OWNER, pid 8318, ppid 8317, prog_name vsftpd, prog_file /usr/sbin/vsftpd, uid 0, remote ip 127.0.0.1, target_type PROCESS, tid 8318, attr owner, value 65534, result NOT_GRANTED by AUTH 0000000666|rsbac_adf_request(): request CHANGE_OWNER, pid 8499, ppid 8498, prog_name vsftpd, prog_file /usr/sbin/vsftpd, uid 0, remote ip 127.0.0.1, target_type PROCESS, tid 8499, attr owner, value 65534, result NOT_GRANTED by AUTH
# You need to add at least the capability 65534 (nobody) # I also added capability 2002 (ftp), but did not test if it works without # Retest
dosinux# telnet localhost 21 Trying 127.0.0.1... Connected to localhost.localdomain. Escape character is '^]'. 220 Welcome to !eof - dosinux - RSBAC USER ANONYMOUS 331 Please specify the password. PASS ae 500 OOPS: vsftpd: refusing to run with writable anonymous root 500 OOPS: cap_set_proc Connection closed by foreign host. dosinux# chmod u-w /home/server/ftp dosinux# mkdir /home/server/ftp/upload dosinux# chown ftp /home/server/ftp/upload dosinux# dmesg -c 0000000668|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 8529, ppid 8527, prog_name vsftpd, prog_file /usr/sbin/vsftpd, uid 65534, remote ip 127.0.0.1, target_type SCD, tid capability, attr none, value none, result NOT_GRANTED by MAC RC ACL
bruehe2# # this would work, but you really do not want to do that. bruehe2# /usr/sbin/named
bruehe2# dmesg -c bruehe2# /usr/sbin/named -u bind named: setuid(): Operation not permitted bruehe2# dmesg 0000007923|rsbac_adf_request(): request CHANGE_OWNER, pid 7043, ppid 1078, prog_name named, prog_file /usr/sbin/named, uid 0, target_type PROCESS, tid 7043, attr owner, value 103, result NOT_GRANTED by AUTH
bruehe2# /usr/sbin/named -u bind named: capset failed: Operation not permitted bruehe2# dmesg 0000007924|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 7215, ppid 1078, prog_name named, prog_file /usr/sbin/named, uid 103, target_type SCD, tid capability, attr none, value none, result NOT_GRANTED by MAC PM RC ACL
0000009595|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 16229, ppid 27310, prog_name named, prog_file /usr/sbin/named, uid 103, target_type SCD, tid capability, attr none, value none, result NOT_GRANTED by MAC PM RC ACL
bruehe2# named -u bind named: capset failed: Operation not permitted named: capset failed: Operation not permitted bruehe2# dmesg 0000009605|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 19268, ppid 27310, prog_name named, prog_file /usr/sbin/named, uid 0, target_type SCD, tid capability, attr none, value none, result NOT_GRANTED by RC 0000009606|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 19268, ppid 27310, prog_name named, prog_file /usr/sbin/named, uid 103, target_type SCD, tid capability, attr none, value none, result NOT_GRANTED by MAC PM RC ACL
bruehe2# killall named bruehe2# named -u bind named: capset failed: Operation not permitted bruehe2# dmesg -c 0000009613|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 19951, ppid 27310, prog_name named, prog_file /usr/sbin/named, uid 103, target_type SCD, tid capability, attr none, value none, result NOT_GRANTED by MAC PM ACL
0000009630|rsbac_adf_request(): request READ, pid 21155, ppid 27310, prog_name oidentd, prog_file /usr/sbin/oidentd, uid 0, target_type GROUP, tid 65534, attr none, value none, result NOT_GRANTED by RC ACL
bruehe2# /usr/packages/silc-1.0.1/sbin/silcd -f /usr/packages/silc-1.0.1/etc/silcd.conf bruehe2# dmesg 0000009616|rsbac_adf_request(): request READ, pid 20550, ppid 20549, prog_name silcd, prog_file /usr/packages/silc-1.0.1/sbin/silcd, uid 0, target_type GROUP, tid 2000, attr none, value none, result NOT_GRANTED by RC ACL
dosinux# /usr/sbin/apache2 dosinux# dmesg 0000001236|rsbac_adf_request(): request READ, pid 3517, ppid 2735, prog_name apache2, prog_file /usr/sbin/apache2, uid 0, target_type GROUP, tid 33, attr none, value none, result NOT_GRANTED by RC ACL 0000001237|rsbac_adf_request(): request READ, pid 3518, ppid 3517, prog_name apache2, prog_file /usr/sbin/apache2, uid 0, target_type GROUP, tid 33, attr none, value none, result NOT_GRANTED by RC ACL 0000001238|rsbac_adf_request(): request CHANGE_OWNER, pid 3519, ppid 3518, prog_name apache2, prog_file /usr/sbin/apache2, uid 0, target_type PROCESS, tid 3519, attr owner, value 33, result NOT_GRANTED by AUTH 0000001239|rsbac_adf_request(): request CHANGE_OWNER, pid 3520, ppid 3518, prog_name apache2, prog_file /usr/sbin/apache2, uid 0, target_type PROCESS, tid 3520, attr owner, value 33, result NOT_GRANTED by AUTH 0000001240|rsbac_adf_request(): request CHANGE_OWNER, pid 3521, ppid 3518, prog_name apache2, prog_file /usr/sbin/apache2, uid 0, target_type PROCESS, tid 3521, attr owner, value 33, result NOT_GRANTED by AUTH 0000001241|rsbac_adf_request(): request CHANGE_OWNER, pid 3522, ppid 3518, prog_name apache2, prog_file /usr/sbin/apache2, uid 0, target_type PROCESS, tid 3522, attr owner, value 33, result NOT_GRANTED by AUTH 0000001242|rsbac_adf_request(): request CHANGE_OWNER, pid 3523, ppid 3518, prog_name apache2, prog_file /usr/sbin/apache2, uid 0, target_type PROCESS, tid 3523, attr owner, value 33, result NOT_GRANTED by AUTH
dosinux# /usr/sbin/apache2 dosinux# dmesg 0000001243|rsbac_adf_request(): request READ, pid 3692, ppid 2718, prog_name apache2, prog_file /usr/sbin/apache2, uid 0, target_type GROUP, tid 33, attr none, value none, result NOT_GRANTED by RC ACL 0000001244|rsbac_adf_request(): request READ, pid 3693, ppid 3692, prog_name apache2, prog_file /usr/sbin/apache2, uid 0, target_type GROUP, tid 33, attr none, value none, result NOT_GRANTED by RC ACL dosinux# ps axu | grep apache2 root 3693 0.8 0.9 16744 5436 ? Ss 16:02 0:00 /usr/sbin/apache2 www-data 3694 0.0 0.9 16744 5456 ? S 16:02 0:00 /usr/sbin/apache2 www-data 3695 0.0 0.9 16744 5456 ? S 16:02 0:00 /usr/sbin/apache2 www-data 3696 0.0 0.9 16744 5456 ? S 16:02 0:00 /usr/sbin/apache2 www-data 3697 0.0 0.9 16744 5456 ? S 16:02 0:00 /usr/sbin/apache2 www-data 3698 0.0 0.9 16744 5456 ? S 16:02 0:00 /usr/sbin/apache2 root 3701 0.0 0.0 1520 328 pts/0 R+ 16:02 0:00 grep apache2
Roles should make life easier, currently they are just making my life more complicated. Let's see what we can do with them.
The first problem to solve with Roles is to create a user, which is able to
First of all, I create a user:
rsbac_useradd -d /home/user/user_manager user_manager
rsbac_passwd -n user_manager
mkdir /home/user/user_manager chown user_manager ~user_manager
When you update your system
apt-get update && apt-get-dist-upgrade
in Debian for instance, your RSBAC settings will party be LOST. Why that? Files are replaced and as far as I know RSBAC remembers the file by its inode. The inode will/may change after an update, so you loose the settings.
To save your data you could first backup the settings, then update the sytem and then reply the settings.
The problem I had was that I did a dist-upgrade and then squid was unable to start, because the settings I made with rsbac_fd_menu were lost.