Additional permissions for /sbin/gradm_pam on SLES

Discuss and suggest new grsecurity features

Additional permissions for /sbin/gradm_pam on SLES

Postby nt1277 » Tue Oct 04, 2011 1:48 pm

Dear developers,

I had to patch gradm_adm.c in order to make it possible to use PAM authentication on SLES11 SP1.

My PAM configuration is "the default" which is mostly pam_unix2:

sles11-64-grsecurity:/etc/pam.d # cat /etc/pam.d/gradm
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session

I had to apply the following patch to gradm-2.2.2-201109151158:

diff -rupN gradm2.orig/gradm_adm.c gradm2/gradm_adm.c
--- gradm2.orig/gradm_adm.c 2011-06-06 05:14:53.000000000 +0200
+++ gradm2/gradm_adm.c 2011-10-04 19:30:17.000000000 +0200
@@ -150,9 +150,11 @@ add_gradm_pam_acl(struct role_acl *role)
add_ip_acl(current_subject, GR_IP_BIND, &ip);

add_proc_object_acl(current_subject, "/", proc_object_mode_conv("h"), GR_FEXIST);
+ add_proc_object_acl(current_subject, "/etc/default/passwd", proc_object_mode_conv("r"), GR_FEXIST);
add_proc_object_acl(current_subject, "/etc/ld.so.cache", proc_object_mode_conv("r"), GR_FEXIST);
add_proc_object_acl(current_subject, "/etc/ld.so.preload", proc_object_mode_conv("r"), GR_FEXIST);
add_proc_object_acl(current_subject, "/etc/localtime", proc_object_mode_conv("r"), GR_FEXIST);
+ add_proc_object_acl(current_subject, "/etc/login.defs", proc_object_mode_conv("r"), GR_FEXIST);
add_proc_object_acl(current_subject, "/etc/protocols", proc_object_mode_conv("r"), GR_FEXIST);
add_proc_object_acl(current_subject, "/etc/passwd", proc_object_mode_conv("r"), GR_FEXIST);
add_proc_object_acl(current_subject, "/etc/shadow", proc_object_mode_conv("r"), GR_FEXIST);
@@ -185,6 +187,8 @@ add_gradm_pam_acl(struct role_acl *role)
add_cap_acl(current_subject, "+CAP_IPC_LOCK", NULL);
add_cap_acl(current_subject, "+CAP_AUDIT_WRITE", NULL);

+ add_sock_family(current_subject, "netlink");
+
return;
}




Which means adding just three lines. Do you consider this being acceptable to grsecurity?
Thank you in advance.
nt1277
 
Posts: 2
Joined: Tue Oct 04, 2011 1:42 pm

Re: Additional permissions for /sbin/gradm_pam on SLES

Postby spender » Wed Oct 05, 2011 9:24 pm

Hi,

Looks good to me. I've just committed it -- it'll appear in the next gradm tarball. Thanks!

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Additional permissions for /sbin/gradm_pam on SLES

Postby nt1277 » Thu Oct 06, 2011 9:52 am

Thank you very much. I hope I didn't open a security hole, and netlink isn't dangerous.
nt1277
 
Posts: 2
Joined: Tue Oct 04, 2011 1:42 pm


Return to grsecurity development

cron