feature request: gradm_pam with kerberos auth

PostPosted: Mon Mar 21, 2016 3:38 pm
by shogberg
I'm trying to set up special roles for a group of admins using kerberos authentication. This works ok if pam is set up correctly, however it only works from an admin role right now due to gradm not being able to read the kerb config file if you're authenticating from root (or other non-admin roles).

kernel: [23703.198490] grsec: From <ipaddr>: (root:U:/sbin/gradm_pam) denied access to hidden file /etc/krb5.conf by /sbin/gradm_pam[gradm_pam:21933] uid/euid:0/0 gid/egid:0/0, parent /sbin/gradm[gradm:21932] uid/euid:0/0 gid/egid:0/0


My C is very rusty, but I believe the following in gradm_adm.c should allow kerberos to work over port 88.

        /* for kerberos */
        proto = gr_getprotobyname("tcp");
        memset(&ip, 0, sizeof (ip));
        ip.low = 88;
        ip.high = 88;
        ip.type = (1U << SOCK_STREAM);
        ip.proto[IPPROTO_IP / 32] |= (1U << (IPPROTO_IP % 32));
        ip.proto[proto->p_proto / 32] |= (1U << (proto->p_proto % 32));
        add_ip_acl(current_subject, GR_IP_CONNECT, &ip);


and

        ADD_OBJ("/etc/krb5.conf", "r");


--Sean

Re: feature request: gradm_pam with kerberos auth

PostPosted: Thu Mar 24, 2016 5:51 pm
by shogberg
In a proof of concept, I also had to add the following for the gradm policy in gradm_adm.c, as the temporary kerberos tickets get created in /tmp.

Not sure I love it (or I guess not sure if I should be concerned that /sbin/gradm can make changes to /tmp/krb5cc_pam*), but it functionally works.


        ADD_OBJ("/tmp", "");
        ADD_OBJ("/tmp/krb5cc_pam*", "rwcda");

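The two posts above arrive at their ADD_OBJ lines by reading grsec denial messages one at a time. As an added example that is not part of the thread or of gradm, the script below parses denials of the exact shape quoted in the first post and emits the corresponding ADD_OBJ(...) lines for review; the second sample line and the /tmp/krb5cc_pam* handling are assumptions modelled on the second post, not taken from a real log.

```python
import re

# Constructed sample denials. The first is the line quoted in the thread; the second is an
# assumed line of the same shape for a PAM credential cache under /tmp (not from a real log).
SAMPLE_DENIALS = [
    "kernel: [23703.198490] grsec: From <ipaddr>: (root:U:/sbin/gradm_pam) denied access to "
    "hidden file /etc/krb5.conf by /sbin/gradm_pam[gradm_pam:21933] uid/euid:0/0 gid/egid:0/0, "
    "parent /sbin/gradm[gradm:21932] uid/euid:0/0 gid/egid:0/0",
    "kernel: [23704.112233] grsec: From <ipaddr>: (root:U:/sbin/gradm_pam) denied access to "
    "hidden file /tmp/krb5cc_pam_XXXXXX by /sbin/gradm_pam[gradm_pam:21940] uid/euid:0/0 "
    "gid/egid:0/0, parent /sbin/gradm[gradm:21939] uid/euid:0/0 gid/egid:0/0",
]

# Matches only the "denied access to hidden file" message shape shown in the thread.
DENIAL_RE = re.compile(
    r"grsec: (?:From (?P<src>\S+): )?"
    r"\((?P<role>[^:()]+):(?P<roletype>[A-Za-z]+):(?P<subject>\S+)\) "
    r"denied access to hidden file (?P<path>\S+) "
    r"by (?P<exe>\S+)\[(?P<comm>[^\]:]+):(?P<pid>\d+)\]"
)

def parse_denial(line):
    """Return the denial's fields as a dict, or None for any other message."""
    m = DENIAL_RE.search(line)
    return None if m is None else dict(m.groupdict(), pid=int(m.group("pid")))

def suggest_objects(path):
    """Map a denied path to object entries. Assumption taken from the second post: a
    /tmp/krb5cc_pam* cache needs rwcda plus an empty-mode /tmp entry; all else gets read-only."""
    if path.startswith("/tmp/krb5cc_pam"):
        return [("/tmp", ""), ("/tmp/krb5cc_pam*", "rwcda")]
    return [(path, "r")]

def denials_to_add_obj(lines):
    """Turn denial log lines into de-duplicated ADD_OBJ(...) lines for gradm_adm.c,
    keeping only denials raised against the /sbin/gradm_pam subject."""
    seen, out = set(), []
    for line in lines:
        d = parse_denial(line)
        if d is None or d["subject"] != "/sbin/gradm_pam":
            continue
        for obj, mode in suggest_objects(d["path"]):
            if obj not in seen:
                seen.add(obj)
                out.append('ADD_OBJ("%s", "%s");' % (obj, mode))
    return out

if __name__ == "__main__":
    print("\n".join(denials_to_add_obj(SAMPLE_DENIALS)))
```

The output is meant to be read, not pasted: the empty-mode /tmp entry and the rwcda glob are the very items the second post flags as worth a second look.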
Re: feature request: gradm_pam with kerberos auth

PostPosted: Thu Mar 24, 2016 6:15 pm
by spender
Thanks, I'll add something similar to the next version of gradm.

-Brad