relinquishing role in start scripts

Postby windo » Wed Jul 15, 2009 5:04 am

Hi

I have a policy whereby root cannot start dead daemons; you need to authenticate to the admin role, start the daemon and then unauthenticate from the admin role. This is due to the need to first mount and later unmount crypto keys. This has sparked a few questions.

How exactly does authenticating and unauthenticating special roles work? When I am admin, do all the processes spawned by me also become admin (and processes spawned by those admin processes)?

Do logging out (I'm doing this through ssh), gradm -u and gradm -R have the same effect of removing the admin role from this process and all its children that inherited the admin role at some point?

Is there a way to be admin, yet spawn a new process that will not inherit the special role? Something like su user -c "command" does (gradm -u -c "rundaemonrun.sh")?

The reason (if not obvious) I'm asking these questions is that at least during start up, the daemon has admin role and should it be successfully attacked during that window, the whole machine would be compromised. One obvious way to lower the risk is to make a new special role that has less privileges than admin, but this solution still has a few problems:

1. The daemon-specific configuration needs to be replicated in both the special role and daemon-specific role.
2. During startup, the daemon will still have a set of permissions it should not have, even though it is less than admin's (the setup/cleanup actions).

Another solution might be to run gradm -u right before starting the daemon and later gradm -a admin to finish the cleanup, but that is a bit more inconvenient than it needs to be.

So all in all, it can be done, but the methods I know all involve some amount of pain.
windo
Posts: 6
Joined: Wed Mar 12, 2008 12:31 pm

Re: relinquishing role in start scripts

Postby spender » Wed Jul 15, 2009 7:52 am

Since there's a specific task you want to perform here, I'd advise setting up an additional special role just for this purpose. You're correct about how special roles work -- processes executed while in the admin role (or any other special role) gain that role. When you gradm -u, the subjects on all the binaries that once had your role (for your particular session, as they're marked with an ID) will be reset to what the policy says their normal subject would be (minus any inheritance or nesting rules). The same happens when you exit the process that started gradm to authenticate to the special role.

-Brad
spender
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA
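One way to lay out the dedicated special role Brad suggests, as an added example that is not part of this thread and not a fragment of grsecurity's shipped policy: it assumes a daemon /usr/sbin/mydaemon started by /etc/init.d/mydaemon, key material on /dev/mapper/keys mounted at /mnt/keys, and the role name keystart; all of those are assumptions.

```text
# Added example. A special role ('s' in the role mode) that is NOT an admin
# role (no 'A'), so a daemon compromised during the start window inherits
# only what is listed here instead of everything "role admin sA" grants.
# Role name, binary paths and the key device are assumed for this example.

role keystart s
subject / o {
	/				h
	/bin/sh				x
	/bin/mount			x
	/bin/umount			x
	/sbin/gradm			x
	/etc/init.d/mydaemon		rx
	/usr/sbin/mydaemon		x
	/etc/ld.so.cache		r
	/lib				rx
	/dev/null			rw
	/dev/mapper/keys		rw
	/mnt/keys			rw
	-CAP_ALL
	# mount(2)/umount(2) of the key volume is the only reason for this cap
	+CAP_SYS_ADMIN
	bind	disabled
	connect	disabled
}

# The daemon gets its own subject inside the special role, so that while
# the start script still holds keystart the daemon does not run under the
# permissive "/" subject above. This is the duplication the original post
# mentions: after "gradm -u" the daemon reverts to the subject defined for
# it in "role default", so the two should be kept identical.
subject /usr/sbin/mydaemon o {
	/				h
	/usr/sbin/mydaemon		x
	/etc/ld.so.cache		r
	/lib				rx
	/etc/mydaemon.conf		r
	/mnt/keys			r
	/var/log/mydaemon.log		wa
	-CAP_ALL
	bind	0.0.0.0/0:8443 stream tcp
	connect	disabled
}

# The role you authenticate from (e.g. "role root uG") must allow the
# transition, alongside any existing entries:
#	role_transitions keystart admin
```

The mount/umount steps happen under keystart, "gradm -u" follows the daemon start, and the admin role is never entered for routine restarts.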
