Creating a mini-root role

Post by chaoticmachinery » Thu Apr 08, 2010 4:58 pm

Hello,

I would like to create a "mini-root" role that can do all things except:
1) alter files under /var/log
2) alter grsecurity

Is something like this possible?

If so, could you point me in the right direction to create the role? Just looking for an example.

Thanks,

CM
chaoticmachinery
 
Posts: 1
Joined: Thu Apr 08, 2010 4:51 pm

Re: Creating a mini-root role

Post by spender » Thu Apr 08, 2010 6:17 pm

It's not possible if you really mean "do all things." The problem is that even ignoring the problem of kernel exploits, unless you restrict this role considerably, it ends up being equivalent to full root, and thus able to alter grsecurity and edit /var/log. One simple example (though there are dozens or hundreds more): CAP_SYS_MODULE. With this capability, you have arbitrary code execution in the kernel, and so can disable/alter grsecurity, give yourself permission to alter any file, give yourself any of the other capabilities, etc.

So without considerable restriction (like the kinds of restrictions that the RBAC system enforces on non-special roles by default) such a role would almost entirely create a false sense of security.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA
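
Added example (not part of the thread and not grsecurity code): the CAP_SYS_MODULE point from the reply above, written as a check over the capability sets in a process's /proc/<pid>/status. The shortlist of capabilities beyond CAP_SYS_MODULE, the function names and the sample status text are assumptions of this example.

```python
import re

# name -> (bit number from linux/capability.h, why it matters).
# Only CAP_SYS_MODULE is named in the thread; the rest is this example's shortlist.
ROOT_EQUIVALENT = {
    "CAP_DAC_OVERRIDE": (1, "bypasses file permission checks"),
    "CAP_SETUID": (7, "can switch to any UID"),
    "CAP_SYS_MODULE": (16, "loads kernel modules (code execution in the kernel)"),
    "CAP_SYS_RAWIO": (17, "raw I/O port and device access"),
    "CAP_SYS_PTRACE": (19, "can trace any process"),
    "CAP_SYS_ADMIN": (21, "mount and many other admin operations"),
    "CAP_SYS_BOOT": (22, "reboot and kexec_load"),
}

CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)

def parse_cap_sets(status_text):
    """Map each Cap* line of /proc/<pid>/status to its integer bitmask."""
    return {name: int(value, 16) for name, value in CAP_LINE.findall(status_text)}

def root_equivalent(mask):
    """Names from the shortlist whose bit is set in mask, sorted."""
    return sorted(n for n, (bit, _) in ROOT_EQUIVALENT.items() if (mask >> bit) & 1)

def audit(status_text):
    sets = parse_cap_sets(status_text)
    if "CapEff" not in sets or "CapBnd" not in sets:
        raise ValueError("no CapEff/CapBnd lines found")
    held = root_equivalent(sets["CapEff"])
    # Bounding-set capabilities are not active now, but execve() of a
    # setuid-root or file-capability binary can still grant them.
    reachable = [c for c in root_equivalent(sets["CapBnd"]) if c not in held]
    return {"held": held, "reachable": reachable}

# Constructed samples, not captured from a real host.
FULL_ROOT = "Name:\tbash\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n"
TRIMMED = "Name:\tsyslogd\nCapEff:\t0000000000000402\nCapBnd:\t000001fffffeffff\n"

if __name__ == "__main__":
    for label, text in (("full root", FULL_ROOT), ("trimmed", TRIMMED)):
        result = audit(text)
        print(label, "held:", result["held"], "reachable:", result["reachable"])
```

An empty "held" list only means none of the shortlisted capabilities is active; it does not show the role is safe, since the reply notes there are many more paths than the one it names.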

