Which programs need access /etc/passwd ? Allow mplayer?

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

Which programs need access /etc/passwd ? Allow mplayer?

Postby timbgo » Sun May 08, 2016 11:19 am

title: Which programs do need access to /etc/passwd ? Allow mplayer?
---

When I tried playing a dvd (and it played fine, actually at the start there was a tiny audio glitch, yeah, there was, but it played fine), I got this in the logs (onto which I, as most grsec users keep an eye on most of the time):

Code: Select all
May  8 14:00:24 g5n kernel: [244826.061369] grsec: (miro:U:/usr/bin/mplayer)
exec of /usr/bin/mplayer (mplayer dvd://1 ) by /usr/bin/mplayer[bash:26047]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:23117]
uid/euid:1000/1000 gid/egid:1000/1000

May  8 14:00:24 g5n kernel: [244826.132398] grsec: (miro:U:/usr/bin/mplayer)
denied access to hidden file /etc/passwd by /usr/bin/mplayer[mplayer:26047]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:23117]
uid/euid:1000/1000 gid/egid:1000/1000

May  8 14:00:26 g5n kernel: [244828.073638] grsec: (miro:U:/usr/bin/mplayer)
denied mkdir of /Krug-2016040912022026- by /usr/bin/mplayer[mplayer:26047]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:23117]
uid/euid:1000/1000 gid/egid:1000/1000



The Krug-2016040912022026- is just named by the DVD that was being played. But
why would it need to create a tmp dir in the / ?

And why would it need to read the /etc/passwd is what I wonder the most (it is a simple, home-made DVD, without encryption, esp. not to user's password).

And that is what made me check what programs access /etc/passwd, as I really don't see why mplayer should need to access /etc/passwd.

With this command:

# grep -B20 '\/etc\/passwd[[:space:]]\{,5\}r' grsec_160508_g5n_00 | grep -B1 -A20 'subject \/'

(where grsec_160508_g5n_00 is a copy of my last manual tweak to /etc/grsec/policy, see below, I get the output (a few unrelated lines I purged out):

Code: Select all
# Role: root
subject /bin/chown o {
   /            
   /bin            h
   /bin/chown         rx
   /boot            h
   /dev/grsec         h
   /dev/kmem         h
   /dev/log         h
   /dev/mem         h
   /dev/port         h
   /etc            h
   /etc/group         r
   /etc/ld.so.cache      r
   /etc/nsswitch.conf      r
   /etc/passwd         r
--
# Role: root
subject /opt/icedtea-bin-3.0.1/bin/java o {
   /            h
   /Cmn            r
   /Cmn/gX*            rwcd
   /Cmn/m*            rwcd
   /dev            h
   /dev/random         r
   /dev/urandom         r
   /etc            h
   /etc/ld.so.cache      r
   /etc/localtime         r
   /etc/nsswitch.conf      r
   /etc/passwd         r
--
# Role: root
subject /bin/ps o {
   /            h
   /bin            h
   /bin/ps            x
   /dev            h
   /dev/null         rw
   /dev/pts         
   /dev/tty*         
   /etc            h
   /etc/ld.so.cache      r
   /etc/localtime         r
   /etc/nsswitch.conf      r
   /etc/passwd         r
--
# Role: root
subject /bin/tar o {
   /            h
   /Cmn            r
   /Cmn/dLo         rwcd   
   /Cmn/MyVideos      rwcd   
   /Cmn/gX*         rwcd   
   /Cmn/naibdX         rwcd   
   /Cmn/m*            rwcd   
   /Cmn/src*         rwcd   
   /bin            h
   /bin/tar         x
   /bin/gzip         x
   /bin/bzip2         x
   /bin/mkdir         x
   /etc            h
   /etc/group         r
   /etc/localtime         r
   /etc/ld.so.cache      r
   /etc/nsswitch.conf      r
   /etc/passwd         r
--
# Role: root
subject /lib64/dhcpcd/dhcpcd-run-hooks o {
   /            
   /bin            x
   /boot            h
   /dev            
   /dev/grsec         h
   /dev/kmem         h
   /dev/log         h
   /dev/mem         h
   /dev/null         w
   /dev/port         h
   /dev/tty         rw
   /etc            
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/ld.so.cache      r
   /etc/nsswitch.conf      r
   /etc/passwd         r
--
# Role: root
subject /usr/bin/crontab o {
group_transition_allow root nobody

   /            h
   /bin            h
   /bin/bash         x
   /etc            h
   /etc/crontab         r
   /etc/group         r
   /etc/ld.so.cache      r
   /etc/nsswitch.conf      r
   /etc/passwd         r
--
# Role: root
subject /usr/bin/sudo o {
group_transition_allow nobody root

   /            h
   /bin            h
   /bin/bash         xwcd
   /bin/touch         rwc
   /bin/mkdir         x
   /dev            h
   /dev/console         
   /dev/log         rw
   /dev/pts         
   /dev/tty         rw
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/shadow-         h
   /etc/passwd         r
--
# Role: root
subject /usr/sbin/crond o {
user_transition_allow miro
group_transition_allow root nobody miro

   /            h
   /bin            h
   /bin/bash         x
   /dev/log         rw
   /etc            h
   /etc/cron.d         
   /etc/cron.d/prune-cronstamps   r
   /etc/group         r
   /etc/localtime         r
   /etc/passwd         r
--
# Role: miro
subject /bin/ps o {
   /            h
   /bin            h
   /bin/ps            x
   /dev            h
   /dev/null         rw
   /dev/pts         
   /dev/tty6         
   /etc            h
   /etc/ld.so.cache      r
   /etc/localtime         r
   /etc/nsswitch.conf      r
   /etc/passwd         r
--
# Role: miro
subject /bin/tar o {
   /            h
   /Cmn            r
   /Cmn/dLo         rwcd   
   /Cmn/MyVideos      rwcd   
   /Cmn/gX*         rwcd   
   /Cmn/naibdX         rwcd   
   /Cmn/m*            rwcd   
   /Cmn/src*         rwcd   
   /bin            h
   /bin/tar         x
   /bin/gzip         x
   /bin/bzip2         x
   /bin/mkdir         x
   /etc            h
   /etc/group         r
   /etc/localtime         r
   /etc/ld.so.cache      r
   /etc/nsswitch.conf      r
   /etc/passwd         r
--
# Role: miro
subject /opt/icedtea-bin-3.0.1/bin/java o {
   /            h
   /Cmn            r
   /Cmn/gX*            rwcd
   /Cmn/m*            rwcd
   /Cmn/Kaff         rwcd
   /dev            h
   /dev/null         w
   /dev/random         r
   /dev/urandom         r
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/ld.so.cache      r
   /etc/localtime         r
   /etc/nsswitch.conf      r
   /etc/passwd         r
--
# Role: miro
subject /usr/bin/crontab o {
user_transition_allow miro nobody
group_transition_allow miro nobody

   /            h
   /bin            h
   /bin/bash         x
   /etc            h
   /etc/group         r
   /etc/ld.so.cache      r
   /etc/nsswitch.conf      r
   /etc/passwd         r
--
# Role: miro
subject /usr/bin/maildrop o {
user_transition_allow miro

   /            h
   /bin            h
   /bin/bash         x
   /etc            h
   /etc/ld.so.cache      r
   /etc/localtime         r
   /etc/maildroprc         r
   /etc/nsswitch.conf      r
   /etc/passwd         r


Only these programs either got the /etc/passwd to read, either via learning,
or... (who can remember now?, but I couldn't solemny sware I didn't set it,
but it's unlikely)...

My grsec_160508_g5n_00 above (where g5n is the hostname, 160508 is for 2016-06-08):

Code: Select all
# diff grsec_160508_g5n_00 /etc/grsec/policy
#

(that's: empty string)

corresponds to the current active policy.

My questions are:

1) Why would mplayer need to access /etc/passwd ?

2) Which of the other programs that do access /etc/passwd is legitimate to be allowed to do so, they are ( this is just the short listing obtained with command --like the above, just shorter--

# grep -B20 '\/etc\/passwd[[:space:]]\{,5\}r' grsec_160508_g5n_00 | grep -B1 'subject \/'

):

Code: Select all
# Role: root
subject /bin/chown o {
--
# Role: root
subject /opt/icedtea-bin-3.0.1/bin/java o {
--
# Role: root
subject /bin/ps o {
--
# Role: root
subject /bin/tar o {
--
# Role: root
subject /lib64/dhcpcd/dhcpcd-run-hooks o {
--
# Role: root
subject /usr/bin/crontab o {
--
# Role: root
subject /usr/bin/sudo o {
--
# Role: root
subject /usr/sbin/crond o {
--
# Role: miro
subject /bin/ps o {
--
# Role: miro
subject /bin/tar o {
--
# Role: miro
subject /opt/icedtea-bin-3.0.1/bin/java o {
--
# Role: miro
subject /usr/bin/crontab o {
--
# Role: miro
subject /usr/bin/maildrop o {


Particularly as far as mplayer goes (but that is also relevant to very much else) maybe I should note that the episode above with mplayer asking to read /etc/passwd is by a regular mplayer from Gentoo Portage install:

Code: Select all
# equery l mplayer
 * Searching for mplayer ...
[IP-] [  ] media-video/mplayer-1.2.1:0
#

and that install was not tempered with by me the user in any way in the world, that I do know for certain, and can hold my hand on fire and sware on it.

And (very relevant as well), it happened in my Gentoo Air-Gapped box very safely away from anything that smells of internet (other than optical media by which I transfer files to and from a clone machine that is cloned from that Air-Gapped-master, same MBO for-online-no-SOHO machine, this other one that I'm posting this post with).

I thought I would post this. Maybe if there will be replies by more advanced users or higher, it will be useful to others as well.

A DIGRESSION, START (don't read if have no time)
I do believe grsecurity does such a good job, brothers in *nix! The greatest hope left for FOSS Linux it is. If only the Linux Community on the whole would go fully supportive of grsecurity, if only! And then maybe grsecurity return to be fully free, for stable as well (it does not even touches on my use, I always use testing kernels... but I like to spread the word and spread the good programs, of which grsecurity tops the list with me...

But I doubt the FON'ed community would mend their ways... And I support spender and PaX Team in their decisions. The community at large, also the good but silent and passive, are to blame, not the grsecurity/PaX team.
A DIGRESSION, END

And if I figure out more about this (the mplayer needing to read /etc/passwd, in the future), as this is guarrantied to itch me till I do, I'll post what I figure out.

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Return to RBAC policy development

cron