grsecurity forums

by **patetobg** » Thu Aug 14, 2003 1:41 am

hi , i'm new to grsec and would like to ask :
can set a passwd for a porcess , i mean passwd that is different from gradm passwd or any other paswd?
the idea is:
i want to have sshd,apache,sqiud etc. ruuning protected.
i want to be able to restart them ( kill ) , but i want to set another passwd for the process that kills them ( i think one more passwd will not make my life harder,but will make it more difficult for an attaker to kill my stuff) ....
i think i can set a passwd on a role and this role will only kill stuff.
( how do i set a passd on a role , exept for the login passwd ?)
(i think about user with name kill , with shell /bin/false , in his ACL hi will have only a subject for killall. I want to log like another user, switch to role kill WITH A PASSWD , kill what i want , and then exit)

any ideas ?

by **spender** » Thu Aug 14, 2003 8:30 am

special roles are made for just this purpose.

-Brad

by **patetobg** » Thu Aug 14, 2003 9:40 am

any info on that?
(the doc's i've found do not tell anything,because this is new stuff)

by **spender** » Thu Aug 14, 2003 9:56 am

It should be documented in the sample acl provided with gradm2. You set up a role like:

role specialuser s
subject / {
/ h
-CAP_ALL
connect disabled
bind disabled
}

subject /special/kill/program o {
objects here
}

then you gradm -P specialuser
to set up a password specifically for this role,
then you can gradm -a specialuser, and exec the program.

-Brad

by **patetobg** » Fri Aug 15, 2003 1:28 am

i did this:

role killer s
subject / {
/ h
-CAP_ALL
connect disabled
bind disabled
}
subject /etc/rc.d/rc.sshd ol {
/ h
}

then i do :
gradm -P killer
"Setting password for role killer"
"Passwd:XXXXXX"
"Re-enter Password:XXXXXX"
"Password written to /etc/grsec/pw"
then :
gradm -L /tmp/killer.log -E
"grsec: Loaded grsecurity 2.0"
when i type :
gradm -a killer
"Passwd:XXXXXX"
it says:
"grsec: special role killer failure for (gradm:30796 ) uid/euid:0/0,parent (bash:13209) uid/euid:0/0 gid/egid:0/0
Invaild password"
the passwd is ok!
where is the problem?

by **patetobg** » Fri Aug 15, 2003 1:49 am

this is my full acl:
role default
subject / {
/ h
-CAP_ALL
connect disabled
bind disabled
}

role root uG
role_allow_ip 0.0.0.0/32
role_allow_ip 192.168.0.2/24
subject / {
/ r
/bin x
/etc rx
/etc/grsec h
/etc/shadow h
/etc/passwd h
/etc/ssh h
/lib h
/lib/ld-2.2.5.so x
/lib/libc-2.2.5.so rx
/lib/libdl-2.2.5.so rx
/lib/libtermcap.so.2.0.8 rx
/proc r
/proc/kcore h
/proc/sys h
/sbin h
/sbin/insmod x
/usr h
/usr/bin h
/usr/bin/basename x
/usr/bin/id x
/usr/bin/run-parts r
/usr/sbin h
/usr/sbin/klogd x
/usr/sbin/sshd x
/usr/sbin/syslogd x
/var h
/var/log/secure r
/var/log/sshd r
/var/log/sudo r
/var/run/sshd.pid r
/dev
/dev/null w
/dev/pts rw
/dev/pts/0 rw
/dev/ptmx rw
/dev/tty rw
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/home r
/root
-CAP_ALL
bind disabled
connect disabled
}

subject /bin/bash o {
/
/lib rx
/bin x
/dev
/dev/null w
/dev/pts rw
/dev/pts/0 rw
/dev/ptmx rw
/dev/tty rw
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/etc rx

/etc/shadow h
/home r
/proc r
/proc/kcore h
/proc/sys h
/root r
/root/.bash_history ra
/root/install_instructions/ rw
/sbin x
/tmp
/usr
/usr/libexec h
/usr/libexec/rmt
/usr/share h
/usr/share/cvs/contrib/rcs2log
/usr/X11R6
/usr/bin x
/usr/local
/usr/sbin x
/var
/var/log
/var/spool/mail
-CAP_ALL
bind disabled
connect disabled
}

subject /bin/cp o {
/ h
/bin h
/bin/cp x
/etc h
/etc/ld.so.cache r
/home h
/lib h
/lib/ld-2.2.5.so x
/lib/libc-2.2.5.so rx
/root
/root/install_instructions wc
-CAP_ALL
bind disabled
connect disabled
}

subject /bin/killall o {
/ h
/bin h
/bin/killall x
/etc h
/etc/ld.so.cache r
/lib h
/lib/ld-2.2.5.so x
/lib/libc-2.2.5.so rx
/proc r
/proc/kcore h
/proc/sys h
-CAP_ALL
+CAP_DAC_OVERRIDE
bind disabled
connect disabled
}

subject /bin/login o {
/ h
/bin h
/bin/bash x
/bin/login x
/dev h
/dev/log rw
/dev/tty rw
/dev/tty1 w
/dev/tty2 w
/etc r
/etc/ssh h
/etc/grsec h
/lib rx
/usr h
/usr/share/zoneinfo/Europe/Sofia r
/var h
/var/log h
/var/log/faillog rw
/var/log/lastlog rw
/var/log/wtmp w
/var/run h
/var/run/utmp rw
/var/spool h
/var/spool/mail/root
/root
-CAP_ALL
+CAP_CHOWN
+CAP_FOWNER
+CAP_FSETID
+CAP_SETGID
+CAP_SETUID
bind disabled
connect disabled
}

subject /bin/ls o {
/
/bin h
/bin/ls x
/lib h
/lib/ld-2.2.5.so x
/lib/libc-2.2.5.so rx
/lib/libpthread-0.9.so rx
/lib/librt-2.2.5.so rx
/usr h
/usr/libexec/rmt
/usr/share/zoneinfo/Europe/Sofia
/var h
/var/log
/etc r
/etc/grsec h
/home
/proc r
/proc/kcore h
/proc/sys h
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
-CAP_ALL
+CAP_DAC_OVERRIDE
bind disabled
connect disabled
}

subject /bin/ps o {
/ h
/bin h
/bin/ps x
/boot h
/boot/System.map-ide-2.4.18 r
/dev h
/dev/pts h
/dev/pts/0
/dev/tty1
/dev/tty2
/dev/tty3
/dev/tty4
/dev/tty5
/dev/tty6
/etc r
/etc/ssh h
/etc/grsec h
/etc/shadow h
/lib rx
/usr h
/usr/share/zoneinfo/Europe/Sofia r
/proc r
/proc/kcore h
/proc/sys h
-CAP_ALL
+CAP_DAC_OVERRIDE
bind disabled
connect disabled
}

subject /bin/rm o {
/ h
/bin h
/bin/rm x
/etc h
/etc/ld.so.cache r
/lib h
/lib/ld-2.2.5.so x
/lib/libc-2.2.5.so rx
/root
/root/install_instructions wd
-CAP_ALL
bind disabled
connect disabled
}

subject /bin/su o {
/ h
/bin h
/bin/bash x
/bin/su x
/dev
/dev/pts rw
/dev/pts/0 rw
/dev/log rw
/etc r
/etc/ssh h
/etc/grsec h
/lib rx
/proc r
/proc/kcore h
/proc/sys h
/usr h
/usr/share/zoneinfo/Europe/Sofia r
/var h
/var/run/utmp rw
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind disabled
connect disabled
}

subject /sbin/agetty o {
/ h
/bin h
/bin/login x
/etc h
/etc/ld.so.cache r
/lib h
/lib/ld-2.2.5.so x
/lib/libc-2.2.5.so rx
/sbin h
/sbin/agetty x
/var h
/var/log/wtmp w
/var/run/utmp rw
/dev
/dev/tty1 rw
/dev/tty2 rw
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
bind disabled
connect disabled
}

subject /sbin/init o {
/ h
/dev h
/dev/console rw
/dev/initctl w
/dev/log rw
/sbin h
/sbin/agetty x
/sbin/init x
/var h
/var/log
/var/log/wtmp w
/var/run/utmp rw
/etc
/etc/inittab r
/etc/ssh h
/etc/grsec h
/etc/shadow h
/etc/passwd h
-CAP_ALL
bind disabled
connect disabled
}

subject /sbin/insmod o {
/ h
/etc/ld.so.cache r
/lib/ld-2.2.5.so x
/lib/libc-2.2.5.so rx
/sbin/insmod x
-CAP_ALL
+CAP_SYS_MODULE
bind disabled
connect disabled
}

subject /usr/bin/biff o {
/ h
/dev
/dev/tty w
/dev/ptmx rw
/dev/pts rw
/dev/pts/0 rw
/etc h
/etc/ld.so.cache r
/lib h
/lib/ld-2.2.5.so x
/lib/libc-2.2.5.so rx
/proc r
/proc/kcore h
/proc/sys h
/usr h
/usr/bin/biff x
-CAP_ALL
+CAP_FSETID
bind disabled
connect disabled
}

subject /usr/bin/elvis o {
/ h
/lib h
/lib/ld-2.2.5.so x
/lib/libc-2.2.5.so rx
/lib/libresolv-2.2.5.so rx
/lib/libtermcap.so.2.0.8 rx
/root h
/root/install_instructions rw
/usr h
/usr/bin h
/usr/bin/elvis x
/usr/share h
/usr/share/elvis-2.1_4 rw
/var h
/var/tmp rwcd
/etc
/etc/ld.so.cache r
/etc/ssh
/etc/ssh/sshd_config rw
/etc/syslog.conf rw
/etc/termcap r
/etc/grsec h
/etc/shadow h
/etc/passwd h
-CAP_ALL
+CAP_DAC_OVERRIDE
bind disabled
connect disabled
}

subject /usr/bin/sudo o {
/ h
/bin h
/bin/su x
/dev
/dev/log rw
/dev/tty rw
/dev/ptmx rw
/dev/pts rw
/dev/pts/0 rw
/proc r
/proc/kcore h
/proc/sys h
/etc h
/etc/group r
/etc/passwd r
/etc/shadow r
/etc/sudo/sudoers r
/var h
/var/run/sudo
/var/run/sudo/admin w
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_RESOURCE
bind disabled
connect disabled
}

subject /usr/sbin/crond o {
/ h
/bin h
/bin/bash x
/etc h
/etc/group r
/etc/passwd r
/var h
/var/spool/cron
/var/spool/cron/cron.root.1470 rwcd
/var/spool/cron/cron.root.2398 rwcd
/root
-CAP_ALL
+CAP_SETGID
bind disabled
connect disabled
}

subject /usr/sbin/inetd o {
/
/dev h
/dev/null rw
/etc h
/etc/inetd.conf r
/etc/ld.so.cache r
/etc/nsswitch.conf r
/etc/services r
/lib rx
/usr h
/usr/sbin/inetd x
/var h
/var/run
/var/run/inetd.pid wcd
/proc/kcore h
/proc/sys h
-CAP_ALL
+CAP_SETGID
+CAP_NET_BIND_SERVICE
bind 0.0.0.0/32:113 stream tcp
connect disabled
}

subject /usr/sbin/klogd o {
/
/dev h
/dev/log rw
/etc h
/etc/ld.so.cache r
/lib h
/lib/ld-2.2.5.so x
/lib/libc-2.2.5.so rx
/proc h
/proc/kmsg r
/usr h
/usr/sbin/klogd x
/usr/share/zoneinfo/Europe/Sofia r
/var h
/var/run
/var/run/klogd.pid rwcd
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}

subject /usr/sbin/sshd o {
/
/bin h
/bin/bash
/dev
/dev/log rw
/dev/null rw
/dev/ptmx rw
/dev/pts rw
/dev/pts/0 rw
/dev/tty rw
/dev/urandom r
/etc r
/etc/grsec h
/lib rx
/proc
/proc/kcore h
/proc/sys h
/usr h
/usr/lib/libz.so.1.1.4 rx
/usr/sbin/sshd x
/usr/share/zoneinfo/Europe/Sofia r
/var h
/var/log
/var/log/lastlog rw
/var/log/wtmp w
/var/run
/var/run/sshd.pid wcd
/var/run/utmp rw
/home
/home/admin
/home/admin/.ssh
/home/admin/.ssh/authorized_keys r
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_SETGID
+CAP_SETUID
+CAP_NET_BIND_SERVICE
+CAP_SYS_TTY_CONFIG
bind 10.1.1.221/8:22 stream tcp
bind 192.168.0.1/24:22 stream tcp
bind 0.0.0.0/32:0 dgram ip
connect 0.0.0.0/32:53 dgram udp
connect 127.0.0.1/8:53 dgram udp
}

subject /usr/sbin/syslogd o {
/
/etc r
/etc/ssh h
/etc/grsec h
/etc/shadow h
/etc/passwd h
/lib rx
/usr h
/usr/sbin/syslogd x
/usr/share/zoneinfo/Europe/Sofia r
/var h
/var/log a
/var/run
/var/run/syslogd.pid rwcd
/dev
/dev/log wcd
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/proc/kcore h
/proc/sys h
-CAP_ALL
bind disabled
connect disabled
}

role admin u
role_allow_ip 192.168.0.2/24
role_allow_ip 0.0.0.0/32
subject / {
/ h
/bin x
/boot h
/boot/System.map-ide-2.4.18 r
/dev h
/dev/pts/0 w
/dev/tty rw
/dev/tty2 w
/etc r
/etc/ssh h
/etc/grsec h
/etc/shadow h
/home h
/home/admin rwcd
/lib rx
/usr h
/usr/bin h
/usr/bin/biff x
/usr/bin/id x
/usr/bin/scp x
/usr/bin/sudo x
/usr/lib h
/usr/lib/libz.so.1.1.4 rx
/usr/share h
/usr/share/zoneinfo/Europe/Sofia r
/var h
/var/spool/mail
/proc r
/proc/kcore h
/proc/sys h
-CAP_ALL
bind disabled
connect disabled
}

subject /usr/bin/sudo o {
/ h
/dev
/dev/tty w
/dev/ptmx rw
/dev/pts rw
/dev/pts/0 rw
/etc h
/etc/ld.so.cache r
/etc/nsswitch.conf r
/etc/passwd r
/etc/shadow r
/lib rx
/proc r
/proc/kcore h
/proc/sys h
/usr h
/usr/bin/sudo x
/usr/share/zoneinfo/Europe/Sofia r
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind 0.0.0.0/32:0 dgram ip
connect disabled

}

subject /usr/bin/biff o {
/ h
/dev
/dev/pts w
/dev/tty2 w
/dev/pts/0 w
/etc h
/etc/ld.so.cache r
/lib h
/lib/ld-2.2.5.so x
/lib/libc-2.2.5.so rx
/proc r
/proc/kcore h
/proc/sys h
/usr h
/usr/bin/biff x
+CAP_ALL
bind disabled
connect disabled
}

role killer s
subject / {
/ h
-CAP_ALL
connect disabled
bind disabled
}
subject /etc/rc.d/rc.sshd ol {
/ h
}

by **spender** » Sat Aug 16, 2003 5:32 am

you need to add:
role_transitions killer
below your role root uG line in your config. This allows root to transition to the killer role.

-Brad

by **patetobg** » Sat Aug 16, 2003 8:01 am

yes i did it!:)
10x :)
a suggestion:
when i run gradm in full learning mode i get this in my acl's:

/proc h
/proc/XXXX r
/proc/yyyy r

the thing is that the pid is different every time so i had to do:
/proc r
/proc/kcore h
/proc/sys h

i may be wrong because i've ran the full mode for mostly 10 mins
but i just noticed ......

another question:
when i gradm -a killer
how can i go back to role root?

by **spender** » Sat Aug 16, 2003 8:17 am

If you ran learning for a little longer, it would reduce the accesses to what you said.

To get back to role root, exit your shell. I'm going to be adding an option to exit a special role without exiting the shell in the official -rc3.

-Brad

by **patetobg** » Sat Aug 16, 2003 9:02 am

10x :)
the reason i ran full learning for so little time is that i'm one enthusiastic linux addict ( and newbie as well ) i just can't wait to see th acl's :)

one more thing :
grsec rulez! :D :D

grsecurity forums

set password on a process or role

set password on a process or role