grsec does not allow gradm -R by default

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

Postby in-grsecurity@baka.org » Sat Jul 31, 2004 1:40 am

With a fairly (very) permissive configuration, gradm -R does not work. I am allowed to gradm -D and gradm -E. I'm not too enthused to try out different options because of the risk of locking myself out. Knowing the proper magic to insert would be great!

-------------------------
not seth> ./gradm -R
Password:
Error changing directory to /etc/grsec
Error: No such file or directory
-------------------------

No syslog messages are produced. This is running in the default role.

This is using the 2.6.7 patch specified in a recent forum post, and a slightly modified cvs-tip gradm2 (modified to allow the analysis to be suggestions, not requirements).

The relevant configuration is:

role super sA {
    subject / r {
        / rwcdmxi
        +CAP_ALL
        +CAP_SYS_RAWIO
    }
}

role admin sA {
    subject / r {
        / rwcdmx
        +CAP_ALL
        +CAP_SYS_RAWIO
    }
}

role default G {
    role_transitions admin super
    subject / r {
        / rwcdmx
        +CAP_ALL
        +CAP_SYS_RAWIO
    }

    [.....]
}
--Seth Robertson
in-grsecurity@baka.org
 
Posts: 10
Joined: Sat Jul 31, 2004 1:25 am

Postby in-grsecurity@baka.org » Sat Jul 31, 2004 1:34 pm

OK, reading the man page (yes, yes) I discovered that you have to be in admin mode to use gradm -R. However, I believe that restriction is just silly--given you can disable the system using the same password--so I still want to know the rule to insert to allow -R to work.
--Seth Robertson
in-grsecurity@baka.org
 
Posts: 10
Joined: Sat Jul 31, 2004 1:25 am

Postby spender » Tue Aug 03, 2004 1:39 am

The reason is that gradm -R needs access to the configuration files so that it can reload them and re-parse them. You shouldn't be able to modify your configuration unless you are in the admin role anyway (and if you are, you have an extremely poor policy configured, despite the attempts of gradm to get you to use a secure policy).

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Postby in-grsecurity@baka.org » Wed Aug 04, 2004 10:26 am

spender wrote: The reason is that gradm -R needs access to the configuration files so that it can reload them and re-parse them. You shouldn't be able to modify your configuration unless you are in the admin role anyway (and if you are, you have an extremely poor policy configured, despite the attempts of gradm to get you to use a secure policy).

-Brad


I understand that. My point is that having gradm -R require two levels of authentication while gradm -D only requires one does not make sense. gradm -D is the more dangerous command, since gradm -R will only affect the security policy if someone has the necessary rights to modify the policy file, and, as you point out, if they can do that, you have more serious problems.
--Seth Robertson
in-grsecurity@baka.org
 
Posts: 10
Joined: Sat Jul 31, 2004 1:25 am

