spender's proc acl

Submit your RBAC policies or suggest policy improvements

spender's proc acl

Postby spender » Wed Mar 06, 2002 3:15 pm

Here's my proc acl:

/usr/X11R6/bin/XFree86 {
/ rwx
/var/log/XFree86.0.log rwo
+CAP_SYS_RAWIO
+CAP_SYS_MODULE
}

/usr/sbin/sshd hp {
/ rwx
/etc/shadow ro
/var/log/lastlog rwo
+CAP_NET_BIND_SERVICE
}

/usr/bin/ssh {
/ rwx
+CAP_NET_BIND_SERVICE
}

/usr/bin/wine {
/ rwx
+CAP_SYS_RAWIO
}

/usr/bin/wineserver {
/ rwx
+CAP_SYS_RAWIO
}

/usr/bin/cdp {
/ rwx
+CAP_SYS_RAWIO
}

/bin/su {
/ rwx
/etc/shadow ro
}

/bin/login {
/ rwx
/etc/shadow ro
/var/log/lastlog rwo
}

/etc/rc.d/init.d/halt vk {
/ rwx
+CAP_SYS_ADMIN
+CAP_SYS_RAWIO
+CAP_NET_ADMIN
}
/etc/rc.d/rc vk {
/ rwx
+CAP_SYS_ADMIN
+CAP_NET_ADMIN
}

/usr/sbin/httpd {
/ rwx
+CAP_NET_BIND_SERVICE
}

/usr/lib/postfix/master {
/ rwx
+CAP_NET_BIND_SERVICE
}

/usr/sbin/named {
/ rwx
+CAP_NET_BIND_SERVICE
+CAP_SYS_CHROOT
+CAP_SETPCAP
}

/usr/sbin/proftpd {
/ rwx
+CAP_NET_BIND_SERVICE
}

/usr/sbin/xinetd {
/ rwx
+CAP_NET_BIND_SERVICE
}

/usr/local/bin/snort {
/ rwx
/var/log/snort rwo
}
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Suggestion on suid files

Postby hytron » Fri May 24, 2002 9:05 am

A good suggestion for everyone would be to use a separate partition that will be mounted RO for suid files. This way, you add some extra security since you cannot modify the contents of suid file. I have a /suid partititon that keeps all of my suids and the permissions look like:

drwx--x--x 3 root root 1024 May 10 09:19 suid/

Note that the permissions for root are rwx but that's only for that directory when it was created. Since ro mount option was used, it remains read-only. This way no one can see names for the suids that you have on the system. Well, some known system programs will have symbolic links (like passwd, sendmail, etc.) to /suid, and others that you don't want to expose will be hidden.
hytron
 
Posts: 7
Joined: Mon May 20, 2002 2:20 pm

Postby torne » Thu Aug 22, 2002 8:21 am

The ACL system can already deny the ability to write to any file you like, so you don't need to do this. Just make sure that there is no write access to /bin /sbin /usr/bin /usr/sbin /lib..etc and then no binary can be changed at all, suid or not. =)
torne
 
Posts: 54
Joined: Mon Aug 12, 2002 12:52 pm

Postby spender » Thu Aug 22, 2002 8:39 am

btw don't use the rules above, they were for a very early version of the ACL system.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby marcinek » Thu Aug 22, 2002 5:05 pm

maybe you have some of yours acl's??
marcinek
 
Posts: 7
Joined: Thu Aug 22, 2002 4:37 pm


Return to RBAC policy development