gradm_pam with ldap problem

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

gradm_pam with ldap problem

Postby mjbroekman » Thu Jul 10, 2014 12:45 pm

I'm trying to set up separate admin roles for my sysadmins using grsec and I'm trying to get PAM authentication working between gradm and ldap. I know the ldap password is correct because sudo is able to authenticate properly. However, when I run gradm -p <role>, it tells me "Invalid password".

The basic process for them would be:
1. Log in as their user
2. sudo to root
3. gradm -p <admin_role>

So for user 'joe':
1. Login as 'joe'
2. sudo -H -s with the password for 'joe'
3. gradm -p joe

I have the 'joe' role configured as a special admin PAM-auth role (role joe sPA).

The grsec errors I see are:
kernel: [3213401.646400] grsec: From ipaddr: (root:U:/sbin/gradm_pam) denied connect() to the unix domain socket /run/nscd/socket by /sbin/gradm_pam[gradm_pam:32492] uid/euid:0/0 gid/egid:0/0, parent /sbin/gradm[gradm:32491] uid/euid:0/0 gid/egid:0/0
kernel: [3213401.646441] grsec: From ipaddr: (root:U:/sbin/gradm_pam) denied connect() to the unix domain socket /run/nscd/socket by /sbin/gradm_pam[gradm_pam:32492] uid/euid:0/0 gid/egid:0/0, parent /sbin/gradm[gradm:32491] uid/euid:0/0 gid/egid:0/0
kernel: [3213401.647877] grsec: From ipaddr: (root:U:/sbin/gradm_pam) denied access to hidden file /etc/ldap.conf by /sbin/gradm_pam[gradm_pam:32492] uid/euid:0/0 gid/egid:0/0, parent /sbin/gradm[gradm:32491] uid/euid:0/0 gid/egid:0/0
kernel: [3213401.648225] grsec: From ipaddr: (root:U:/sbin/gradm_pam) denied access to hidden file /etc/ldap.conf by /sbin/gradm_pam[gradm_pam:32492] uid/euid:0/0 gid/egid:0/0, parent /sbin/gradm[gradm:32491] uid/euid:0/0 gid/egid:0/0


The auth log messages I see are:
gradm_pam: pam_unix(gradm:auth): authentication failure; logname=joe uid=0 euid=0 tty= ruser= rhost= user=joe


I took a look at the gradm-3.0-201405281853.tar.gz source and didn't see permissions for those objects in the gradm_pam ACLs, but I'm not sure if there is more that I need to do to make this work aside from adding ACLs for them.

--Maarten
mjbroekman
 
Posts: 6
Joined: Wed Jul 09, 2014 5:17 pm

Re: gradm_pam with ldap problem

Postby spender » Thu Jul 10, 2014 6:48 pm

Hi Maarten,

Can you apply the following patch?
https://cvsweb.grsecurity.net/?p=gradm. ... ce32fea1cb

It will be included in the next gradm release.

Thanks,
-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: gradm_pam with ldap problem

Postby mjbroekman » Fri Jul 11, 2014 1:56 pm

That got me farther, and I ran into issues reading the resolvconf config as well as another LDAP file. I added the following to the gradm source:

diff --git a/gradm/gradm_adm.c b/gradm-3.0/gradm_adm.c
index 1b4f62f..133fcb2 100644
--- a/gradm/gradm_adm.c
+++ b/gradm-3.0/gradm_adm.c
@@ -208,6 +208,7 @@ add_gradm_pam_acl(struct role_acl *role)
ADD_OBJ("/usr/share/zoneinfo", "r");
ADD_OBJ("/etc/nsswitch.conf", "r");
ADD_OBJ("/etc/ldap.conf", "r");
+ ADD_OBJ("/etc/ldap/ldap.conf", "r");
ADD_OBJ("/dev/urandom", "r");
ADD_OBJ("/proc", "");
ADD_OBJ("/proc/filesystems", "r");
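Review bot: the a/ and b/ paths in the header disagree (a/gradm/gradm_adm.c vs b/gradm-3.0/gradm_adm.c), so this will not apply cleanly with `patch -p1` or `git apply` against either tree; regenerate it from one checkout. The added `/etc/ldap/ldap.conf` object is the OpenLDAP client configuration (the Debian-family location), a different file from the pam_ldap/nss_ldap `/etc/ldap.conf` on the line above, so both entries are needed, and read-only (`r`) is the right mode since gradm_pam only parses it.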
@@ -218,6 +219,7 @@ add_gradm_pam_acl(struct role_acl *role)
ADD_OBJ("/dev/pts", "rw");
ADD_OBJ("/var/run", "");
ADD_OBJ("/run", "");
+ ADD_OBJ("/run/resolvconf/resolv.conf", "r");
ADD_OBJ("/run/nscd/socket", "rw");
ADD_OBJ("/var/run/utmp", "rw");
ADD_OBJ("/var/run/utmpx", "rw");
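Review bot: the new `/run/resolvconf/resolv.conf` grant is needed because the neighbouring `/run` and `/var/run` objects grant nothing (`""`) and grsecurity matches objects on the resolved path, so a `/etc/resolv.conf` symlink into `/run/resolvconf/` is only covered if the target is listed; state that in the commit message, since the entry otherwise looks like an arbitrary resolvconf-specific path. Read-only is correct here; nothing in gradm_pam should write the resolver configuration.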

However, those didn't solve this last issue (which I haven't figured out exactly how to fix):

grsec: From ipaddr: (root:U:/sbin/gradm_pam) denied socket(inet,stream,ip) by /sbin/gradm_pam[gradm_pam:13213] uid/euid:0/0 gid/egid:0/0, parent /sbin/gradm[gradm:13212] uid/euid:0/0 gid/egid:0/0


I tried changing the netlink socket family to 'all', but that didn't work. I also tried adding a chunk of new code for an add_ip_acl, but that didn't seem to work either:
/* Snippet placed inside add_gradm_pam_acl() in gradm_adm.c, after the ADD_OBJ()
 * lines; it assumes that file's headers (netdb.h, string.h, stdlib.h, sys/socket.h)
 * and the current_subject that the surrounding ADD_OBJ() calls also use. */
struct ip_acl ip2;
struct protoent *proto2;

/* Look up the protocol number for "ip" (IPPROTO_IP, 0) in /etc/protocols. */
proto2 = getprotobyname("ip");
if (proto2 == NULL) {
	fprintf(stderr, "Error while parsing /etc/protocols.\n");
	exit(EXIT_FAILURE);
}
memset(&ip2, 0, sizeof (ip2));   /* was memset(&ip, ...): cleared the wrong struct, leaving ip2 uninitialised */
ip2.low = 2049;                  /* single-port range 2049-2049 */
ip2.high = 2049;
ip2.type = (1U << SOCK_DGRAM);   /* socket-type bitmap; the denial above was for a stream socket */
/* Set the bit for p_proto in the per-protocol bitmap (32 protocols per word). */
ip2.proto[proto2->p_proto / 32] |= (1U << (proto2->p_proto % 32));
add_ip_acl(current_subject, GR_IP_CONNECT, &ip2);
/* All-zero ip_acl for bind: no ports, socket types or protocols. */
memset(&ip2, 0, sizeof (ip2));   /* likewise was &ip */
add_ip_acl(current_subject, GR_IP_BIND, &ip2);
mjbroekman
 
Posts: 6
Joined: Wed Jul 09, 2014 5:17 pm

Re: gradm_pam with ldap problem

Postby spender » Fri Jul 11, 2014 8:44 pm

Hi Maarten,

Can you try this patch as well?

https://cvsweb.grsecurity.net/?p=gradm. ... c2926e34fb

The reason your changes didn't work was that IPPROTO_IP wasn't being added.

Thanks,
-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: gradm_pam with ldap problem

Postby mjbroekman » Mon Jul 14, 2014 9:26 am

The two of them together worked! Thanks for the help.
mjbroekman
 
Posts: 6
Joined: Wed Jul 09, 2014 5:17 pm

Re: gradm_pam with ldap problem

Postby mjbroekman » Tue Jul 22, 2014 4:40 pm

So, while pam auth through ldap does work, I am seeing the following errors from gradm_pam in my error log...

Jul 22 16:29:32 kernel: [83937.803380] grsec: From ipaddr: (root:U:/sbin/gradm_pam) denied access to hidden file /etc/gai.conf by /sbin/gradm_pam[gradm_pam:11537] uid/euid:0/0 gid/egid:0/0, parent /sbin/gradm[gradm:11536] uid/euid:0/0 gid/egid:0/0
Jul 22 16:29:32 kernel: [83937.803507] grsec: From ipaddr: (root:U:/sbin/gradm_pam) denied connect() to ldapserver1 port 636 sock type dgram protocol udp by /sbin/gradm_pam[gradm_pam:11537] uid/euid:0/0 gid/egid:0/0, parent /sbin/gradm[gradm:11536] uid/euid:0/0 gid/egid:0/0

I get 2 errors for each ldapserver in the log. Given that 636 is SSL ldap, I'm not sure why udp is being tried though.
mjbroekman
 
Posts: 6
Joined: Wed Jul 09, 2014 5:17 pm
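As an added example (mine, not code from the thread or the gradm project), a Python helper that parses grsec denial lines of the four shapes quoted in this thread into per-subject, policy-style grant lines, and separately flags udp connect() denials to the LDAP ports; the sample log is constructed, and the rendered `connect host:port type proto` form is an assumption to check against your gradm policy syntax before use.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the grsec denial lines quoted in this thread.
SAMPLE_LOG = """\
kernel: [3213401.646400] grsec: From ipaddr: (root:U:/sbin/gradm_pam) denied connect() to the unix domain socket /run/nscd/socket by /sbin/gradm_pam[gradm_pam:32492] uid/euid:0/0 gid/egid:0/0, parent /sbin/gradm[gradm:32491] uid/euid:0/0 gid/egid:0/0
kernel: [3213401.647877] grsec: From ipaddr: (root:U:/sbin/gradm_pam) denied access to hidden file /etc/ldap.conf by /sbin/gradm_pam[gradm_pam:32492] uid/euid:0/0 gid/egid:0/0, parent /sbin/gradm[gradm:32491] uid/euid:0/0 gid/egid:0/0
grsec: From ipaddr: (root:U:/sbin/gradm_pam) denied socket(inet,stream,ip) by /sbin/gradm_pam[gradm_pam:13213] uid/euid:0/0 gid/egid:0/0, parent /sbin/gradm[gradm:13212] uid/euid:0/0 gid/egid:0/0
kernel: [83937.803507] grsec: From ipaddr: (root:U:/sbin/gradm_pam) denied connect() to ldapserver1 port 636 sock type dgram protocol udp by /sbin/gradm_pam[gradm_pam:11537] uid/euid:0/0 gid/egid:0/0, parent /sbin/gradm[gradm:11536] uid/euid:0/0 gid/egid:0/0
"""

# Common prefix of every denial: "(role:roletype:subject) denied <what> by <binary>[...]".
HEAD = re.compile(r"grsec: From \S+ \((?P<role>[^:]+):(?P<rtype>[A-Z]+):(?P<subject>[^)]+)\) denied (?P<what>.*?) by \S+\[")
# One pattern per denial kind seen in the thread, with the policy-style line that would grant it.
KINDS = [
    (re.compile(r"access to hidden file (?P<path>\S+)$"), lambda m: f"{m['path']} r"),
    (re.compile(r"connect\(\) to the unix domain socket (?P<path>\S+)$"), lambda m: f"{m['path']} rw"),
    (re.compile(r"socket\((?P<family>\w+),(?P<type>\w+),(?P<proto>\w+)\)$"),
     lambda m: f"# needs a connect/bind rule for family {m['family']} ({m['type']}/{m['proto']})"),
    (re.compile(r"connect\(\) to (?P<host>\S+) port (?P<port>\d+) sock type (?P<type>\w+) protocol (?P<proto>\w+)$"),
     lambda m: f"connect {m['host']}:{m['port']} {m['type']} {m['proto']}"),
]

def parse_denials(log):
    """Return {subject: [policy-style line, ...]} for every grsec denial in log, duplicates collapsed."""
    out = defaultdict(list)
    for line in log.splitlines():
        h = HEAD.search(line)
        if not h:
            continue
        for pat, render in KINDS:
            m = pat.match(h["what"])
            if m:
                rule = render(m)
                if rule not in out[h["subject"]]:
                    out[h["subject"]].append(rule)
                break
    return dict(out)

def resolver_probe_connects(log):
    """Return (host, port) for udp connect() denials to the LDAP ports 389/636.
    A dgram/udp connect() to a TCP-only service port is the signature of glibc's
    getaddrinfo() source-address probe, not of an LDAP query going out over UDP."""
    hits = []
    for line in log.splitlines():
        m = re.search(r"denied connect\(\) to (\S+) port (\d+) sock type dgram protocol udp", line)
        if m and m.group(2) in ("389", "636"):
            hits.append((m.group(1), int(m.group(2))))
    return hits
```

The udp connect() to port 636 in the last post is glibc's getaddrinfo() connecting a UDP socket (which sends nothing) to each candidate address to learn the source address it would use for result sorting, which is also why /etc/gai.conf is read immediately before it. The earlier socket(inet,stream,ip) denial is the real LDAP connection, created with protocol 0 (IPPROTO_IP), matching Brad's explanation of why the ip_acl needed IPPROTO_IP.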
