[Pkg-shadow-devel] patch for su - 2
Alexander Gattin
arg@online.com.ua
Sun, 12 Jun 2005 18:05:41 +0300
Hi!
On Thu, Jun 09, 2005 at 08:01:11PM +0200, Tomasz Kłoczko wrote:
> uid/gid it is part of capabilities (IIRC CAP_SETGID and CAP_SETUID cap).
> Probably look on some example code in libcap will help solve this.
BTW, with grsec (http://www.grsecurity.net/) CAPs can
be removed/granted on a per-role basis, based upon a
combination of role/executable.
Nicolas uses grsec, and I do as well. But I use only
basic functionality of grsec, like non-executable
stack/data (PaX), chroot restrictions and hardlink
restrictions (please, look at: http://bugs.debian.org/225692
-- it's very useful to know about).
IMHO the hardlink concept is a bit ugly for security
applications. Hardlinks need special handling, like in
grsec or openwall, or you just have to assume separation of
user-writable partitions like /home and /var from the rest of
the system.
> BTW: probably it would be good to extend su/sg to allow changing uid/gid together with
> changing the available set of capabilities. For example it would be good to perform
> su to a kind of service account with a minimal set of CAPs
I agree, this would be useful. But, if you only need
to switch to some predefined set of CAPs for given
service, then grsec's policy for that executable is
what you need. ;)
Also with grsec you can have a different set of CAPs for
the service depending on the user/role it is being run
from/under.
If you need to restrict CAPs unpredictably/freely, then
static configs like /etc/grsec2/policy won't help much,
of course -- you will need _run time_ switches.
> and + CAP_BIND for binding to port <= 1024 (after
> binding to the network device it is possible to drop this
> CAP too).
BTW, with grsec you can allow/restrict a service to
_specific_ port/ports ;) for example glue bind9 to
53/UDP.
The syntax for IP ACLs:
connect {
<ip>/<netmask>:<low port>-<high port> <type> <proto>
...
}
bind {
<ip>/<netmask>:<low port>-<high port> <type> <proto>
...
}
or:
connect {
disabled
}
bind {
disabled
}
Example for bind9 (the first block is the "bind" ACL of the bind9 subject; it was labelled "bind9" above, which is not a block keyword in the syntax just shown):
bind {
0.0.0.0/0:53 dgram udp
}
connect {
0.0.0.0/0:53 dgram udp
0.0.0.0/0:53 stream tcp
}
this is untested yet. ;)
--
WBR,
xrgtn
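As an added illustration of the IP ACL syntax quoted in the mail (this is example code written for this page, not grsecurity's own parser or anything from the shadow package), the following Python parses `bind { ... }` / `connect { ... }` blocks of one subject, including the `disabled` form, and evaluates whether a given socket operation would match. The evaluation semantics are this example's assumptions, not something the mail states: an operation is permitted when any rule in the block matches, `disabled` denies everything for that operation, and a subject with no block of that kind is treated as unrestricted. The sample policy is the mail's bind9 example plus one constructed range rule.

```python
"""Parser and evaluator for the grsecurity RBAC 'bind'/'connect' IP ACL
syntax.  Added example for this page, not grsec's own code.  Matching
semantics (any matching rule permits; 'disabled' denies all; an absent
block leaves the operation unrestricted) are assumptions of this example."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# <ip>/<netmask>:<low port>[-<high port>] <type> <proto>
RULE_RE = re.compile(r"^(\S+?)/(\S+?):(\d+)(?:-(\d+))?\s+(\S+)\s+(\S+)$")
BLOCK_RE = re.compile(r"^(bind|connect)\s*\{$")


@dataclass
class IpRule:
    network: ipaddress.IPv4Network
    low_port: int
    high_port: int
    sock_type: str  # e.g. "dgram" or "stream"
    proto: str      # e.g. "udp" or "tcp"

    def matches(self, ip: str, port: int, sock_type: str, proto: str) -> bool:
        return (ipaddress.IPv4Address(ip) in self.network
                and self.low_port <= port <= self.high_port
                and self.sock_type == sock_type
                and self.proto == proto)


def parse_rule(line: str) -> IpRule:
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"malformed IP ACL rule: {line!r}")
    ip, mask, low, high, sock_type, proto = m.groups()
    low_port = int(low)
    high_port = int(high) if high else low_port
    if not (0 <= low_port <= high_port <= 65535):
        raise ValueError(f"bad port range in rule: {line!r}")
    # strict=False tolerates host bits in the address; the mask may be a
    # prefix length ("/0") or dotted ("/255.255.255.0")
    network = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return IpRule(network, low_port, high_port, sock_type, proto)


# A block value of None records 'disabled' (deny everything for that op)
Acls = Dict[str, Optional[List[IpRule]]]


def parse_ip_acls(text: str) -> Acls:
    """Parse the bind {...} / connect {...} blocks of one subject."""
    acls: Acls = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        m = BLOCK_RE.match(line)
        if m:
            if current is not None:
                raise ValueError(f"nested block at: {line!r}")
            current = m.group(1)
            acls[current] = []
            continue
        if line == "}":
            if current is None:
                raise ValueError("'}' without an open block")
            current = None
            continue
        if current is None:
            raise ValueError(f"rule outside any block: {line!r}")
        if line == "disabled":
            acls[current] = None
            continue
        if acls[current] is None:
            raise ValueError(f"'disabled' cannot be mixed with rules in {current}")
        acls[current].append(parse_rule(line))
    if current is not None:
        raise ValueError(f"unterminated {current} block")
    return acls


def is_allowed(acls: Acls, op: str, ip: str, port: int,
               sock_type: str, proto: str) -> bool:
    if op not in acls:
        return True   # assumption: no block of this kind means unrestricted
    rules = acls[op]
    if rules is None:
        return False  # 'disabled'
    return any(r.matches(ip, port, sock_type, proto) for r in rules)


# The mail's bind9 example (block labelled 'bind'), plus one constructed
# range rule so the evaluator is exercised on more than port 53.
EXAMPLE_POLICY = """
bind {
    0.0.0.0/0:53 dgram udp
}
connect {
    0.0.0.0/0:53 dgram udp
    0.0.0.0/0:53 stream tcp
    10.0.0.0/8:1024-65535 stream tcp   # constructed: outbound to 10/8 only
}
"""
ACLS = parse_ip_acls(EXAMPLE_POLICY)

if __name__ == "__main__":
    print("bind 53/udp  :", is_allowed(ACLS, "bind", "0.0.0.0", 53, "dgram", "udp"))
    print("bind 53/tcp  :", is_allowed(ACLS, "bind", "0.0.0.0", 53, "stream", "tcp"))
    print("connect 8080 :", is_allowed(ACLS, "connect", "10.1.2.3", 8080, "stream", "tcp"))
```

Note that with the mail's policy a TCP listener on 53 is not permitted, since the `bind` block only lists `dgram udp`; if named is expected to answer TCP queries, a `0.0.0.0/0:53 stream tcp` line belongs in `bind` as well, which is the kind of gap a quick evaluator like this makes visible before the policy is loaded.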