Additional permissions for /sbin/gradm_pam on SLES
Posted: Tue Oct 04, 2011 1:48 pm
Dear developers,
I had to patch gradm_adm.c in order to make it possible to use PAM authentication on SLES11 SP1.
My PAM configuration is "the default" which is mostly pam_unix2:
sles11-64-grsecurity:/etc/pam.d # cat /etc/pam.d/gradm
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
I had to apply the following patch to gradm-2.2.2-201109151158:
diff -rupN gradm2.orig/gradm_adm.c gradm2/gradm_adm.c
--- gradm2.orig/gradm_adm.c 2011-06-06 05:14:53.000000000 +0200
+++ gradm2/gradm_adm.c 2011-10-04 19:30:17.000000000 +0200
@@ -150,9 +150,11 @@ add_gradm_pam_acl(struct role_acl *role)
add_ip_acl(current_subject, GR_IP_BIND, &ip);
add_proc_object_acl(current_subject, "/", proc_object_mode_conv("h"), GR_FEXIST);
+ add_proc_object_acl(current_subject, "/etc/default/passwd", proc_object_mode_conv("r"), GR_FEXIST);
add_proc_object_acl(current_subject, "/etc/ld.so.cache", proc_object_mode_conv("r"), GR_FEXIST);
add_proc_object_acl(current_subject, "/etc/ld.so.preload", proc_object_mode_conv("r"), GR_FEXIST);
add_proc_object_acl(current_subject, "/etc/localtime", proc_object_mode_conv("r"), GR_FEXIST);
+ add_proc_object_acl(current_subject, "/etc/login.defs", proc_object_mode_conv("r"), GR_FEXIST);
add_proc_object_acl(current_subject, "/etc/protocols", proc_object_mode_conv("r"), GR_FEXIST);
add_proc_object_acl(current_subject, "/etc/passwd", proc_object_mode_conv("r"), GR_FEXIST);
add_proc_object_acl(current_subject, "/etc/shadow", proc_object_mode_conv("r"), GR_FEXIST);
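Review bot: Both new objects in this hunk are granted read-only ("r") with GR_FEXIST, matching the convention of the surrounding /etc entries, which is the right least-privilege shape for configuration files PAM only reads; what is missing is a short comment above the two lines saying they exist for SUSE's pam_unix2 default stack (per the /etc/pam.d/gradm shown above), since neither /etc/default/passwd nor /etc/login.defs is otherwise explained in this function and a later maintainer will not know why the gradm_pam subject reads them.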
@@ -185,6 +187,8 @@ add_gradm_pam_acl(struct role_acl *role)
add_cap_acl(current_subject, "+CAP_IPC_LOCK", NULL);
add_cap_acl(current_subject, "+CAP_AUDIT_WRITE", NULL);
+ add_sock_family(current_subject, "netlink");
+
return;
}
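Review bot: The add_sock_family(current_subject, "netlink") line widens the gradm_pam subject's socket policy to the whole netlink family rather than a single protocol, so the rationale should be stated in a comment; the most plausible consumer is the audit logging that the preceding "+CAP_AUDIT_WRITE" line already anticipates, and naming it makes the grant reviewable. Minor style point: the extra empty "+" line before return; adds a stray blank line and should be dropped.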
Which means adding just three lines. Do you consider this acceptable to grsecurity?
Thank you in advance.