feature request: gradm_pam with kerberos auth
Posted: Mon Mar 21, 2016 3:38 pm
I'm trying to set up special roles for a group of admins using kerberos authentication. This works OK if pam is set up correctly; however, it only works from an admin role right now, due to gradm not being able to read the kerb config file if you're authenticating from root (or other non-admin roles).
kernel: [23703.198490] grsec: From <ipaddr>: (root:U:/sbin/gradm_pam) denied access to hidden file /etc/krb5.conf by /sbin/gradm_pam[gradm_pam:21933] uid/euid:0/0 gid/egid:0/0, parent /sbin/gradm[gradm:21932] uid/euid:0/0 gid/egid:0/0
My C is very rusty, but I believe the following in gradm_adm.c should allow kerberos to work over port 88
```c
/* for kerberos */
proto = gr_getprotobyname("tcp");
memset(&ip, 0, sizeof (ip));
ip.low = 88;                                  /* destination port range: 88 only */
ip.high = 88;
ip.type = (1U << SOCK_STREAM);                /* TCP sockets only */
ip.proto[IPPROTO_IP / 32] |= (1U << (IPPROTO_IP % 32));          /* protocol bitmask */
ip.proto[proto->p_proto / 32] |= (1U << (proto->p_proto % 32));  /* allow tcp (6) */
add_ip_acl(current_subject, GR_IP_CONNECT, &ip); /* outbound connect rule for the subject */
```
and
```c
ADD_OBJ("/etc/krb5.conf", "r");   /* read access to the kerberos client config */
```
--Sean
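As an added illustration (not code from the post or from gradm), the following stand-alone C models what the proposed IP ACL entry encodes: the port range, the socket-type bitmask and the per-protocol bitmask, plus a matcher showing which connects the entry would cover. The struct layout, `allow_proto` and `acl_allows` are hypothetical stand-ins; gradm's `gr_getprotobyname("tcp")` is replaced by the `IPPROTO_TCP` constant it resolves to.

```c
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>   /* IPPROTO_IP, IPPROTO_TCP, IPPROTO_UDP */
#include <sys/socket.h>   /* SOCK_STREAM, SOCK_DGRAM */

/* Hypothetical stand-in for gradm's IP ACL entry: only the fields the
 * forum snippet touches are modelled; the real struct differs. */
struct ip_acl_model {
    unsigned short low, high;   /* inclusive destination port range */
    unsigned int type;          /* bitmask of allowed socket types */
    unsigned int proto[8];      /* bitmask over the 256 IP protocol numbers */
};

/* Set the bit for one IP protocol number, as the snippet does by hand. */
static void allow_proto(struct ip_acl_model *ip, int proto)
{
    if (proto < 0 || proto > 255)
        return;
    ip->proto[proto / 32] |= 1U << (proto % 32);
}

/* Build the entry the post proposes: TCP connects to port 88 only. */
static struct ip_acl_model kerberos_entry(void)
{
    struct ip_acl_model ip;
    memset(&ip, 0, sizeof ip);
    ip.low = 88;
    ip.high = 88;
    ip.type = 1U << SOCK_STREAM;
    allow_proto(&ip, IPPROTO_IP);   /* mirrors the snippet's IPPROTO_IP bit */
    allow_proto(&ip, IPPROTO_TCP);  /* what gr_getprotobyname("tcp") yields */
    return ip;
}

/* Does the entry match a connect() with this socket type, protocol and port? */
static int acl_allows(const struct ip_acl_model *ip, int sock_type, int proto, unsigned port)
{
    if (port < ip->low || port > ip->high)
        return 0;
    if (!(ip->type & (1U << sock_type)))
        return 0;
    if (proto < 0 || proto > 255)
        return 0;
    return (int)((ip->proto[proto / 32] >> (proto % 32)) & 1U);
}

/* Convenience wrapper: check a connect against the proposed kerberos entry. */
int kerberos_allows(int sock_type, int proto, unsigned port)
{
    struct ip_acl_model ip = kerberos_entry();
    return acl_allows(&ip, sock_type, proto, port);
}
```

Running the matcher shows the entry covers TCP to port 88 but not UDP to port 88 or TCP to any other port, which is the behaviour to keep in mind when checking whether the KDC traffic actually goes out over TCP.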