Authentication for binaries

Posted: Tue Aug 20, 2002 8:49 am
by hightower
Hi there,

as Brad wrote in the ACL Documentation:

> Administrative programs such as shutdown or reboot should require
> authentication, instead of giving everyone the capabilities to run them.

Sorry for a possibly stupid question, but how can I do this?
I understand it like someone logged in as root does "reboot" and then "grsec Password:" ... Am I right?

Or is this completely different and has nothing to do with the ACL subsystem?

ciao, Marc

Posted: Wed Aug 21, 2002 9:14 am
by spender
No, what I meant was that for your ACLs, it wouldn't be wise to grant
CAP_SYS_REBOOT to /sbin/shutdown. Because then the attacker logged in as
root can just execute that program, since it does what they want. What you
should do is give the capability to /sbin/shutdown, but make /sbin/shutdown
hidden to everyone, so what you do is use gradm -a to enter admin mode,
which allows you to view /sbin/shutdown, then you run it.

-Brad