grsecurity forums

This seems a little odd to me. Consider this policy:

Code: Select all

role corman sPG
role_transitions admin
...

role default G
role_transitions corman
...


The default role can't transition to the admin role... BUT it can disable gradm altogether!

Code: Select all

[root@c1inf047 ~]# gradm -a admin
Password:
Invalid password.
[root@c1inf047 ~]# gradm -D
Password:
[root@c1inf047 ~]#


It says "Invalid password." but I did type it correctly. Not sure if that's the intended error message; the docs seem to indicate it would instead give a "Permissions denied" error. So that's another problem I see here.

The role transition from default to corman to admin works:

Code: Select all

[root@c1inf047 ~]# gradm -p corman
Password:
[root@c1inf047 ~]# gradm -a admin
Password:
[root@c1inf047 ~]# gradm -D
Password:
[root@c1inf047 ~]#


Is it just me, or should the admin role (or a role with the A flag) be the only role able to disable gradm?

If having any role that can run gradm being able to disable gradm is the intended behavior... I guess I can see why. Wondering if there is a way to restrict the disabling of gradm to a role with the A flag only.

Everything there is working as intended. The nonspecific error message is to help prevent bruteforce discovery of special role names. Hopefully you're using different passwords for the admin role than the RBAC system disabling password. The admin role is only needed to reload RBAC policy, since gradm in any other case won't have access to the policy files or password file to perform a reload.

-Brad

I figured on the password thing; it's just inconsistent with what the policy file that comes with gradm says:

Code: Select all

# role transitions specify which special roles a given role is allowed
# to authenticate to.  This applies to special roles that do not
# require password authentication as well.  If a user tries to
# authenticate to a role that is not within his transition table, he
# will receive a permission denied error


And yes I am using different passwords The password being different should be sufficient to prevent it becoming disabled, was just wondering if there was a way to disallow disabling unless you're admin.