How Gradm protects its own password?

Posted: Thu Nov 06, 2008 10:34 am
by evilangel
Hi all,

After setting up the admin password with gradm:
gradm -P
the file /etc/grsec/pw is generated.
However, this file is readable by root.

Finally, how does gradm protect its own secret against corruption?

Thanks

Re: How Gradm protects its own password?

Posted: Fri Nov 07, 2008 8:24 pm
by spender
With the RBAC system disabled, you have more to worry about than just the /etc/grsec/pw file being readable as root.
When the RBAC system is enabled, however, here are just a few of the ways:
The /etc/grsec/pw file is protected by default when the RBAC system is enabled through enforced policy rules (you won't be able to load a policy if a default subject is able to read /etc/grsec/pw).
Even gradm itself when the RBAC system is enabled is disallowed from accessing anything in /etc/grsec.
Password entry attempts are rate limited and denials are logged.
Modifications to /etc/grsec/pw even by an admin role while the RBAC system is enabled don't affect the current password set that exists in kernel memory.
Checks are made for terminal sniffers before any password prompt is given.
No process started by anyone else logged in as you will be able to ptrace your processes.
/root is enforced to be non-writable by default subjects as well, to prevent tampering with shell configuration (modification of your PATH, etc).

-Brad

Re: How Gradm protects its own password?

Posted: Sun Nov 09, 2008 5:24 pm
by evilangel
Thanks for this precious information.

Re: How Gradm protects its own password?

Posted: Mon Nov 10, 2008 9:59 am
by spender
I should also add the learning mode of the RBAC system will automatically generate policies that keep files in /etc/grsec protected from reading or modification.

-Brad
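
Added example, not part of the original thread and not gradm's own code: a simplified model of the rule described in the replies above, that no default subject may be able to read /etc/grsec/pw, and of what a learning-generated policy should therefore contain. The policy grammar handled here (role, subject, "path mode" object lines, longest-path matching, "h" for hidden) is a reduced subset taken as an assumption, and both sample policies are constructed.

```python
SECRET = "/etc/grsec/pw"

# Constructed sample policies (simplified subset of the policy syntax, assumed).
GOOD_POLICY = """
role default
subject /
    /           r
    /etc/grsec  h
    /root       r
"""
BAD_POLICY = """
role default
subject /
    /           r
    /etc        r
role alice u
subject /
    /           rwx
    /etc/grsec  h
"""

def default_subjects(policy):
    """Yield (role, {object_path: mode}) for each role's default subject '/'."""
    role, objects = None, None
    for raw in policy.splitlines():
        tok = raw.split("#")[0].replace("{", " ").replace("}", " ").split()
        if not tok:
            continue
        if tok[0] in ("role", "subject"):
            if objects is not None:
                yield role, objects        # close the previous default subject
            objects = {} if tok[:2] == ["subject", "/"] else None
            role = tok[1] if tok[0] == "role" else role
        elif objects is not None and tok[0].startswith("/"):
            objects[tok[0]] = tok[1] if len(tok) > 1 else ""

    if objects is not None:
        yield role, objects

def effective_mode(objects, path):
    """Mode of the most specific (longest) object covering path; '' if none."""
    best, mode = "", ""
    for obj, m in objects.items():
        covers = path == obj or path.startswith(obj.rstrip("/") + "/")
        if covers and len(obj) > len(best):
            best, mode = obj, m
    return mode

def audit(policy, path=SECRET):
    """List (role, mode) where a default subject can read or modify path."""
    modes = [(r, effective_mode(o, path)) for r, o in default_subjects(policy)]
    return [(r, m) for r, m in modes if set(m) & set("rwa")]
```

Here audit(BAD_POLICY) reports the "default" role, because its most specific object covering the password file is /etc with read access, while GOOD_POLICY yields no findings.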