Multiple admin roles.

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Multiple admin roles.

Postby getlost » Thu Sep 22, 2011 11:28 pm

Maybe this has been answered already but I could not find any info on it.

I have a local user 'admin' that runs certain crons and processes.
How can I set the role for that user so that it does not conflict with the GRSEC admin user role?

Thank you
Last edited by getlost on Mon Sep 26, 2011 3:43 pm, edited 1 time in total.
getlost
 
Posts: 4
Joined: Thu Sep 22, 2011 10:31 pm

Re: Multiple admin users.

Postby spender » Fri Sep 23, 2011 4:00 am

The names for special roles are arbitrary and never matched against real usernames on the system. In logs they are also marked as a special role. Though a special role with name "admin" is auto-added for use with the full learning system, there's no requirement elsewhere that an admin special role exist, or that it be named "admin".

Let me know if the RBAC system though is preventing you from having a user role with name "admin." That would be a bug and simple to fix.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Multiple admin users.

Postby getlost » Fri Sep 23, 2011 11:46 am

This is what I have in my policy. Maybe I am doing something dumb here (most likely)

role admin sA
subject / rvka
/ rwcdmlxi

role shutdown sARG
subject / rvka
/
/dev
/dev/urandom r
/dev/random r
/etc r
/bin rx
/sbin rx
/lib rx
/lib64 rx
/usr rx
/proc r
$grsec_denied
-CAP_ALL
connect disabled
bind disabled

role default
subject /
/ h
-CAP_ALL
connect disabled
bind disabled
.
.
.

role admin u
role_allow_ip 192.168.0.47/32
subject / {
/ h
/bin x
/dev h
/dev/pts rw
/dev/tty rw
/etc r
/etc/grsec h
.
.
.

When running gradm -C I get

[root@localhost ~]# gradm -C
The admin role has been marked as a persistent role. This severely compromises security as any process restarted via an admin role will retain the admin role indefinitely.
Please create a specific role for the handling of system shutdown (the common use case of persistent special roles). The RBAC system will not be allowed to be enabled until this error is fixed.
getlost
 
Posts: 4
Joined: Thu Sep 22, 2011 10:31 pm

Re: Multiple admin users.

Postby getlost » Mon Sep 26, 2011 3:12 pm

So is it possible to have two roles named admin?

one for the GRSEC admin role and one for regular user admin?
getlost
 
Posts: 4
Joined: Thu Sep 22, 2011 10:31 pm

Re: Multiple admin roles.

Postby spender » Tue Sep 27, 2011 9:29 am

Hi,

It's possible, there just existed a bug in gradm that you demonstrated that made it falsely report the user role as a persistent role. It's been fixed in the latest version of gradm. Thanks for the report!

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Multiple admin roles.

Postby getlost » Tue Sep 27, 2011 1:06 pm

Thank you for the fast turn around.

Thank you for all the work put into GRSEC.
getlost
 
Posts: 4
Joined: Thu Sep 22, 2011 10:31 pm


Return to grsecurity support