Hi,
I'm currently writing my very first set of ACL's for LIVE deployment on webservers and database boxes. Hooray !! Maybe now I can get some sleep at night.
Here's the problem:
I am removing the NET_ADMIN capability from the default ACL., it prevents me from bringing up a new interface or adding an alias, however I can still bring down an interface and/or add/remove routes ? GRSec tells me that CAP_NET_ADMIN is denied, but the end result is either a unreachable network or a new route.
I'm running 2.4.20 from kernel.org with the GRS 1.9.8.
Its running on a very basic RedHat 8.0 install.
Any help would be greatly appreciated.
CAP_NET_ADMIN Broken ?
10 posts
• Page 1 of 1
CAP_NET_ADMIN Broken ?
by Debiant » Thu Feb 06, 2003 1:00 pm
- Debiant
- Posts: 6
- Joined: Thu Feb 06, 2003 12:35 pm
by spender » Thu Feb 06, 2003 3:05 pm
I don't believe this is a grsecurity problem, as the capability code is correct. I've just tested your situation on my system here with no problems:
www:/etc/grsec# gradm -E
www:/etc/grsec# ifconfig eth0 down
SIOCSIFFLAGS: Permission denied
www:/etc/grsec# route add 192.168.2.0
SIOCADDRT: Operation not permitted
www:/etc/grsec# gradm -D
Password:
www:/etc/grsec# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
notice no .2.0 entry
www:/etc/grsec# ifconfig
eth0 Link encap:Ethernet HWaddr 00:10:5A:D1:70:75
....
notice eth0 is still up
and in the logs:
grsec: use of CAP_NET_ADMIN denied for (ifconfig:11301) UID(0) EUID(0), parent (bash:11285) UID(0) EUID(0)
grsec: use of CAP_NET_ADMIN denied for (route:11307) UID(0) EUID(0), parent (bash:11285) UID(0) EUID(0)
-Brad
www:/etc/grsec# gradm -E
www:/etc/grsec# ifconfig eth0 down
SIOCSIFFLAGS: Permission denied
www:/etc/grsec# route add 192.168.2.0
SIOCADDRT: Operation not permitted
www:/etc/grsec# gradm -D
Password:
www:/etc/grsec# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
notice no .2.0 entry
www:/etc/grsec# ifconfig
eth0 Link encap:Ethernet HWaddr 00:10:5A:D1:70:75
....
notice eth0 is still up
and in the logs:
grsec: use of CAP_NET_ADMIN denied for (ifconfig:11301) UID(0) EUID(0), parent (bash:11285) UID(0) EUID(0)
grsec: use of CAP_NET_ADMIN denied for (route:11307) UID(0) EUID(0), parent (bash:11285) UID(0) EUID(0)
-Brad
- spender
- Posts: 2185
- Joined: Wed Feb 20, 2002 8:00 pm
by spender » Thu Feb 06, 2003 3:12 pm
Also, as more proof, here's a snippet of code from net/ipv4/fib_frontend.c:
int ip_rt_ioctl(unsigned int cmd, void *arg)
{
int err;
struct kern_rta rta;
struct rtentry r;
struct {
struct nlmsghdr nlh;
struct rtmsg rtm;
} req;
switch (cmd) {
case SIOCADDRT: /* Add a route */
case SIOCDELRT: /* Delete a route */
if (!capable(CAP_NET_ADMIN))
return -EPERM;
If you did indeed remove the CAP_NET_ADMIN capability a subject that covered /sbin/route, then it would have denied it right there.
-Brad
int ip_rt_ioctl(unsigned int cmd, void *arg)
{
int err;
struct kern_rta rta;
struct rtentry r;
struct {
struct nlmsghdr nlh;
struct rtmsg rtm;
} req;
switch (cmd) {
case SIOCADDRT: /* Add a route */
case SIOCDELRT: /* Delete a route */
if (!capable(CAP_NET_ADMIN))
return -EPERM;
If you did indeed remove the CAP_NET_ADMIN capability a subject that covered /sbin/route, then it would have denied it right there.
-Brad
- spender
- Posts: 2185
- Joined: Wed Feb 20, 2002 8:00 pm
by Debiant » Fri Feb 07, 2003 5:38 am
Thanks for taking the time to check and reply.
I have run the same test you have run and I get denied in exactly the same way.
However if I use /sbin/ip to add/delete routes I can do so without any errors or warnings.
[root@~ moya]# ip route add 192.168.50.2 via 192.168.10.2 dev eth0
[root@~ moya]# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.50.2 192.168.10.2 255.255.255.255 UGH 40 0 0 eth0
192.168.10.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo
0.0.0.0 192.168.10.1 0.0.0.0 UG 40 0 0 eth0
[root@~ moya]# telnet 192.168.50.2 22
Trying 192.168.50.2...
Connected to 192.168.50.2
Escape character is '^]'.
OpenSSH 3.5p1
Protocol mismatch.
Connection closed by foreign host.
[root@~ moya]#
I was wrong when I said I could bring the interface down though. I can not do that, but I can unbind its IP address and remove the interface from the routing table.
Remove all the routing information for the interface: ip addr flush dev eth0
Unbind the ip address from the interafce: ip addr delete 192.168.10.10 dev eth0
Bind a new / different IP address: ip addr add 192.168.10.40 dev eth0
How is this possible ?
I have run the same test you have run and I get denied in exactly the same way.
However if I use /sbin/ip to add/delete routes I can do so without any errors or warnings.
[root@~ moya]# ip route add 192.168.50.2 via 192.168.10.2 dev eth0
[root@~ moya]# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.50.2 192.168.10.2 255.255.255.255 UGH 40 0 0 eth0
192.168.10.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo
0.0.0.0 192.168.10.1 0.0.0.0 UG 40 0 0 eth0
[root@~ moya]# telnet 192.168.50.2 22
Trying 192.168.50.2...
Connected to 192.168.50.2
Escape character is '^]'.
OpenSSH 3.5p1
Protocol mismatch.
Connection closed by foreign host.
[root@~ moya]#
I was wrong when I said I could bring the interface down though. I can not do that, but I can unbind its IP address and remove the interface from the routing table.
Remove all the routing information for the interface: ip addr flush dev eth0
Unbind the ip address from the interafce: ip addr delete 192.168.10.10 dev eth0
Bind a new / different IP address: ip addr add 192.168.10.40 dev eth0
How is this possible ?
- Debiant
- Posts: 6
- Joined: Thu Feb 06, 2003 12:35 pm
Feeling queesy now
by Debiant » Fri Feb 07, 2003 10:13 am
The more I look into this more uneasy I feel. 
I have straced the ip command and it appears to use netlink sockets PF_NETLINK to talk to the kernel directly. man (7) netlink. Obviously this is bypassing the capability system and allows root the ability to contol parts of the network he shouldn't be allowed to.
I wouldn't be incredibly suprised if /sbin/tc did the same thing. I'm doing some more investigation and I will post the strace info as soon as I finish.
I have straced the ip command and it appears to use netlink sockets PF_NETLINK to talk to the kernel directly. man (7) netlink. Obviously this is bypassing the capability system and allows root the ability to contol parts of the network he shouldn't be allowed to.
I wouldn't be incredibly suprised if /sbin/tc did the same thing. I'm doing some more investigation and I will post the strace info as soon as I finish.
- Debiant
- Posts: 6
- Joined: Thu Feb 06, 2003 12:35 pm
Excellent
by Debiant » Fri Feb 07, 2003 5:11 pm
Hi Brad,
Thats great. Most excellent.
Thank you for your work on this, and thanks to the whole team for grsecurity.
It is an excellent and invaluable project.
Thank you.
Maybe you should send a notificication post about this to bugtrack ???
Thanks again,
Mark
Thats great. Most excellent.
Thank you for your work on this, and thanks to the whole team for grsecurity.
It is an excellent and invaluable project.
Thank you.
Maybe you should send a notificication post about this to bugtrack ???
Thanks again,
Mark
- Debiant
- Posts: 6
- Joined: Thu Feb 06, 2003 12:35 pm
10 posts
• Page 1 of 1