Hi everyone,
I'm new to the grsecurity RBAC system.
I run a grsecurity patched kernel (3.2.55-grsec) on a Debian machine. I downloaded gradm from grsecurity.org and compiled it.
I did this on my machine:
$ sudo gradm -E
then I logged out.
After that, it was impossible for me to log in through ssh (this is a remote machine, so ssh is my only way to login).
Fortunately, a hard reboot solved the problem.
Any idea why this happened and how I can avoid this problem in the future?
Thanks for your help.
Can't login after enabling RBAC system
4 posts
• Page 1 of 1
Can't login after enabling RBAC system
by Pedro » Tue Feb 25, 2014 8:03 am
- Pedro
- Posts: 2
- Joined: Tue Feb 25, 2014 7:34 am
Re: Can't login after enabling RBAC system
by spender » Tue Feb 25, 2014 9:23 am
Hi,
Take a look at your kernel logs before the system reset -- you should find the reason why you were unable to login. I wouldn't recommend running gradm -E from an unprivileged user account with sudo. Log in as root, run gradm -E then immediately authenticate to the admin role. You'll then be able to see what gets denied across the rest of the system (via dmesg) and fix up the policy. Other than that, you could start with full system learning instead.
-Brad
Take a look at your kernel logs before the system reset -- you should find the reason why you were unable to login. I wouldn't recommend running gradm -E from an unprivileged user account with sudo. Log in as root, run gradm -E then immediately authenticate to the admin role. You'll then be able to see what gets denied across the rest of the system (via dmesg) and fix up the policy. Other than that, you could start with full system learning instead.
-Brad
- spender
- Posts: 2185
- Joined: Wed Feb 20, 2002 8:00 pm
Re: Can't login after enabling RBAC system
by Pedro » Tue Feb 25, 2014 10:14 am
Thanks for your reply.
I found this in my syslog (just changed my hostname, ip address and username)
How could I give sshd access to the required files in /proc, and also .ssh config files in users homes?
I don't understand what's the deal with the CAP_KILL problem.
Also, is there another way to use gradm than authenticate as root and then authenticate as a RBAC admin with a password? This doesn't seem very convenient for automating these tasks.
I found this in my syslog (just changed my hostname, ip address and username)
Feb 25 12:24:46 rrrr kernel: [126452.027292] grsec: From 12.34.56.78: (default:D:/usr/sbin/sshd) denied open of /proc/10405/oom_score_adj for writing by /usr/sbin/sshd[sshd:10405] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:2205] uid/euid:0/0 gid/egid:0/0
Feb 25 12:24:46 rrrr kernel: [126452.207657] grsec: From 12.34.56.78: (default:D:/usr/sbin/sshd) denied open of /home/myusername/.ssh/authorized_keys2 for reading by /usr/sbin/sshd[sshd:10405] uid/euid:0/1000 gid/egid:0/1000, parent /usr/sbin/sshd[sshd:2205] uid/euid:0/0 gid/egid:0/0
Feb 25 12:25:54 rrrr kernel: [126520.483717] grsec: From 12.34.56.78: (default:D:/usr/sbin/sshd) use of CAP_KILL denied for /usr/sbin/sshd[sshd:10405] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:2205] uid/euid:0/0 gid/egid:0/0
How could I give sshd access to the required files in /proc, and also .ssh config files in users homes?
I don't understand what's the deal with the CAP_KILL problem.
Also, is there another way to use gradm than authenticate as root and then authenticate as a RBAC admin with a password? This doesn't seem very convenient for automating these tasks.
- Pedro
- Posts: 2
- Joined: Tue Feb 25, 2014 7:34 am
Re: Can't login after enabling RBAC system
by mnalis » Sun Mar 23, 2014 5:07 pm
How could I give sshd access to the required files in /proc, and also .ssh config files in users homes?
I don't understand what's the deal with the CAP_KILL problem.
you add to your /usr/bin/sshd subject
- Code: Select all
/proc/*/oom_score_adj rw
/home/*/.ssh r
+CAP_KILL
if you want to allow just one (or few) users instead of all, you would use "/home/myusername/.ssh r" instead of "/home/*/.ssh r", of course. CAP_KILL is needed as sshd tries to kill some of it children sometimes (proxycommand, privseparation child etc)
Also, is there another way to use gradm than authenticate as root and then authenticate as a RBAC admin with a password? This doesn't seem very convenient for automating these tasks.
That is intentional.You should not use allmighty admin role for automating tasks (it would simply create another almighy account, which kills the whole point of removing priviileges from almighty "root" you had before grsec). If you need elevated privileges for some tasks, you should use:
- special admin user role - for example for "webadmin" user can change apache configs:
- Code: Select all
role webadmin u
subject /
/etc/apache2 rwcdl
- use subject inheritance - for example
- Code: Select all
/usr/local/sbin/add_virtualhost:
echo blablabla > /etc/apache2/sites-available/$1.conf
/usr/bin/a2ensite $1
/etc/grsec/policy:
subject /usr/local/sbin/add_virtualhost
/etc/apache2 rwcdl
/usr/bin rxi
(in this case /usr/bin/a2ensite too would run with rwcdl access to /etc/apache2 directory) - use non-authenticated role for automation ["N" role flag, along with "s"]
use "gradm -n role_name" to temporarily activate it without any password, and "gradm -u" to deactivate it. You should use role_transitions to define which roles may use that (you don't want to allow all users to change to role which does not require password!!)
In short, admin role should really never be used for regular system operation (much less automation!), but rather for unprecedented maintenance tasks and changing RBAC policy itself (adding new roles, etc).
- mnalis
- Posts: 57
- Joined: Fri Sep 29, 2006 11:23 am
4 posts
• Page 1 of 1