feature request: gradm_pam with kerberos auth


Postby shogberg » Mon Mar 21, 2016 3:38 pm

I'm trying to set up special roles for a group of admins using Kerberos authentication. This works OK if PAM is set up correctly; however, it only works from an admin role right now, due to gradm not being able to read the Kerberos config file if you're authenticating from root (or other non-admin roles).

kernel: [23703.198490] grsec: From <ipaddr>: (root:U:/sbin/gradm_pam) denied access to hidden file /etc/krb5.conf by /sbin/gradm_pam[gradm_pam:21933] uid/euid:0/0 gid/egid:0/0, parent /sbin/gradm[gradm:21932] uid/euid:0/0 gid/egid:0/0


My C is very rusty, but I believe the following in gradm_adm.c should allow Kerberos to work over port 88:

        /* for kerberos: let gradm_pam connect out to a KDC on TCP port 88 */
        proto = gr_getprotobyname("tcp");
        memset(&ip, 0, sizeof (ip));
        ip.low = 88;                       /* port range low..high, here only 88 */
        ip.high = 88;
        ip.type = (1U << SOCK_STREAM);     /* socket type bitmask: stream only */
        ip.proto[IPPROTO_IP / 32] |= (1U << (IPPROTO_IP % 32));          /* protocol bitmask */
        ip.proto[proto->p_proto / 32] |= (1U << (proto->p_proto % 32));
        add_ip_acl(current_subject, GR_IP_CONNECT, &ip);


and

        ADD_OBJ("/etc/krb5.conf", "r");


--Sean
Last edited by shogberg on Thu Mar 24, 2016 5:52 pm, edited 1 time in total.

Re: feature request: gradm_pam with kerberos auth

Postby shogberg » Thu Mar 24, 2016 5:51 pm

In a proof of concept, I also had to add the following for the gradm policy in gradm_adm.c, as the temporary Kerberos tickets get created in /tmp.

Not sure I love it (or I guess not sure if I should be concerned that /sbin/gradm can make changes to /tmp/krb5cc_pam*), but it functionally works:

        ADD_OBJ("/tmp", "");
        ADD_OBJ("/tmp/krb5cc_pam*", "rwcda");
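The two posts above boil down to reading a grsec denial line and turning it into the missing RBAC objects. The script below is an added example, not code from the thread or from gradm: it parses denials of the "denied access to hidden file" shape quoted in the first post (the only message shape it knows; the regex is an assumption built from that one line), groups them by subject, and renders candidate object lines in gradm policy syntax. The sample log lines are constructed, with the documentation address 192.0.2.10 standing in for <ipaddr>; the rule collapsing /tmp/krb5cc_pam_* paths into one wildcard object with the "rwcda" mode plus the bare /tmp directory object mirrors what the second post added and is an assumption of this example. It is a triage aid for reading denial logs, not a replacement for gradm's learning mode.

```python
import os
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: the first line is the denial quoted in the post with a
# documentation address (192.0.2.10) in place of <ipaddr>; the others are made up in
# the same shape to show grouping, a ticket-cache path and an unrelated line.
SAMPLE_LOG = """\
kernel: [23703.198490] grsec: From 192.0.2.10: (root:U:/sbin/gradm_pam) denied access to hidden file /etc/krb5.conf by /sbin/gradm_pam[gradm_pam:21933] uid/euid:0/0 gid/egid:0/0, parent /sbin/gradm[gradm:21932] uid/euid:0/0 gid/egid:0/0
kernel: [23704.001122] grsec: From 192.0.2.10: (root:U:/sbin/gradm_pam) denied access to hidden file /tmp/krb5cc_pam_x1Y2z3 by /sbin/gradm_pam[gradm_pam:21933] uid/euid:0/0 gid/egid:0/0, parent /sbin/gradm[gradm:21932] uid/euid:0/0 gid/egid:0/0
kernel: [23710.500000] grsec: From 192.0.2.10: (root:U:/sbin/gradm_pam) denied access to hidden file /etc/krb5.conf by /sbin/gradm_pam[gradm_pam:21940] uid/euid:0/0 gid/egid:0/0, parent /sbin/gradm[gradm:21939] uid/euid:0/0 gid/egid:0/0
kernel: [23711.000000] usb 1-1: new high-speed USB device number 4
"""

# Assumed from the one line in the post: only the "hidden file" denial shape is matched.
DENIAL_RE = re.compile(
    r"grsec: From (?P<src>\S+): "
    r"\((?P<role>[^:]+):(?P<roletype>[^:]+):(?P<subject>[^)]+)\) "
    r"denied access to hidden file (?P<path>\S+) "
    r"by (?P<exe>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+)"
)


@dataclass(frozen=True)
class Denial:
    src: str       # address the login came from ("From ...")
    role: str      # RBAC role in effect, e.g. root
    subject: str   # subject the denial was charged to, e.g. /sbin/gradm_pam
    path: str      # file the subject had no object for
    exe: str       # binary that made the access
    pid: int
    uid: int


def parse_denials(log: str) -> List[Denial]:
    """Extract structured denials; lines of any other shape are skipped."""
    out = []
    for line in log.splitlines():
        m = DENIAL_RE.search(line)
        if m:
            out.append(Denial(m["src"], m["role"], m["subject"], m["path"],
                              m["exe"], int(m["pid"]), int(m["uid"])))
    return out


# Assumed collapse rule for this example: per-login credential caches become one
# wildcard object with the mode the second post used, plus the /tmp directory object.
COLLAPSE_RULES: Dict[str, Tuple[str, str]] = {
    "/tmp/krb5cc_pam": ("/tmp/krb5cc_pam*", "rwcda"),
}


def objects_for(path: str, rules=COLLAPSE_RULES) -> List[Tuple[str, str]]:
    """Return the (object, mode) lines that would resolve one hidden-file denial."""
    for prefix, (glob, mode) in rules.items():
        if path.startswith(prefix):
            return [(os.path.dirname(glob), ""), (glob, mode)]
    # A hidden-file denial means no object matched at all; a read-only object on
    # the exact path is the least-privilege grant to start from.
    return [(path, "r")]


def suggest_policy(denials: List[Denial]) -> Dict[str, List[Tuple[str, str]]]:
    """Group denials by subject and return deduplicated, sorted object lines."""
    per_subject = defaultdict(set)
    for d in denials:
        per_subject[d.subject].update(objects_for(d.path))
    return {s: sorted(objs) for s, objs in per_subject.items()}


def render_policy(policy: Dict[str, List[Tuple[str, str]]]) -> str:
    """Render the suggestion as subject blocks in gradm policy syntax."""
    lines = []
    for subject, objs in sorted(policy.items()):
        lines.append(f"subject {subject} {{")
        for path, mode in objs:
            lines.append(f"    {path} {mode}".rstrip())
        lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_policy(suggest_policy(parse_denials(SAMPLE_LOG))))
```

Run on the constructed log this prints one subject block for /sbin/gradm_pam with three object lines: /etc/krb5.conf read-only, the bare /tmp directory, and the /tmp/krb5cc_pam* wildcard with the post's "rwcda" mode. The repeated /etc/krb5.conf denial from a second PID is deduplicated, and the unrelated kernel line is ignored. The point worth keeping from the second post is that the wildcard grants create/delete/write under /tmp to the gradm_pam subject, so review that line rather than pasting it in.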

Re: feature request: gradm_pam with kerberos auth

Postby spender » Thu Mar 24, 2016 6:15 pm

Thanks, I'll add something similar to the next version of gradm.

-Brad
