sshd

Postby axehind » Wed Aug 06, 2003 5:16 pm

Hello all,

I need to allow users to connect to my box via sshd but not allow them to connect out. What should my acl look like to accomplish this? I'm using grsecurity2, openSSH with ldap authentication using PAM.

Thanks
axehind
 
Posts: 13
Joined: Mon Jul 01, 2002 1:32 pm

Postby spender » Thu Aug 07, 2003 8:05 am

If all your users are in a "users" group, just make a role for the group, and in the default subject for it, add:

connect disabled

You'll then need to add IP ACLs for whatever subjects need connect so that the users can log in (sshd for instance).

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby axehind » Thu Aug 07, 2003 9:05 am

Each user has different access. Right now when I try to log in I get this error which I don't understand. It happens even when I give sshd full access to /:

Aug 7 12:53:28 ssh2 kernel: grsec: From 10.1.1.201: denied connect to the unix domain socket /dev/log by (sshd:31316) uid/euid:5558/5558 gid/egid:15000/15000, parent (sshd:2100) uid/euid:0/0 gid/egid:0/0
axehind
 
Posts: 13
Joined: Mon Jul 01, 2002 1:32 pm

Postby spender » Thu Aug 07, 2003 9:07 am

Do you have any roles set up? Take note of the uid and gid of the sshd process in your log and see if you have roles set up for either of them. If you do, you need to add /dev/log rw to the sshd subject in that role.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby axehind » Thu Aug 07, 2003 9:22 am

I don't understand what you mean by that. Yes, the user exists on the system and there is an acl for them. You mean a nested subject or something like that?
axehind
 
Posts: 13
Joined: Mon Jul 01, 2002 1:32 pm

Postby spender » Thu Aug 07, 2003 10:23 am

I mean, do you have a line like:

role someuser u

in your /etc/grsec/acl file, where "someuser" is the user on your system with a uid of 5558. If you do, you need to give /dev/log rw access to an sshd subject in that role.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
