grsecurity forums

Skip to content

sshd ACL

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.
Topic locked

sshd ACL

Postby phreek » Fri May 23, 2008 7:42 pm

hi
im trying to setup some ACLs and i get this when i enable RBAC and i cant ssh into the box

May 23 18:33:49 prometheus grsec: From 69.31.133.178: (root:U:/usr/sbin/sshd) change to gid 22 denied for /usr/sbin/sshd[sshd:22374] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:22373] uid/euid:0/0 gid/egid:0/0

whats this "change to gid 22 denied" stuff ?

Thanks
phreek
 
Posts: 2
Joined: Fri May 23, 2008 7:37 pm
Top

Re: sshd ACL

Postby phreek » Fri May 23, 2008 7:44 pm

here is my subject for it , in the ACL for user root

subject /usr/sbin/sshd op {
user_transition_allow root
group_transition_allow root

/
/bin h
/bin/bash
/dev h
/dev/log rw
/dev/null rw
/dev/ptmx rw
/dev/pts rw
/dev/urandom r
/etc r
/etc/grsec h
/etc/localtime r
/etc/shadow- h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp/chap-secrets h
/etc/ppp/pap-secrets h
/etc/samba/smbpasswd h
/usr h
/usr/lib
/usr/lib/libcrypto.so.0.9.8 rx
/usr/lib/libssl.so.0.9.8 rx
/usr/sbin
/usr/sbin/sshd x
/var h
/var/empty
/var/log
/var/log/lastlog rw
/var/log/wtmp w
/var/run
/var/run/sshd.pid wd
/var/run/utmp rw
/lib rx
/proc
/proc/sys/kernel/ngroups_max r
/proc/kcore h
/proc/bus h
/sys h
-CAP_ALL
+CAP_CHOWN
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_CHROOT
+CAP_NET_ADMIN
+CAP_SYS_RESOURCE
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
bind 0.0.0.0/32:0 dgram ip
bind 0.0.0.0/32:0 stream tcp
connect 0.0.0.0/0:22 stream dgram udp tcp
connect 0.0.0.0/0:6969 stream dgram udp tcp
connect 127.0.0.1/32:53 dgram udp
}

and the subject for it on user sshd
prometheus roles # cat sshd
role_allow_ip 0.0.0.0/0
subject / {
/ h
/var h
/var/empty rw
/etc h
/etc/localtime r
-CAP_ALL
bind disabled
connect disabled
}
phreek
 
Posts: 2
Joined: Fri May 23, 2008 7:37 pm
Top

Re: sshd ACL

Postby cormander » Sat May 24, 2008 4:11 am

What's the output of this on your system:

grep :22: /etc/passwd
grep :22: /etc/group

It's likely that sshd is trying to setgid to whatever gid 22 is on your system (sshd user?) via the privilege separation option in openssh.
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm
Top

Re: sshd ACL

Postby gtatur » Wed Jun 04, 2008 3:34 am

Hi,
I get following problem, when I updated to latest stable grsecurity: grsecurity-2.1.11-2.6.24.5-200804211829.patch.gz
My previous sshd ACL was working fine:
subject /usr/sbin/sshd op {
user_transition_allow root
group_transition_allow root
...................
After update I get error:
(root:U:/usr/sbin/sshd) change to gid 65534 denied for /usr/sbin/sshd[sshd:4667] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4666] uid/euid:0/0 gid/egid:0/0

65534 this is gid of group nogroup.
To get rid off these errors, ACL group_transition_allow and user_transition_allow should be changed. In my case this is:
subject /usr/sbin/sshd o {
user_transition_allow root sshd
group_transition_allow root nogroup
......

I guess, in your case, this should be:
subject /usr/sbin/sshd op {
user_transition_allow root sshd
group_transition_allow root sshd

Hope, this should help you.
gtatur
 
Posts: 1
Joined: Wed Jun 04, 2008 3:22 am
Top
Topic locked

Return to grsecurity support

Powered by phpBB® Forum Software © phpBB Group