[Clip] Root lock out
bwhalen at tresys.com
Wed May 6 10:12:48 CDT 2009
On 5/6/09 10:45 AM, "Julian Onions" <Julian.Onions at nexor.com> wrote:
> Hi Brandon,
> I've been looking through the options, but as it appears its actually su that
> is changing the password (through pam libraries), so the domain sysadm_su_t
> would need quite a lot of privilege - the ability to write shadow for
> instance. I think this also applies to sudo too incidentally.
> It seems when sysadm_su_t run shell_exec_t it transitions into the sysadm_t
> domain, but there may be ways to get it to carry on running in the sysadm_su_t
> You can certainly do this with sudo, for instance
> sudo id -Z
> shows the context as sysadm_sudo_t - so if you change the
> sudo/su_per_role_template macro to allow password updates, it would seem most
> commands run under sudo would also have that ability. Su is slightly safer as
> it appears to always use the shell to execute -c commands, so you get the
> transition out of the sysadm_su_t domain into sysadm_t domain.
> Just glad we stumbled over this before shipping a system!
It looks like you've just found a little corner case of the policy. On every
system I know of that uses CLIP as it's base no user is ever able to
transition to root. On the systems I know of users execute small setuid
programs that transition to a confined domain to perform a simple task. I'll
look at ways we can implement this in the CLIP policy that will be
acceptable upstream. As I said if you have a patch, I'm willing to review
and possibly accept it.
>> From: Brandon Whalen [mailto:bwhalen at tresys.com]
>> Sent: 06 May 2009 15:35
>> To: Julian Onions; clip at oss.tresys.com
>> Subject: Re: [Clip] Root lock out
>> It appears that the su policy does not have the permissions to allow users
>> to update their passwords, only to check them. If you have a patch, I¹d be
>> willing to review and possibly accept it. Otherwise, I¹ll spend some time
>> today and tomorrow writing one and update our release once I¹ve tested it
>> all out.
>> On 5/6/09 9:03 AM, "Julian Onions" <Julian.Onions at nexor.com> wrote:
>>> Anyone have any ideas on this one that we've just tripped over.
>>> After installing a clip system, we age the password of root to force it to
>>> be changed
>>> chage -d 0 root
>>> However when attempting to su to root now, you are forced to change your
>>> password, as expected.
>>> However this fails because sysadm_su_t is not allowed access to crack_db_t
>>> - also doesn't have access to shadow_t and a number of others things it
>>> I was wondering therefore how to get around this.
>>> Also - where does the transition from sysadm_su_t to sysadm_t happen?
>>> DISCLAIMER: Privileged or confidential information may be contained in this
>>> message or within any files transmitted with it. If you are not the
>>> intended recipient, kindly destroy the message and notify the sender by
>>> reply email. Opinions, conclusions and other information in this message
>>> that do not relate to the official business of Nexor are neither given nor
>>> endorsed by it.
>>> Clip mailing list
>>> Clip at oss.tresys.com
>> Brandon Whalen Tresys Technology
>> v: 443-539-0747 Suite 2100
>> f: 410-953-0494 8840 Stanford Blvd
>> bwhalen at tresys.com Columbia, MD 21045
Brandon Whalen Tresys Technology
v: 443-539-0747 Suite 2100
f: 410-953-0494 8840 Stanford Blvd
bwhalen at tresys.com Columbia, MD 21045
More information about the Clip