[Clip] Root lock out

Brandon Whalen bwhalen at tresys.com
Wed May 6 10:12:48 CDT 2009 

On 5/6/09 10:45 AM, "Julian Onions" <Julian.Onions at nexor.com> wrote:

> Hi Brandon,
>  
> I've been looking through the options, but as it appears its actually su that
> is changing the password (through pam libraries), so the domain sysadm_su_t
> would need quite a lot of privilege - the ability to write shadow for
> instance. I think this also applies to sudo too incidentally.
>  
> It seems when sysadm_su_t run shell_exec_t it transitions into the sysadm_t
> domain, but there may be ways to get it to carry on running in the sysadm_su_t
> domain. 
> You can certainly do this with sudo, for instance
> sudo id -Z
> shows the context as sysadm_sudo_t - so if you change the
> sudo/su_per_role_template macro to allow password updates, it would seem most
> commands run under sudo would also have that ability. Su is slightly safer as
> it appears to always use the shell to execute -c commands, so you get the
> transition out of the sysadm_su_t domain into sysadm_t domain.
>  
> Just glad we stumbled over this before shipping a system!
>  
> Julian. 
> 
It looks like you've just found a little corner case of the policy. On every
system I know of that uses CLIP as it's base no user is ever able to
transition to root. On the systems I know of users execute small setuid
programs that transition to a confined domain to perform a simple task. I'll
look at ways we can implement this in the CLIP policy that will be
acceptable upstream. As I said if you have a patch, I'm willing to review
and possibly accept it.


>>  
>>  
>> 
>> 
>>  From: Brandon Whalen  [mailto:bwhalen at tresys.com]
>> Sent: 06 May 2009 15:35
>> To:  Julian Onions; clip at oss.tresys.com
>> Subject: Re: [Clip] Root lock  out
>> 
>>  
>> Julian,
>> 
>> It appears that the su policy does not  have the permissions to allow users
>> to update their passwords, only to check  them. If you have a patch, I¹d be
>> willing to review and possibly accept it.  Otherwise, I¹ll spend some time
>> today and tomorrow writing one and update our  release once I¹ve tested it
>> all out.
>> 
>> Brandon
>> 
>> 
>> On 5/6/09 9:03  AM, "Julian Onions" <Julian.Onions at nexor.com>  wrote:
>> 
>>  
>>> Anyone have any  ideas on this one that we've just tripped over.
>>> 
>>> After installing a clip  system, we age the password of root to force it to
>>> be changed
>>> chage -d 0  root
>>> However when attempting to su to root now, you are forced to change  your
>>> password, as expected.
>>> However this fails because sysadm_su_t is not  allowed access to crack_db_t
>>> - also doesn't have access to shadow_t and a  number of others things it
>>> needs.
>>> I was wondering therefore how to get  around this.
>>> Also - where does the transition from sysadm_su_t to  sysadm_t happen?
>>> 
>>> Thanks
>>> Julian
>>> 
>>> DISCLAIMER: Privileged or confidential information may be  contained in this
>>> message or within any files transmitted with it.  If  you are not the
>>> intended recipient, kindly destroy the message and notify  the sender by
>>> reply email.  Opinions, conclusions and other information  in this message
>>> that do not relate to the official business of Nexor are  neither given nor
>>> endorsed by it.
>>> 
>>> 
>>>  
>>> 
>>>  _______________________________________________
>>> Clip  mailing list
>>> Clip at oss.tresys.com
>>> http://oss.tresys.com/mailman/listinfo/clip
>> 
>> Brandon Whalen         Tresys Technology
>> v: 443-539-0747        Suite 2100
>> f: 410-953-0494        8840 Stanford Blvd
>> bwhalen at tresys.com    Columbia,  MD 21045
>> 
> 

Brandon Whalen        Tresys Technology
v: 443-539-0747       Suite 2100
f: 410-953-0494       8840 Stanford Blvd
bwhalen at tresys.com    Columbia, MD 21045

More information about the Clip mailing list