From: Eric Paris <eparis@redhat.com>
To: LC Bruzenak <lenny@magitekltd.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH 7/7] audit: audit feature to set loginuid immutable
Date: Wed, 10 Jul 2013 15:09:12 -0400 [thread overview]
Message-ID: <1373483352.31358.14.camel@dhcp137-13.rdu.redhat.com> (raw)
In-Reply-To: <51DDAD22.7010507@magitekltd.com>
On Wed, 2013-07-10 at 13:51 -0500, LC Bruzenak wrote:
> On 07/10/2013 01:16 PM, Eric Paris wrote:
> >> > This sounds dangerous. Why would we want to allow this?
> > Immutability was first introduced in kernel 3.3. It wasn't enabled in
> > the kernel config for Fedora until some time much later. It is not
> > present in any enterprise distro that I know of.
> >
> > Before systemd immutability was not possible. If an admin logged in and
> > restarted the sshd daemon the daemon would be running as the admin's
> > loginuid. When a new user tried to log in via ssh it would need to
> > change the loginuid from the admin loginuid to their new loginuid. We
> > had to give sshd CAP_AUDIT_CONTROL in order to switch the loginuid.
> > (ALL loginuid changes required CAP_AUDIT_CONTROL)
> >
> > When systemd came out I added immutability. Since restarting sshd in a
> > systemd world is done by init, which has no loginuid, and thus the new
> > sshd would have no loginuid. Thus a user logging in would be able to
> > set a new loginuid without any permissions.
> >
> > We learned that admins, for various reasons, really do want to be able
> > to launch daemons by hand and not via init/systemd. In particular, we
> > know of many people who launch containers by hand which allows some form
> > of login (usually sshd). With the current loginuid immutable code those
> > people are UNABLE to log in inside the container.
> >
> > This patch series allows a privileged task (one with CAP_AUDIT_CONTROL)
> > the ability to unset their own loginuid. I allows behavior similar to
> > the pre 3.3 kernels. Big different being that the privilege is needed
> > in a helper to UNSET the loginuid, not in the network facing daemon
> > (ssh) to SET the loginuid. The series also allows the 'unsetting'
> > feature to be disabled and locked so it cannot ever be enabled.
>
> Thank you for these details; I really appreciate it.
>
> As far as restarting daemons - I guess in theory this obviates the
> "run_init" command?
> Or only the uid part of the context?
Correct. "systemctl start httpd.service" or "service httpd
start" (which just maps to the systemctl command) no longer need
run_init to deal with the SELinux context of init vs sysadm/unconfined.
> And by breaking apart the unsetting (privileged helper) with the setting
> (daemon itself) this is more securely accomplished?
I believe so. In the RHEL6 way of handling loginuid, we would have to
give CAP_AUDIT_CONTROL inside the container, since sshd inside the
container would need it to allow users to log in (mind you RHEL6 doesn't
have containers, but still)
In this way the helper which creates the container could be given the
priv and CAP_AUDIT_CONTROL would never be granted inside the container
at all. I believe it's a better design any time network facing daemons
have less privilege.
> Chewing on this a bit...regardless, thanks again for the details; it
> helps tremendously.
next prev parent reply other threads:[~2013-07-10 19:09 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-05-24 16:11 [PATCH 1/7] audit: implement generic feature setting and retrieving Eric Paris
2013-05-24 16:11 ` [PATCH 2/7] selinux: apply selinux checks on new audit message types Eric Paris
2013-05-24 16:11 ` [PATCH 3/7] audit: loginuid functions coding style Eric Paris
2013-05-24 16:11 ` [PATCH 4/7] audit: remove CONFIG_AUDIT_LOGINUID_IMMUTABLE Eric Paris
2013-05-24 16:11 ` [PATCH 5/7] audit: allow unsetting the loginuid (with priv) Eric Paris
2013-05-24 16:11 ` [PATCH 6/7] audit: audit feature to only allow unsetting the loginuid Eric Paris
2013-05-24 16:11 ` [PATCH 7/7] audit: audit feature to set loginuid immutable Eric Paris
2013-07-08 20:34 ` Steve Grubb
2013-07-08 20:51 ` Eric Paris
2013-07-08 21:26 ` Steve Grubb
2013-07-08 21:32 ` Eric Paris
2013-07-09 22:24 ` Steve Grubb
2013-07-09 23:51 ` LC Bruzenak
2013-07-10 13:46 ` Steve Grubb
2013-07-10 14:32 ` LC Bruzenak
2013-07-10 18:16 ` Eric Paris
2013-07-10 18:51 ` LC Bruzenak
2013-07-10 19:02 ` LC Bruzenak
2013-07-10 19:09 ` Eric Paris [this message]
2013-05-24 16:28 ` [PATCH 1/7] audit: implement generic feature setting and retrieving Eric Paris
2013-05-24 20:41 ` William Roberts
2013-05-24 20:56 ` William Roberts
2013-05-30 17:20 ` Richard Guy Briggs
2013-07-08 20:28 ` Steve Grubb
2013-07-08 21:55 ` Eric Paris
2013-07-09 1:18 ` William Roberts
2013-07-09 18:30 ` Steve Grubb
2013-07-09 20:59 ` Eric Paris
2013-07-09 22:08 ` Steve Grubb
2013-11-02 7:26 ` Richard Guy Briggs
2013-11-02 14:44 ` Eric Paris
2014-08-22 21:58 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1373483352.31358.14.camel@dhcp137-13.rdu.redhat.com \
--to=eparis@redhat.com \
--cc=lenny@magitekltd.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.