Mailing List Archive

su and newrole do not work from normal user account
Hello,

I performed a stage1 install from the hardened gentoo CD. Installation works fine and without problems.

But with the loaded policy it is not possible to do newrole -r or su - from a normal user account.


sysop@access sysop $ newrole -r sysadm_r
Authenticating sysop.
Password:
newrole: incorrect password for sysop

sysop@access sysop $ su -
Password:
su: Authentication failure
Sorry.

Is this the normal behavior of the policy or have I done something wrong?

How can I change this behavior if all is right?

I have tried a different default_contexts file, but the behavior did not change.

I am used to disabling root access in sshd so that I have to log in as a normal user and su to root for administration.

Some settings:

access policy # uname -a
Linux access 2.6.5-hardened-r5 #3 SMP Thu Jun 24 14:33:31 CEST 2004 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux

users:

# seuser
# This file created automatically by seuser on Thu Jul 29 14:52:17 2004

#
# user file

user system_u roles { system_r } ;
user user_u roles { user_r } ;
user root roles { sysadm_r staff_r } ;
user sysop roles { sysadm_r staff_r } ;
user sudevel roles { staff_r user_r } ;
user test roles { user_r staff_r } ;
user operator roles { user_r staff_r };

default_contexts:

system_r:sulogin_t sysadm_r:sysadm_t
system_r:local_login_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
system_r:remote_login_t user_r:user_t staff_r:staff_t
system_r:sshd_t user_r:user_t staff_r:staff_t
system_r:crond_t user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t mai$
system_r:xdm_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
staff_r:staff_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
sysadm_r:sysadm_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
user_r:user_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
sysadm_r:sudo_t sysadm_r:sysadm_t
staff_r:sudo_t sysadm_r:sysadm_t staff_r:staff_t
user_r:sudo_t sysadm_r:sysadm_t user_r:user_t


sestatus -v:

access security # sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Policy version: 17

Policy booleans:
user_ping inactive

Process contexts:
Current context: root:sysadm_r:sysadm_t
Init context: system_u:system_r:init_t
/sbin/agetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:sshd_t

File contexts:
Controlling term: root:object_r:sysadm_devpts_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/bash system_u:object_r:shell_exec_t
/bin/login system_u:object_r:login_exec_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/sbin/init system_u:object_r:init_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t


Thank you for any help.



Mit freundlichen Grüßen

Peter Büttner


-------------------------------------------------
Personal WLAN GmbH http://www.personalwlan.de
Große Elbstraße 145a
22767 Hamburg

Tel.: 040/888855-25
Fax : 040/888855-55
Mail: pb@personalwlan.de
-------------------------------------------------
--
gentoo-hardened@gentoo.org mailing list
RE: su and newrole do not work from normal user account
> -----Original Message-----
> From: Peter Buettner [mailto:pb@personalwlan.de]
> Sent: Thursday, September 09, 2004 9:43 AM
> To: gentoo-hardened@lists.gentoo.org
> Subject: [gentoo-hardened] su and newrole do not work from normal user
> account
>
>
> Hello,
>
> I performed a stage1 install from the hardened gentoo CD.
> Installation works fine and without problems.
>
> But with the loaded policy it is not possible to do newrole -r or
> su - from normal user account.
>

I believe you would need to allow the role transition. See staff.te. The
default policy seems to only allow role transitions between staff and
sysadm. Rather than allowing a role transition to/from the unprivileged
user_r, it would be more secure to instead grant additional privileges to an
individual user, or create a new role with privileges applicable for a group
of users. See staff.te for ideas on this.

Richard.


Re: su and newrole do not work from normal user account
Richard Simpson wrote:

> I believe you would need to allow the role transition. See staff.te. The
> default policy seems to only allow role transitions between staff and
> sysadm. Rather than allowing a role transition to/from the unprivileged
> user_r, it would be more secure to instead grant additional privileges to an
> individual user, or create a new role with privileges applicable for a group
> of users. See staff.te for ideas on this.
>
> Richard.

Role transition is not used anywhere in the Gentoo base policy and we do
not recommend its use unless you have very specific security goals that
it can address. You are referring to role allows, and you are right:
user_r does not have the ability to change roles to sysadm_r. Only
staff_r can do this.

This is a specific design decision: you do not want your administrators
to be user_r and have a user_home_dir_t home directory; you need to
segment them from unprivileged users to keep their files, processes, etc.
separate. The best example of why this is good: if a sysadmin logs in
with user_r, his ssh agent would be user_tmp_t. This is obviously a bad
thing; if he logs in as staff_t, then his ssh agent is staff_tmp_t, which
wouldn't be accessible at all by unprivileged users, even if they could
bypass DAC.

Joshua Brindle

Re: su and newrole do not work from normal user account
Hi Peter,

>Hello,
>
>I performed a stage1 install from the hardened gentoo CD. Installation works fine and without problems.
>
>But with the loaded policy it is not possible to do newrole -r or su - from normal user account.
>
I see that you added some users to the users file. Did you then compile
the new policy and load it?
And are sysop and the other added users Linux users too, i.e. do they
have entries in the /etc/passwd and /etc/shadow files?

regards,
nixnut

Re: su and newrole do not work from normal user account
In the future please try to remember to prefix selinux threads with the
subject line of (selinux) or the likes. The hardened project has many
sub-projects and our development time is a precious thing.

The same would and should apply for the (grsec) & (rsbac) users.

thanks in advance.

On Thu, 2004-09-09 at 11:43, Peter Buettner wrote:
> Hello,
>
> I performed a stage1 install from the hardened gentoo CD. Installation works fine and without problems.
>
> But with the loaded policy it is not possible to do newrole -r or su - from normal user account.
--
Ned Ludd <solar@gentoo.org>
Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer
Re: su and newrole do not work from normal user account
On Thu, 09 Sep 2004 12:28:23 -0400
Joshua Brindle <method@gentoo.org> wrote:

> Role transition is not used anywhere in the Gentoo base policy and we do
> not recommend it's use unless you have very specific security goals that
> it can address, you are refering to role allows, and you are right,
> user_r does not have the ability to change roles to sysadm_r. Only
> staff_r can do this.

My problem is that staff_r can't do so.

Last login: Fri Sep 10 13:59:22 2004 from thor.personalwlan.de
sysop@access sysop $ id
uid=1000(sysop) gid=100(users) groups=10(wheel),100(users) context=sysop:staff_r:staff_t

sysop@access sysop $ su -
Password:
su: Authentication failure
Sorry.

sysop@access sysop $ newrole -r sysadm_r
Authenticating sysop.
Password:
newrole: incorrect password for sysop

Peter Büttner

> This is a specific design decision, you do not want your administrators
> to be user_r and have a user_home_dir_t home directory, you need to
> segment them from unprivileged users to keep their files, processes, etc
> seperate. The best example of why this is good is, for example, if a
> sysadmin logs in with user_r his ssh agent would be user_tmp_t. This is
> obviously a bad thing, if he logs in as staff_t then his ssh agent is
> staff_tmp_t which wouldn't be accessible at all by unprivileged users,
> even if they could bypass DAC.
>
> Joshua Brindle
Re: su and newrole do not work from normal user account
Hello nixnut,

for some reason I didn't get your posting from the list, so I got it from the archive.


>Hi Peter,

>>Hello,
>>
>>I performed a stage1 install from the hardened gentoo CD. Installation works fine and without problems.
>>
>>But with the loaded policy it is not possible to do newrole -r or su - from normal user account.
>>
>I see that you added some users to the users file. Did you then compile
>the new policy and load it?

Yes.

>And are sysop and the other added users Linux users too, i.e. do they
>have entries in the /etc/passwd and /etc/shadow files?

Yes, they have.

>regards,
>nixnut
Re: su and newrole do not work from normal user account
On Sat, 2004-09-11 at 07:59, Peter Buettner wrote:
> Last login: Fri Sep 10 13:59:22 2004 from thor.personalwlan.de
> sysop@access sysop $ id
> uid=1000(sysop) gid=100(users) groups=10(wheel),100(users) context=sysop:staff_r:staff_t
>
> sysop@access sysop $ su -
> Password:
> su: Authentication failure
> Sorry.
>
> sysop@access sysop $ newrole -r sysadm_r
> Authenticating sysop.
> Password:
> newrole: incorrect password for sysop

Two things. Only sysadm_r is allowed to su in the default Gentoo
policy. If you want others to su, you need to add su_domain(staff),
etc. In the above examples, you're in permissive since the user can
su. Therefore SELinux shouldn't be denying any of that stuff, so
I'm guessing it's a PAM problem.

--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
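Added example, not code from this thread or from the Gentoo policy: a small Python checker that reads the users declarations Peter posted and the kind of role allow rules Joshua and Chris describe, and reports why the policy would refuse a newrole from one role to another. The ROLE_ALLOWS text is an assumption standing in for the base policy (staff_r and sysadm_r may switch to each other, user_r may not); the users file is Peter's as posted.

```python
import re

# Constructed sample input: the 'users' declarations Peter posted, verbatim.
USERS_FILE = """
user system_u roles { system_r } ;
user user_u roles { user_r } ;
user root roles { sysadm_r staff_r } ;
user sysop roles { sysadm_r staff_r } ;
user sudevel roles { staff_r user_r } ;
user test roles { user_r staff_r } ;
user operator roles { user_r staff_r };
"""

# Assumed role allow rules standing in for the base policy Joshua describes:
# only staff_r and sysadm_r may switch to each other; user_r may not.
ROLE_ALLOWS = """
allow staff_r sysadm_r;
allow sysadm_r staff_r;
"""

def parse_users(text):
    """Map each SELinux user to its role set from 'user X roles { ... } ;' lines."""
    return {m.group(1): set(m.group(2).split())
            for m in re.finditer(r"user\s+(\w+)\s+roles\s*\{([^}]*)\}\s*;", text)}

def parse_role_allows(text):
    """Collect (from_role, to_role) pairs from 'allow FROM TO;' role statements."""
    return {(m.group(1), m.group(2))
            for m in re.finditer(r"allow\s+(\w+)\s+(\w+)\s*;", text)}

def newrole_check(user, cur_role, new_role, users, allows):
    """Decide whether `user` running as `cur_role` may newrole to `new_role`.
    The user's declared roles and a role allow rule must both permit it;
    the reason string names the first check that fails."""
    roles = users.get(user)
    if roles is None:
        return False, f"{user} is not declared in the policy users file"
    if cur_role not in roles or new_role not in roles:
        return False, f"{user} is not authorized for both {cur_role} and {new_role}"
    if (cur_role, new_role) not in allows:
        return False, f"no role allow rule {cur_role} -> {new_role}"
    return True, "allowed by the user's roles and a role allow rule"

if __name__ == "__main__":
    users, allows = parse_users(USERS_FILE), parse_role_allows(ROLE_ALLOWS)
    for who, cur, new in [("sysop", "staff_r", "sysadm_r"),
                          ("test", "user_r", "sysadm_r"),
                          ("operator", "user_r", "staff_r")]:
        print(who, cur, "->", new, newrole_check(who, cur, new, users, allows))
```

When the checker says a switch is allowed, as it does for sysop in staff_r, and the box is in permissive mode as Peter's sestatus shows, the policy is not what rejects su or newrole, which is why Chris points at PAM.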