gradm

Robert Connolly robert at linuxfromscratch.org
Sun Nov 2 21:08:48 PST 2008


When trying to load gradm on boot, as early as possible, I'm running into 
problems.

The mountfs boot script doesn't mount / read-write until after kernfs, udev, 
swap, and checkfs. Gradm learning can't save it's log until filesystems are 
mounted writable, and gradm doesn't work without /dev/grsec.

So I think /dev/grsec should become an essential device, created before udev 
is loaded, so gradm can be enabled as soon as possible. I 
think /etc/rc.d/init.d/grsec should be the first boot script, and if 
necessary mount a writable tmpfs for the learning log, maybe under /root.

In particular I want acl rules for /sbin/agetty and /bin/login.

It looks like /bin/login is what needs capabilities. I'm thinking to 
make /bin/login executable only by the 'login' group, which agetty and sshd 
users are a part of, and give /bin/login CAP_CHOWN, CAP_FOWNER, CAP_FSETID, 
CAP_SETGID, and CAP_SETUID, so agetty and sshd users can drop root, except 
that normal users also use /bin/login. Filesystem Posix capabilities markings 
do not distinguish, yet, between owner, group, and other permissions. 

Perhaps /bin/login needs to be copied to /bin/login.caps, to deal with suid 
logins. We have exactly the same problem with /bin/dd feeding 
klogd... /bin/dd has sys_cap_admin capabilities.

Gradm acl's can enforce these rules, but I also want userland (libcap and file 
system permissions) to only give permissions as needed, so that gradm acl's 
shouldn't need enforcement, and so logs of acl violations are kept to a 
minimum.

Libcap gives the program the guns, and gradm acl's strip searches the program 
to check that they only have the guns they are authorized to have. We need 
both... one can not be depended on to replace the other.

I'm curious if there is advice for me on how to generalize the issue 
with /bin/login and /bin/dd (for klogd), and loading gradm very early during 
boot.

robert
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://lists.linuxfromscratch.org/pipermail/hlfs-dev/attachments/20081103/9d136124/attachment.sig>


More information about the hlfs-dev mailing list