robert at linuxfromscratch.org
Sun Nov 2 21:08:48 PST 2008
When trying to load gradm on boot, as early as possible, I'm running into
The mountfs boot script doesn't mount / read-write until after kernfs, udev,
swap, and checkfs. Gradm learning can't save its log until filesystems are
mounted writable, and gradm doesn't work without /dev/grsec.
So I think /dev/grsec should become an essential device, created before udev
is loaded, so gradm can be enabled as soon as possible. I
think /etc/rc.d/init.d/grsec should be the first boot script, and if
necessary mount a writable tmpfs for the learning log, maybe under /root.
In particular I want ACL rules for /sbin/agetty and /bin/login.
It looks like /bin/login is what needs capabilities. I'm thinking of
making /bin/login executable only by the 'login' group, which agetty and sshd
users are a part of, and giving /bin/login CAP_CHOWN, CAP_FOWNER, CAP_FSETID,
CAP_SETGID, and CAP_SETUID, so agetty and sshd users can drop root, except
that normal users also use /bin/login. Filesystem POSIX capability markings
do not yet distinguish between owner, group, and other permissions.
Perhaps /bin/login needs to be copied to /bin/login.caps, to deal with suid
logins. We have exactly the same problem with /bin/dd feeding
klogd... /bin/dd has the CAP_SYS_ADMIN capability.
Gradm ACLs can enforce these rules, but I also want userland (libcap and file
system permissions) to only give permissions as needed, so that gradm ACLs
shouldn't need enforcement, and so logs of ACL violations are kept to a
Libcap gives the program the guns, and gradm ACLs strip-search the program
to check that it only has the guns it is authorized to have. We need
both... one cannot be depended on to replace the other.
I'm curious if there is advice for me on how to generalize the issue
with /bin/login and /bin/dd (for klogd), and loading gradm very early during
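An added example to go with the login/dd discussion above (it is not code from the original post, from gradm or from libcap). It does the "strip search" the post describes in userland: decode the Cap* masks a process reports in /proc/<pid>/status, compare them against the allow-list the post proposes for /bin/login (and CAP_SYS_ADMIN alone for the dd that feeds klogd), and report anything held beyond that. It also emits the text form setcap(8) takes for marking /bin/login.caps. Capability bit numbers are the Linux constants from <linux/capability.h> (only a subset is tabulated); the /proc status excerpts are constructed, not captured from a real box.

```python
"""Audit a process's capability sets against an allow-list (added example).

Not part of the original post, gradm or libcap.  Bit positions come from
<linux/capability.h>; unknown bits are reported as CAP_<n>.  The
/proc/<pid>/status samples below are constructed for illustration.
"""
import re

# Subset of <linux/capability.h>; enough for the cases discussed in the post.
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3, "CAP_FSETID": 4, "CAP_KILL": 5, "CAP_SETGID": 6,
    "CAP_SETUID": 7, "CAP_SETPCAP": 8, "CAP_NET_BIND_SERVICE": 10,
    "CAP_NET_ADMIN": 12, "CAP_NET_RAW": 13, "CAP_SYS_MODULE": 16,
    "CAP_SYS_RAWIO": 17, "CAP_SYS_CHROOT": 18, "CAP_SYS_PTRACE": 19,
    "CAP_SYS_ADMIN": 21, "CAP_MKNOD": 27, "CAP_SETFCAP": 31,
}
BIT_NAMES = {bit: name for name, bit in CAP_BITS.items()}

# Allow-lists from the post: what /bin/login should carry, and what the dd
# feeding klogd needs.
LOGIN_CAPS = ["CAP_CHOWN", "CAP_FOWNER", "CAP_FSETID", "CAP_SETGID", "CAP_SETUID"]
DD_CAPS = ["CAP_SYS_ADMIN"]

# Constructed /proc/<pid>/status excerpts (hex masks as the kernel prints them).
SAMPLE_LOGIN_STATUS = (
    "Name:\tlogin\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000000000d9\n"   # bits 0,3,4,6,7 = exactly LOGIN_CAPS
    "CapEff:\t00000000000000d9\n"
)
SAMPLE_DD_STATUS = (
    "Name:\tdd\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000200000\n"   # bit 21 = CAP_SYS_ADMIN only
    "CapEff:\t0000000000200000\n"
)


def names_to_mask(names):
    """Capability names -> the bitmask used by /proc and by libcap internally."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_BITS[name]
    return mask


def mask_to_names(mask):
    """Decode a bitmask into names, lowest bit first; untabulated bits -> CAP_<n>."""
    return [BIT_NAMES.get(b, "CAP_%d" % b)
            for b in range(mask.bit_length()) if mask >> b & 1]


def setcap_text(names):
    """Text form accepted by setcap(8) for a permitted+effective file capability set."""
    return ",".join(n.lower() for n in names) + "=ep"


def parse_proc_status(text):
    """Extract every Cap*: <hex> field from a /proc/<pid>/status dump."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"^(Cap\w+):\s+([0-9a-fA-F]+)\s*$", text, re.M)}


def excess(mask, allowed):
    """Capabilities present in mask that the allow-list does not grant."""
    return mask_to_names(mask & ~names_to_mask(allowed))


def audit(status_text, allowed, sets=("CapPrm", "CapEff")):
    """Strip-search one process: per set, what it holds beyond the allow-list."""
    caps = parse_proc_status(status_text)
    return {s: excess(caps.get(s, 0), allowed) for s in sets}


if __name__ == "__main__":
    print("setcap", setcap_text(LOGIN_CAPS), "/bin/login.caps")
    print("login vs LOGIN_CAPS:", audit(SAMPLE_LOGIN_STATUS, LOGIN_CAPS))
    print("dd    vs LOGIN_CAPS:", audit(SAMPLE_DD_STATUS, LOGIN_CAPS))
    print("dd    vs DD_CAPS:   ", audit(SAMPLE_DD_STATUS, DD_CAPS))
```

On a live system the same audit() call would be fed open("/proc/%d/status" % pid).read(); a process whose CapPrm or CapEff decodes to anything outside its allow-list is one whose file-capability marking (or the gradm subject covering it) is wider than intended.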