gradm

Robert Connolly robert at linuxfromscratch.org
Wed Nov 5 18:28:48 PST 2008


I'm still on the /bin/login problem.

agetty can run as an unprivileged user with simple write permission on some tty 
devices, but it needs to run /bin/login with setuid/setgid capabilities. I 
have only come up with two ideas, and I don't really like either of them.

The first idea is to copy, or hardlink, /bin/login 
to /sbin/login.caps. /sbin/login.caps has the posix capabilities, and agetty 
(and sshd, and any other login daemon) would need to be modified to use this 
login program instead of the one in /bin. /sbin/login.caps would only be 
executable by the 'login' group. I don't like this because every daemon that 
expects to be running as root would need to be modified, and this might be a 
lot of maintenance (for me), but this is minimal privileges and doesn't 
require grsecurity for enforcement.

Second idea is to give the capabilities to /sbin/agetty, and let /bin/login 
inherit them. This is more practical, but it means that agetty can run any 
program with the setuid/setgid capabilities... it's not minimal privilege, 
but this can be brought to minimal privilege with grsecurity ACLs.

The most elegant solution is to have filesystem group permissions on security 
attributes, and from what I read this doesn't exist in any operating system.

klogd's dd pipe of /proc/kmsg has a similar problem, but in this case I think 
it's best, and practical, to hard link /bin/dd to /sbin/klogd-dd, group 
executable, and continue running it like we already do, except with just the 
sys_admin capability. This could even run as a dedicated 'klogd-helper' 
user/group.

robert
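The two /bin/login layouts above stand or fall on how the kernel carries file capabilities across execve(). The following is an added model of that transition (the file-capability rules from capabilities(7), before ambient capabilities existed; it is not code from this post or from HLFS) used to check both ideas. It assumes an unprivileged (non-root) caller, a bounding set containing the three capabilities named in the thread, and constructed file names; the setcap flag strings in the comments follow setcap(8) syntax and are not executed here.

```python
"""Model of the Linux file-capability transition at execve(), per capabilities(7),
for a non-root process:

    P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & bset)
    P'(effective)   = P'(permitted) if F(effective) else {}
    P'(inheritable) = P(inheritable)          # file bits never change pI

Added example; all file names and sets below are constructed for the model."""
from dataclasses import dataclass

CAP_SETUID, CAP_SETGID, CAP_SYS_ADMIN = "cap_setuid", "cap_setgid", "cap_sys_admin"
BSET = frozenset({CAP_SETUID, CAP_SETGID, CAP_SYS_ADMIN})  # assumed bounding set
LOGIN_CAPS = frozenset({CAP_SETUID, CAP_SETGID})


@dataclass(frozen=True)
class FileCaps:
    """security.capability xattr of an executable (effective flag is all-or-nothing)."""
    permitted: frozenset = frozenset()
    inheritable: frozenset = frozenset()
    effective: bool = False


@dataclass
class ProcCaps:
    """Capability sets of a running (non-root) process."""
    permitted: frozenset = frozenset()
    effective: frozenset = frozenset()
    inheritable: frozenset = frozenset()

    def raise_inheritable(self, caps):
        # capset(2): without CAP_SETPCAP a process may only add to its inheritable
        # set capabilities that are already in its permitted set.
        caps = frozenset(caps)
        if not caps <= self.permitted:
            raise PermissionError("capset: inheritable must be a subset of permitted")
        self.inheritable |= caps
        return self


def execve(proc: ProcCaps, f: FileCaps) -> ProcCaps:
    """Capability sets of the new image after `proc` execs a file carrying `f`."""
    new_permitted = (proc.inheritable & f.inheritable) | (f.permitted & BSET)
    return ProcCaps(permitted=new_permitted,
                    effective=new_permitted if f.effective else frozenset(),
                    inheritable=proc.inheritable)


NO_CAPS = FileCaps()  # e.g. a shell with no security.capability xattr at all


def layout_one():
    """Idea 1: 'setcap cap_setuid,cap_setgid=ep /sbin/login.caps'; agetty has none.
    Returns the effective set each child ends up with."""
    login_caps = FileCaps(permitted=LOGIN_CAPS, effective=True)
    agetty = ProcCaps()  # unprivileged, empty inheritable set
    return {"login.caps": execve(agetty, login_caps).effective,
            "sh": execve(agetty, NO_CAPS).effective}


def layout_two(agetty_raises_inheritable: bool):
    """Idea 2: 'setcap cap_setuid,cap_setgid=ep /sbin/agetty' and
    'setcap cap_setuid,cap_setgid=ei /bin/login', so login has no permitted file
    caps of its own and can only pick the two up from agetty's inheritable set."""
    agetty_file = FileCaps(permitted=LOGIN_CAPS, effective=True)
    login_file = FileCaps(inheritable=LOGIN_CAPS, effective=True)
    agetty = execve(ProcCaps(), agetty_file)  # started by init with empty pI
    if agetty_raises_inheritable:
        # Only an explicit capset() inside agetty puts the caps into pI;
        # the file bits on /sbin/agetty alone never do.
        agetty.raise_inheritable(LOGIN_CAPS)
    return {"login": execve(agetty, login_file).effective,
            "sh": execve(agetty, NO_CAPS).effective}


if __name__ == "__main__":
    print("idea 1:", layout_one())
    print("idea 2, agetty unmodified:", layout_two(False))
    print("idea 2, agetty raises pI:", layout_two(True))
```

Two things the model makes visible: in the second layout a child with no file capabilities (the "sh" entry) gets nothing even though agetty holds cap_setuid and cap_setgid, because P'(permitted) only takes from pI what the child's own file inheritable set allows; and the inheritance path only opens if agetty itself calls capset() to move the capabilities into its inheritable set, which a stock agetty does not do.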