From mboxrd@z Thu Jan 1 00:00:00 1970 From: LC Bruzenak Subject: Re: [PATCH 7/7] audit: audit feature to set loginuid immutable Date: Wed, 10 Jul 2013 13:51:14 -0500 Message-ID: <51DDAD22.7010507@magitekltd.com> References: <1369411910-13777-1-git-send-email-eparis@redhat.com> <1453848.WlUzMfBVNC@x2> <51DCA20F.6020309@magitekltd.com> <1768498.01aSW39qOl@x2> <51DD7065.8080206@magitekltd.com> <1373480160.31358.1.camel@dhcp137-13.rdu.redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Received: from mx1.redhat.com (ext-mx15.extmail.prod.ext.phx2.redhat.com [10.5.110.20]) by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id r6AIpKn4029562 for ; Wed, 10 Jul 2013 14:51:20 -0400 Received: from mail-oa0-f47.google.com (mail-oa0-f47.google.com [209.85.219.47]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r6AIpJj6028863 for ; Wed, 10 Jul 2013 14:51:19 -0400 Received: by mail-oa0-f47.google.com with SMTP id m1so10226182oag.34 for ; Wed, 10 Jul 2013 11:51:19 -0700 (PDT) In-Reply-To: <1373480160.31358.1.camel@dhcp137-13.rdu.redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Eric Paris Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com On 07/10/2013 01:16 PM, Eric Paris wrote: >> > This sounds dangerous. Why would we want to allow this? > Immutability was first introduced in kernel 3.3. It wasn't enabled in > the kernel config for Fedora until some time much later. It is not > present in any enterprise distro that I know of. > > Before systemd immutability was not possible. If an admin logged in and > restarted the sshd daemon the daemon would be running as the admin's > loginuid. When a new user tried to log in via ssh it would need to > change the loginuid from the admin loginuid to their new loginuid. We > had to give sshd CAP_AUDIT_CONTROL in order to switch the loginuid. > (ALL loginuid changes required CAP_AUDIT_CONTROL) > > When systemd came out I added immutability. Since restarting sshd in a > systemd world is done by init, which has no loginuid, and thus the new > sshd would have no loginuid. Thus a user logging in would be able to > set a new loginuid without any permissions. > > We learned that admins, for various reasons, really do want to be able > to launch daemons by hand and not via init/systemd. In particular, we > know of many people who launch containers by hand which allows some form > of login (usually sshd). With the current loginuid immutable code those > people are UNABLE to log in inside the container. > > This patch series allows a privileged task (one with CAP_AUDIT_CONTROL) > the ability to unset their own loginuid. I allows behavior similar to > the pre 3.3 kernels. Big different being that the privilege is needed > in a helper to UNSET the loginuid, not in the network facing daemon > (ssh) to SET the loginuid. The series also allows the 'unsetting' > feature to be disabled and locked so it cannot ever be enabled. Thank you for these details; I really appreciate it. As far as restarting daemons - I guess in theory this obviates the "run_init" command? Or only the uid part of the context? And by breaking apart the unsetting (privileged helper) with the setting (daemon itself) this is more securely accomplished? Chewing on this a bit...regardless, thanks again for the details; it helps tremendously. LCB -- LC (Lenny) Bruzenak lenny@magitekltd.com