Re: AUTH problems

From: ao@morpork.shnet.org (A. Ott)
Subject: Re: AUTH problems
Date: 09 Mar 2000 11:59:00 +0100

Next Article (by Date): Errorcodes.htm ao@morpork.shnet.org (A. Ott)
Previous Article (by Date): AUTH problems Shaun Savage
Top of Thread: AUTH problems Shaun Savage
Articles sorted by: [Date] [Author] [Subject] 

********* ***************** ********** ****  *****   ***** ************
  To subject AUTH problems
  savages@igel.de (Shaun Savage)  wrote:
********** ******************** ******  ********  ******* *************

> I have adjusted the auth on login but I stll get this MAC error
> I get set Auth_may_setuid = 1 for login
>
> Is there any place that explains each setting for a file in idots term
> for me.
> Or a place where the error are list and possiable causes

Sorry, only some old syscall man pages in Documentation/rsbac/man.

> Mar  8 12:20:05 ganja kernel: VFS: Mounted root (ext2 filesystem) readonly.
> Mar  8 12:20:05 ganja kernel: rsbac_init(): Initializing RSBAC v1.0.9b-pre3
> Mar  8 12:20:05 ganja kernel: rsbac_init(): compiled modules: MAC FC SIM PM
> MS FF RC AUTH REG ACL Mar  8 12:20:05 ganja kernel: rsbac_init(): Dev ACI
> could not be read! Mar  8 12:20:05 ganja kernel: rsbac_init(): Registering
> RSBAC proc dir Mar  8 12:20:05 ganja kernel: rsbac_init_pm(): Initializing
> RSBAC: PM subsystem Mar  8 12:20:05 ganja kernel: rsbac_init_pm(): task set
> data could not be read! Mar  8 12:20:05 ganja kernel: rsbac_init_pm(): tp
> set data could not be read! Mar  8 12:20:05 ganja kernel: rsbac_init_pm():
> ru set data could not be read! Mar  8 12:20:05 ganja kernel:
> rsbac_init_pm(): pp set data could not be read! Mar  8 12:20:05 ganja
> kernel: rsbac_init_pm(): task data could not be read! Mar  8 12:20:05 ganja
> kernel: rsbac_init_pm(): class data could not be read! Mar  8 12:20:05 ganja
> kernel: rsbac_init_pm(): necessary accesses data could not be read! Mar  8
> 12:20:05 ganja kernel: rsbac_init_pm(): consent data could not be read! Mar
> 8 12:20:05 ganja kernel: rsbac_init_pm(): tp data could not be read! Mar  8
> 12:20:05 ganja kernel: rsbac_init_pm(): purpose data could not be read! Mar
> 8 12:20:05 ganja kernel: rsbac_init_pm(): ticket data could not be read! Mar
>  8 12:20:05 ganja kernel: rsbac_init_rc(): Initializing RSBAC: RC subsystem
> Mar  8 12:20:05 ganja kernel: rsbac_init_rc(): roles could not be
> sufficiently read, error RSBAC_ENOTFOUND, default role entries might be
> used! Mar  8 12:20:05 ganja kernel: rsbac_init_rc(): types could not be
> sufficiently read, error RSBAC_ENOTFOUND, default type entries might be
> used! Mar  8 12:20:05 ganja kernel: rsbac_init_auth(): Initializing RSBAC:
> AUTH subsystem Mar  8 12:20:05 ganja kernel: rsbac_init_acl(): Initializing
> RSBAC: ACL subsystem Mar  8 12:20:05 ganja kernel: rsbac_init_acl():
> File/Dir ACLs not fully read from dev 03:02, err RSBAC_ENOTFOUND! Mar  8
> 12:20:05 ganja kernel: rsbac_init_acl(): File/Dir default ACL not fully read
> from dev 03:02, err RSBAC_ENOTFOUND, generating standard ACL! Mar  8
> 12:20:05 ganja kernel: rsbac_init_acl(): IPC default ACL not fully read from
> dev 03:02, err RSBAC_ENOTFOUND, generating standard ACL! Mar  8 12:20:05
> ganja kernel: rsbac_init_acl(): SCD ACLs not fully read from dev 03:02, err
> RSBAC_ENOTFOUND, adding standard entries! Mar  8 12:20:05 ganja kernel:
> rsbac_init_acl(): SCD default ACL not fully read from dev 03:02, err
> RSBAC_ENOTFOUND, generating standard ACL! Mar  8 12:20:05 ganja kernel:
> rsbac_init_acl(): Process default ACL not fully read from dev 03:02, err
> RSBAC_ENOTFOUND, generating standard ACL! Mar  8 12:20:05 ganja kernel:
> rsbac_init_acl(): Group membership list not fully read from dev 03:02, err
> RSBAC_ENOTFOUND! Mar  8 12:20:05 ganja kernel: rsbac_init_debug(): adf log
> levels could not be read, using default value 1 Mar  8 12:20:05 ganja
> kernel: rsbac_reg_init(): Initializing RSBAC: REG module registration Mar  8
> 12:20:05 ganja kernel: rsbac_init(): Starting rsbacd thread Mar  8 12:20:05
> ganja kernel: rsbac_init(): Setting RSBAC auto timer Mar  8 12:20:05 ganja
> kernel: rsbac_init(): Ready.

All fine so far.

> Mar  8 12:20:05 ganja kernel: lookup_aci_path_dentry(): device 00:01 root
> dir is invalid!

This is OK, it's a timing thing and harmless. I'd have to slow down mounts  
significantly to avoid it.

> Mar  8 12:20:05 ganja kernel: rsbac_adf_request(): request CHANGE_OWNER,
> caller_pid 369, caller_prog_name identd, caller_uid 0, target-type PROCESS,
> tid 369, attr owner, value 99, result NOT_GRANTED by AUTH

Set AUTH cap 99 for /usr/sbin/in.identd.

> Mar  8 12:20:05 ganja kernel: rsbac_adf_request(): request CHANGE_OWNER,
> caller_pid 387, caller_prog_name atd, caller_uid 0, target-type PROCESS, tid
> 387, attr owner, value 2, result NOT_GRANTED by AUTH

Similar for atd.

> Mar  8 12:20:05 ganja atd[387]: Cannot open /var/run/atd.pid: Permission
> denied

Related.

> Mar  8 12:20:07 ganja inetd[419]: auth/tcp: bind: Address already in use
>
> Mar  8 12:20:07 ganja inetd[419]: extra conf for service linuxconf/tcp
> (skipped) Mar  8 12:20:07 ganja inetd[419]: extra conf for service
> linuxconf/tcp (skipped)

> Mar  8 12:20:10 ganja kernel: rsbac_adf_request():
> request CHANGE_OWNER, caller_pid 497, caller_prog_name httpd, caller_uid 0,
> target-type PROCESS, tid 497, attr owner, value 99, result NOT_GRANTED by
> AUTH

This is all the same for httpd.

AUTH documentation states that *all* setuid is prohibited, unless the  
program/process
- has auth_may_setuid set or
- has an AUTH capability for the target uid

> Mar  8 12:20:12 ganja kernel: rsbac_adf_request(): request
> CHANGE_OWNER, caller_pid 511, caller_prog_name mysqld, caller_uid 0,
> target-type PROCESS, tid 511, attr owner, value 101, result NOT_GRANTED by
> AUTH

Again, for mysql. Set an AUTH cap on mysql executable file for uid 101.

> Mar  8 12:20:32 ganja PAM_pwdb[587]: (login) session opened for user root by
> LOGIN(uid=0) Mar  8 12:20:51 ganja PAM_pwdb[588]: (login) session opened for
> user savages by LOGIN(uid=0) Mar  8 12:20:51 ganja kernel:
> rsbac_adf_request(): request CHANGE_OWNER, caller_pid 684, caller_prog_name
> login, caller_uid 0, target-type PROCESS, tid 684, attr owner, value 500,
> result NOT_GRANTED by MAC Mar  8 12:20:51 ganja PAM_pwdb[588]: (login)
> session closed for user savages

The MAC decision says, setuid must never go upwards. What seclevels do  
root and savages have?

Amon.

--
Please remove second ao for E-Mail reply - no spam please!
## CrossPoint v3.11 ##
-
To unsubscribe from the rsbac list, send a mail to
majordomo@morpork.shnet.org with
unsubscribe rsbac
as single line in the body.

Next Article (by Date): Errorcodes.htm ao@morpork.shnet.org (A. Ott)
Previous Article (by Date): AUTH problems Shaun Savage
Top of Thread: AUTH problems Shaun Savage
Articles sorted by: [Date] [Author] [Subject]

Go to Compuniverse LWGate Home Page.