This is an old revision of the document!


This is the modified cron init script:

 diff -u cron_org cron
 --- cron_org	2008-07-03 04:10:46.000000000 +0200
 +++ cron	2008-07-03 04:12:02.000000000 +0200
 @@ -23,7 +23,7 @@
 case "$1" in
 start)	log_daemon_msg "Starting periodic command scheduler" "crond"
 -        start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron --    $LSBNAMES
 +        run-jail cron start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas   /usr/sbin/cron -- $LSBNAMES
          log_end_msg $?
          ;;
 stop)	log_daemon_msg "Stopping periodic command scheduler" "crond"
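Review bot: on the `+` line in `start)`, `run-jail cron` wraps `start-stop-daemon` itself, so the `log_end_msg $?` that follows now reports the wrapper's exit status. Please confirm, or note in a comment, that `run-jail` passes through the status of the command it launches and returns non-zero when the jail cannot be set up; otherwise a failed start is logged as success. The extra run of spaces between `--startas` and `/usr/sbin/cron` on that line can also go.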
 @@ -32,7 +32,7 @@
          ;;
 restart) log_daemon_msg "Restarting periodic command scheduler" "crond" 
          start-stop-daemon --stop --retry 5 --quiet --pidfile /var/run/crond.pid --name cron
 -        start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron --   $LSBNAMES
 +        run-jail cron start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas   /usr/sbin/cron -- $LSBNAMES
          log_end_msg $?
          ;;
  reload|force-reload) log_daemon_msg "Reloading configuration files for periodic command scheduler" "crond"
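Review bot: the `+` line in `restart)` repeats the jailed start command from `start)` verbatim, so a later change to the jail name or wrapper has to be made in two places, and a missed one leaves one path starting cron differently from the other. Suggest moving the command into a single shell function called from both branches. The stop line just above it stays outside the jail; a one-line comment saying that this is intentional would help the next reader.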

 <6>0000001181|rsbac_adf_request(): request GET_STATUS_DATA, pid 4479, ppid 4473, prog_name df, prog_file /bin/df, uid 0, remote ip 192.168.1.5, target_type DEV, tid block 08:01, attr none, value none, result NOT_GRANTED by JAIL

The first thing to do is add the jail_flag 'allow-ipc-syslog':

 (allow-ipc-syslog)
 ()
 ()
 ()

All services that send data to syslog need this if syslogd is jailed too.

I stop the service with /etc/init.d/cron stop, then start it again and watch the other terminal.

 /etc/init.d/cron start
 Starting periodic command scheduler: crond
 This is execute now:
 rsbac_jail  -y start-stop-daemon  --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron --

 <6>0000001237|rsbac_adf_request(): request WRITE_OPEN, pid 4631, ppid 1, prog_name cron, prog_file /usr/sbin/cron, uid 0, remote ip 192.168.1.5, target_type DEV, tid char 01:03, attr open_flag, value 32834, result NOT_GRANTED by JAIL

Search for target_type and request:

 target_type DEV :: request WRITE_OPEN

The target_type DEV is handled by a jail_flag, and under jail_flags you see:

 "allow-dev-write": "-D"   (this is the closest match)

rsbac_jail says:

 -D = allow write access on devices

So I add this to the cron-jailfile:

 (allow-ipc-syslog 
  allow-dev-write)
 ()
 ()
 ()

Then stop and start crond again.

 /etc/init.d/cron start
 Starting periodic command scheduler: crond	
 This is execute now:
 rsbac_jail  -y -D start-stop-daemon  --start --quiet --pidfile /var/run/crond.pid --name cron --startas    /usr/sbin/cron --
 .

On the other terminal I see:

 <6>0000001239|rsbac_adf_request(): request READ_OPEN, pid 4653, ppid 1, prog_name cron, prog_file /usr/sbin/cron, uid 0, remote ip 192.168.1.5, target_type DEV, tid char 01:03, attr open_flag, value 32769, result NOT_GRANTED by JAIL

Again, search for target_type and request:

 target_type DEV :: request READ_OPEN

Now I add this:

 "allow-dev-read": "-d"   

rsbac_jail says:

 -d = allow read access on devices

So add this to the cron-jailfile:

 (allow-ipc-syslog 
  allow-dev-write
  allow-dev-read)
 ()
 ()
 ()

Then the same game again: stop and start crond.

 /etc/init.d/cron start
 Starting periodic command scheduler: crond	
 This is execute now:
 rsbac_jail  -y -D -d start-stop-daemon  --start --quiet --pidfile /var/run/crond.pid --name cron --startas    /usr/sbin/cron --

Nothing appears on the security user's terminal. So far OK.

But a cron job will run soon and access things that are not set up at the moment.

For this I speed up the clock (only virtually :-)) to the next cron jobs.

Now it is 6:25 am, the standard cron jobs are starting, and on the terminal I see this:

 <6>0000001241|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 4732, ppid 4716, prog_name cron, prog_file /usr/sbin/cron, uid 0, remote ip 192.168.1.5, target_type SCD, tid rlimit, attr none, value none, result NOT_GRANTED by JAIL

As always, search for target_type:

 target_type SCD :: request MODIFY_SYSTEM_DATA :: tid rlimit

The target_type has changed to SCD, so now I have to use the scd_flags.

The request is MODIFY_SYSTEM_DATA, which means category four (), and rlimit is needed.

MODIFY_SYSTEM_DATA and GET_SYSTEM_DATA use the same scd_flags; only the categories differ. If GET_SYSTEM_DATA is requested, rsbac_jail needs -G; for MODIFY_SYSTEM_DATA it needs -M.

I now add rlimit to category four of the cron-jailfile:

 (allow-ipc-syslog
  allow-dev-write
  allow-dev-read)
 ()
 ()
 (rlimit)

 <6>0000001269|rsbac_adf_request(): request GET_STATUS_DATA, pid 4813, ppid 4807, prog_name df, prog_file /bin/df, uid 0, remote ip 192.168.1.5, target_type DEV, tid block 08:01, attr none, value none, result NOT_GRANTED by JAIL

Search for target_type:

  target_type DEV :: request GET_STATUS_DATA (tid not important in this case)

rsbac_jail says:

 -e = allow GET_STATUS_DATA on devices,

This is a jail_flag, so I add 'allow-dev-get-status' to the first category:

 (allow-ipc-syslog
  allow-dev-write
  allow-dev-read 
  allow-dev-get-status)
 ()
 ()
 (rlimit)

 <6>0000001300|rsbac_adf_request(): request SEND_SIGNAL, pid 4831, ppid 4830, prog_name syslogd, prog_file /sbin/syslogd, uid 0, remote ip 192.168.1.5, target_type PROCESS, tid 4384, attr none, value none, result NOT_GRANTED by JAIL

This is never allowed in the jail.

 <7>0000001301|rsbac_adf_request_jail(): process jail 57 does not match IPC object jail 56 -> NOT_GRANTED!
 <6>0000001302|rsbac_adf_request(): request WRITE, pid 4831, ppid 4830, prog_name syslogd, prog_file /sbin/syslogd, uid 0, remote ip 192.168.1.5, target_type IPC, tid AnonPipe-ID 10243, attr none, value none, result NOT_GRANTED by JAIL

This again has a jail_flag; here 'allow-external-ipc' is needed:

 (allow-ipc-syslog
  allow-dev-write
  allow-dev-read 
  allow-dev-get-status
  allow-external-ipc)
 ()
 ()
 (rlimit)

Now I restart cron.

 /etc/init.d/cron restart
 Restarting periodic command scheduler: crond	
 This is execute now:
 rsbac_jail  -y -D -d -e -i -M  rlimit start-stop-daemon  --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron --
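
The loop this page repeats by hand (read the denial, pick out target_type, request and tid, choose the jail file entry), written out as an added Python example; it is not part of the original wiki page or of RSBAC. The table covers only the cases shown above, the `-i` switch for allow-external-ipc is read off the page's final command line, and the sample log lines are constructed in the page's format.

```python
import re

# (target_type, request) -> (jail_flag, rsbac_jail switch); only the cases worked through on this page.
JAIL_FLAGS = {
    ("DEV", "WRITE_OPEN"): ("allow-dev-write", "-D"),
    ("DEV", "READ_OPEN"): ("allow-dev-read", "-d"),
    ("DEV", "GET_STATUS_DATA"): ("allow-dev-get-status", "-e"),
    ("IPC", "WRITE"): ("allow-external-ipc", "-i"),  # assumption: -i taken from the page's command line
}
SCD_SWITCH = {"MODIFY_SYSTEM_DATA": "-M", "GET_SYSTEM_DATA": "-G"}  # the tid names the scd_flag
DENIAL = re.compile(r"rsbac_adf_request\(\): (.*), result NOT_GRANTED by JAIL")

def parse_denial(line):
    """Split one JAIL denial into its 'key value' fields; None for any other line."""
    m = DENIAL.search(line)
    return {k: v for k, _, v in (p.partition(" ") for p in m.group(1).split(", "))} if m else None

def suggest(lines):
    """Return (jail_flags, scd_entries, unresolved) for the denials in lines, in first-seen order."""
    flags, scd, unresolved = [], [], []
    for f in filter(None, map(parse_denial, lines)):
        key = (f.get("target_type"), f.get("request"))
        bucket, entry = unresolved, key  # e.g. SEND_SIGNAL on PROCESS, never allowed in a jail per the page
        if key in JAIL_FLAGS:
            bucket, entry = flags, JAIL_FLAGS[key]
        elif key[0] == "SCD" and key[1] in SCD_SWITCH:
            bucket, entry = scd, (f.get("tid"), SCD_SWITCH[key[1]])
        if entry not in bucket:
            bucket.append(entry)
    return flags, scd, unresolved

def sample(request, prog, target_type, tid):
    """Build a constructed denial line in the page's log format (sequence number and pids are made up)."""
    return (f"<6>0000000001|rsbac_adf_request(): request {request}, pid 100, ppid 1, "
            f"prog_name {prog}, uid 0, remote ip 192.168.1.5, target_type {target_type}, "
            f"tid {tid}, attr none, value none, result NOT_GRANTED by JAIL")

SAMPLE = [
    sample("WRITE_OPEN", "cron", "DEV", "char 01:03"),
    sample("READ_OPEN", "cron", "DEV", "char 01:03"),
    sample("MODIFY_SYSTEM_DATA", "cron", "SCD", "rlimit"),
    sample("GET_STATUS_DATA", "df", "DEV", "block 08:01"),
    sample("SEND_SIGNAL", "syslogd", "PROCESS", "4384"),
    "<7>0000000002|rsbac_adf_request_jail(): process jail 57 does not match IPC object jail 56 -> NOT_GRANTED!",
    sample("WRITE", "syslogd", "IPC", "AnonPipe-ID 10243"),
]
if __name__ == "__main__":
    print(suggest(SAMPLE))
```

Anything returned in the third list has no entry in the table and needs a manual decision rather than a new flag.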
wiki/experiences/igraltist/jail_cron.1215837221.txt.gz · Last modified: 2008/07/12 06:33 by 127.0.0.1
