wiki:experiences:telmich
Differences

This shows you the differences between two versions of the page.

wiki:experiences:telmich [2005/12/31 12:56] 84.161.100.146
wiki:experiences:telmich [2006/05/02 13:40] (current) – external edit 127.0.0.1
Line 5: Line 5:
   * motivated developers   * motivated developers
   * small community (still)   * small community (still)
 +  * still unknown to many people out there
 +
 +====== TODO ======
 +
 +Things I want to achieve / do with RSBAC:
 +
 +  - Create a new user, who
 +    - may create, delete and modify other users (like a end user compatible user manager)
 +  - Understand and use PM (there is no "real" documentation!)
 +  - Create a new user, who can shutdown / reboot the system
 +  - use jails
 +  - use rsbac_mod for apache, as soon as vhosts are supported
 +  - test daemons, check whether they can run with rsbac
 +  - test cinit with RSBAC
  
 ====== common problems ====== ====== common problems ======
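Review bot: the first TODO item (a user who may create, delete and modify other users) is the same goal the 'creating a "user_manager"' section under Roles starts on, so link the two to keep the list and the section from drifting apart; the 'use rsbac_mod for apache, as soon as vhosts are supported' item should say what is waiting on vhost support (the RSBAC apache module or the site's vhost setup), since it reads ambiguously.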
Line 12: Line 26:
 When you enabled ssh (see below) you may be able to **directly** login as //you// or **root**, but using __su__ When you enabled ssh (see below) you may be able to **directly** login as //you// or **root**, but using __su__
 or __sudo__ may fail, because you are normally **not** allowed to setuid (to change) to another user. or __sudo__ may fail, because you are normally **not** allowed to setuid (to change) to another user.
 +
 +===== upgrading your system =====
 +
 +When you upgrade your system (especially ssh, login or pam) you may lose complete control
 +over your system. Like I did some seconds ago:
 +
 +  - I logged in as root
 +  - I typed "apt-get update && apt-get dist-upgrade"
 +  - I went away, shopping for the company
 +  - I came back and wanted to login as "rsbac_400"
 +  - The answer was "setuid: Operation not permitted"
 +
 +What happened?
 +  - The update saw that there are new packages and dist-upgrade installs them
 +  - The dist upgrade replaced ///bin/login//
 +  - The inode of /bin/login changed
 +  - The old settings for /bin/login vanished
 +  - I am not able to login anymore
 +  - sshd also got replaced, so the connection is reseted by the rsbac host
 +
 +**How to solve the problem**
 +  - I am right now trying it...
 +  - I rebooted the system
 +  - At the grub prompt I added //rsbac_auth_enable_login// as kernel parameter
 +  - Now I am able to login as rsbac_400 on the console (at least in theory it still boots)
 +  - And now I can restore the standard settings:
 +     - Allow /bin/login to setuid (use //rsbac_fd_menu /bin/login//)
 +     - Allow /usr/sbin/sshd to setuid to everybody (no role implemented for ssh yet)
  
 ====== HOWTO ====== ====== HOWTO ======
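Review bot: the 'What happened?' list should state the general rule behind this incident, not only the instance: RSBAC keeps file attributes (including the AUTH setuid capabilities on /bin/login and /usr/sbin/sshd) per inode, so any package upgrade that replaces those binaries silently drops their attributes and locks you out. Suggest a one-line caveat at the top of the section: before running `apt-get dist-upgrade`, note the AUTH settings of login, sshd and the pam/su binaries, keep a console session open, and reapply the settings right after the upgrade. In 'How to solve the problem', step 1 ('I am right now trying it...') is stale once the later steps exist and should be dropped, and 'Allow /usr/sbin/sshd to setuid to everybody' is broader than the login fix above it, so mark it as a temporary setting until the ssh role mentioned in the same line exists. Minor: 'reseted' should read 'reset'.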
Line 158: Line 200:
 ==== configuring apache (http server) ==== ==== configuring apache (http server) ====
 [[http://trusteddebian.org/Members/tsauter/rsbac-apache-rc.txt/view]] [[http://trusteddebian.org/Members/tsauter/rsbac-apache-rc.txt/view]]
 +
 +
  
 ==== configuring openvpn (vpn server) ==== ==== configuring openvpn (vpn server) ====
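Review bot: this hunk only adds two empty lines under the apache link and no content; drop the whitespace-only change.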
Line 356: Line 400:
  
 ==== creating a user/group administrator  ==== ==== creating a user/group administrator  ====
 +
 +===== dosinux.schottelius.org =====
 +
 +==== configuring apache2 (http server) ====
 +
 +  - Do apt-get install apache2 before
 +  - See what happens:<code>
 +dosinux# /usr/sbin/apache2
 +dosinux# dmesg 
 +0000001236|rsbac_adf_request(): request READ, pid 3517, ppid 2735, prog_name apache2,
 +prog_file /usr/sbin/apache2, uid 0, target_type GROUP, tid 33, attr none, value none, result
 +NOT_GRANTED by RC ACL
 +0000001237|rsbac_adf_request(): request READ, pid 3518, ppid 3517, prog_name apache2,
 +prog_file /usr/sbin/apache2, uid 0, target_type GROUP, tid 33, attr none, value none,
 +result NOT_GRANTED by RC ACL
 +0000001238|rsbac_adf_request(): request CHANGE_OWNER, pid 3519, ppid 3518, prog_name
 +apache2, prog_file /usr/sbin/apache2, uid 0, target_type PROCESS, tid 3519, attr owner,
 +value 33, result NOT_GRANTED by AUTH
 +0000001239|rsbac_adf_request(): request CHANGE_OWNER, pid 3520, ppid 3518, prog_name
 +apache2, prog_file /usr/sbin/apache2, uid 0, target_type PROCESS, tid 3520, attr owner,
 +value 33, result NOT_GRANTED by AUTH
 +0000001240|rsbac_adf_request(): request CHANGE_OWNER, pid 3521, ppid 3518, prog_name
 +apache2, prog_file /usr/sbin/apache2, uid 0, target_type PROCESS, tid 3521, attr owner,
 +value 33, result NOT_GRANTED by AUTH
 +0000001241|rsbac_adf_request(): request CHANGE_OWNER, pid 3522, ppid 3518, prog_name
 +apache2, prog_file /usr/sbin/apache2, uid 0, target_type PROCESS, tid 3522, attr owner,
 +value 33, result NOT_GRANTED by AUTH
 +0000001242|rsbac_adf_request(): request CHANGE_OWNER, pid 3523, ppid 3518, prog_name
 +apache2, prog_file /usr/sbin/apache2, uid 0, target_type PROCESS, tid 3523, attr owner,
 +value 33, result NOT_GRANTED by AUTH
 +</code>
 +  - Add the AUTH capability 33 (www-data), use rsbac_400 and rsbac_fd_menu /usr/sbin/apache2
 +  - TADA, it runs:<code>
 +dosinux# /usr/sbin/apache2 
 +dosinux# dmesg 
 +0000001243|rsbac_adf_request(): request READ, pid 3692, ppid 2718, prog_name apache2, prog_file /usr/sbin/apache2, uid 0, target_type GROUP, tid 33, attr none, value none, result NOT_GRANTED by RC ACL
 +0000001244|rsbac_adf_request(): request READ, pid 3693, ppid 3692, prog_name apache2, prog_file /usr/sbin/apache2, uid 0, target_type GROUP, tid 33, attr none, value none, result NOT_GRANTED by RC ACL
 +dosinux# ps axu | grep apache2
 +root      3693  0.8  0.9  16744  5436 ?        Ss   16:02   0:00 /usr/sbin/apache2
 +www-data  3694  0.0  0.9  16744  5456 ?        S    16:02   0:00 /usr/sbin/apache2
 +www-data  3695  0.0  0.9  16744  5456 ?        S    16:02   0:00 /usr/sbin/apache2
 +www-data  3696  0.0  0.9  16744  5456 ?        S    16:02   0:00 /usr/sbin/apache2
 +www-data  3697  0.0  0.9  16744  5456 ?        S    16:02   0:00 /usr/sbin/apache2
 +www-data  3698  0.0  0.9  16744  5456 ?        S    16:02   0:00 /usr/sbin/apache2
 +root      3701  0.0  0.0   1520   328 pts/0    R+   16:02   0:00 grep apache2
 +</code>
 +
 +===== Roles =====
 +
 +Roles should make life easier, currently they are just making my life more complicated. Let's see what we can do with them.
 +
 +==== creating a "user_manager" ====
 +
 +The first problem to solve with Roles is to create a user, which is able to
 +  - create
 +  - delete
 +  - and modify other users (like a end user compatible user manager)  
 +
 +
 +First of all, I create a user:
 +  - login as rsbac_400, do <code>rsbac_useradd -d /home/user/user_manager user_manager</code>
 +  - now do <code>rsbac_passwd -n user_manager</code>
 +  - login as root and do<code>
 +mkdir /home/user/user_manager
 +chown user_manager ~user_manager</code>
 +  - Now we successfully created a normal user.
 +  - TOBEDONE...
  
 ===== Backup ===== ===== Backup =====
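Review bot: the 'TADA, it runs' block still shows the same two `request READ ... target_type GROUP, tid 33 ... NOT_GRANTED by RC ACL` lines as the block before the fix, so the text should say whether that denial is harmless here (apache2 does start and its children run as www-data in the ps output) or whether an RC ACL entry granting READ on group 33 is still needed; as written, readers will chase a denial the step only half explains. The fix itself has the right scope: the AUTH capability is limited to uid 33 rather than to any uid, which matches the `CHANGE_OWNER ... attr owner, value 33` lines. Two smaller points: the first dmesg block is wrapped mid-line while the second is not, so wrap both or neither; and the 'creating a "user_manager"' section stops at 'TOBEDONE...' right after creating an ordinary user, so mark it as incomplete in the heading or fill in the role steps before it goes live.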
wiki/experiences/telmich.1136033762.txt.gz · Last modified: 2006/05/02 13:40 (external edit)
