some questions (Re: mac-0.5.diff)

Robert Watson rwatson at FreeBSD.org
Thu Sep 27 19:41:47 GMT 2001


On Thu, 27 Sep 2001, richard offer wrote:

> * I'd like
> * for the database to be able to express concepts such as allowing the user
> * to select a role at login, so some look at prior art is probably also
> * called for there.  
> 
> You can do this in a PAM module without changing login. I hacked
> together a quick prototype for some MAC work we were doing on Linux, so
> it is possible. 

One problem I've run into with my current prototype is the following: sshd
currently runs with high integrity during the authentication phase--the
OpenSSH sshd daemon uses a temporarily_swap_uid() call that actually does
a fairly good job of modifying the effective credentials to that of the
user prior to reading .ssh/authorized_keys.  Unfortunately, it doesn't
know about MAC, so if the user has a lower integrity label on their home
directory then sshd cannot read the key file.  So right now, I can
authenticate to my test boxes with MAC using SSH only when using
passwords, not keys.  Similarly, our login has some problems when it
comes to testing the existence of a home directory--there's an old
hack in there that changes to the user's effective credentials to
test that their home directory is valid (it can't do it as root, as
root may not have privilege for NFS home directories)--this is done
prior to the final setup of credentials, so PAM is not used.  Or, in
other cases, this is part of a PAM login check, so PAM can't be
invoked to manage the credentials.

There are a number of areas where problems exist of this sort--in some
cases it has to do with incomplete transition to the user MAC label that
is appropriate, in others it has to do with poor use of privilege. 

Likewise, there are a lot of places where PAM isn't used in FreeBSD for
managing the user credentials--for example, sendmail doesn't use PAM to
set up the mail delivery environment.  It may be that the "right" fix is
to make these places use PAM, and to make sure PAM is used properly.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org      NAI Labs, Safeport Network Services


