[Bug 240891] With MAC_BIBA (presumably MAC_MLS as well) sshd cannot set the login class properly
bugzilla-noreply at freebsd.org
Sat Sep 28 09:57:36 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240891
Bug ID: 240891
Summary: With MAC_BIBA (presumably MAC_MLS as well) sshd cannot
set the login class properly
Product: Base System
Version: 12.0-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: realkay at mailbox.org
I *think* this is the same as
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=177698 from several years
back.

With the following login class in /etc/login.conf:

    admin:\
            :label=biba/low(low-5):\
            :tc=default:

And with the user properly set to that login class (confirmed by grepping
/etc/master.passwd), after logging in over ssh:

    $ id -c && getpmac
    daemon
    biba/low(low-5),partition/0

(Note that the login class is set to *daemon* .. it seems to have failed
silently to set it and some default was applied)

Now if we go back to login.conf and change biba/low(low-5) to
biba/low(low-high):

    $ id -c && getpmac
    admin
    biba/low(low-high),partition/0

I am not entirely sure why this is happening, but the practical effect is
removing the ability to set login classes for SSH users that cannot reach
biba/high, which greatly defeats the purpose of employing MAC_BIBA to ensure
the system's integrity.
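
Added example, not part of the original report or of FreeBSD: a small check that compares the class and MAC label a user is configured for against what `id -c` and `getpmac` report in the session, so the silent fallback described above shows up as a finding. The `default` class entry, the user `alice` and its master.passwd record are constructed sample data; the session outputs are the ones quoted in the report.

```python
import re

# Constructed sample: the admin class from the report plus a minimal default class.
LOGIN_CONF = r"""default:\
	:umask=022:
admin:\
	:label=biba/low(low-5):\
	:tc=default:
"""
# Constructed master.passwd record; "alice" and its fields are hypothetical.
PASSWD_LINE = "alice:*:1001:1001:admin:0:0:Alice:/home/alice:/bin/sh"

def parse_login_conf(text):
    """Return {class: {capability: value}} for a login.conf-style file."""
    classes = {}
    for line in re.sub(r"\\\n\s*", "", text).splitlines():  # join continuations
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        names, *caps = line.strip().split(":")
        entry = {}
        for cap in filter(None, caps):
            key, _, value = cap.partition("=")
            entry.setdefault(key, value)   # first occurrence wins
        for name in names.split("|"):
            classes[name] = entry
    return classes

def lookup(classes, name, cap, seen=()):
    """Resolve a capability, following tc= references without looping."""
    entry = classes.get(name)
    if entry is None or name in seen:
        return None
    if cap in entry:
        return entry[cap]
    return lookup(classes, entry.get("tc"), cap, seen + (name,))

def check_session(login_conf, passwd_line, id_c, getpmac):
    """Compare the configured class and label with what the session reports."""
    want_class = passwd_line.split(":")[4]        # fifth field is the class
    findings = []
    if id_c.strip() != want_class:
        findings.append(f"class: configured {want_class!r}, session {id_c.strip()!r}")
    want_label = lookup(parse_login_conf(login_conf), want_class, "label")
    have = getpmac.strip().split(",")
    for element in (want_label or "").split(","):
        if element and element not in have:
            findings.append(f"label: {element!r} not in session label")
    return findings

if __name__ == "__main__":
    # Session outputs as quoted in the report for the low(low-5) case.
    print(check_session(LOGIN_CONF, PASSWD_LINE, "daemon", "biba/low(low-5),partition/0"))
```

For the low(low-5) case the label matches and only the class differs, which is why checking `getpmac` alone would not notice the problem.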