From: Andrew Morgan (morgan transmeta.com)
Date: Fri Feb 16 2001 - 00:21:27 CST
Short answer:
http://www.kernel.org/pub/linux/libs/pam/pre/modules/pam_cap-0.1.tar.gz
Long answer:
Because of a kernel bug that got removed around 2.2.16, the above module
is pretty tricky to use. Basically, you need to raise the inheritable
set of init and lower the cap_bset within the init process before init
spawns any children.
The bug was that a non-privileged user could suppress the privilege of a
setuid-0 program it exec()ed and this led to unpredictable behavior -- a
sendmail exploit was the initial attack, but there were others.
If you want to use the POSIX capability implementation as nature
intended, you might like to check out this kernel patch - which should
work fine with the above module:
http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2-fcap/
Cheers
Andrew
Mathew A Johnston wrote:
>
> I was curious if there was a capabilities module which would allow me to
> set pam to give users logging in a particular set of capabilities. I read
> a bit of a capabilities overview document and it looks as if this could be
> done by giving the appropriate inheritable permissions to whatever process
> is spawning off the user's shell? (I'm new to this so I don't know exactly
> how it'd work).
>
> Also would it be possible to somehow set the capability set of services
> that start up? (apache, or bind, etc?) [I don't see how this fits in with
> authentication, anywhere else in pam though?]
>
> On an unrelated note, does anyone out there know if it's possible to log
> file access attempts? (open as read only, read write, delete) I would
> assume that this would come in the form of a kernel patch. I was thinking
> that one of the ext2 extended attributes could be set to +[some letter
> denoting audit] to enable auditing of accesses on a file? (I know this
> would be something to post to linux-kernel list, but, I figured I'd suggest
> it here first)
>
> Thanks,
> Mathew Johnston
>
> _______________________________________________
> Pam-list mailing list
> Pam-list redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list
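The following is an added illustration and is not part of either message above, nor code from pam_cap or libcap. It models the POSIX capability transition that Andrew's "long answer" relies on: at exec(), a process gains only the file's inheritable bits that it also holds in its own inheritable set, plus the file's permitted bits that survive the bounding set. The capability bit numbers (CAP_CHOWN = 0, CAP_NET_BIND_SERVICE = 10, CAP_SYS_ADMIN = 21) are the ones from <linux/capability.h>; the file-capability triples and the scenario values are constructed for this example. The Linux ambient set added much later is deliberately left out, and a 2.2-era kernel without the fcap patch behaves differently for setuid-0 binaries, as Andrew notes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Capability bit numbers as defined in <linux/capability.h>.
 * Only the three used in the scenarios are declared here. */
#define CAP_BIT(n)           ((uint32_t)1u << (n))
#define CAP_CHOWN            CAP_BIT(0)
#define CAP_NET_BIND_SERVICE CAP_BIT(10)
#define CAP_SYS_ADMIN        CAP_BIT(21)
#define CAP_ALL              0xFFFFFFFFu   /* all 32 bits of this toy mask */

/* Process capability sets (P) and file capability sets (F). */
struct proc_caps { uint32_t permitted, inheritable, effective; };
struct file_caps { uint32_t permitted, inheritable; bool effective; };

/* Standard Linux exec() transition rule (ambient set not modelled):
 *   P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & bset)
 *   P'(effective)   = F(effective) ? P'(permitted) : 0
 *   P'(inheritable) = P(inheritable)
 * bset is the bounding set that init lowered before spawning children. */
struct proc_caps exec_transition(struct proc_caps p, struct file_caps f, uint32_t bset)
{
    struct proc_caps n;
    n.permitted   = (p.inheritable & f.inheritable) | (f.permitted & bset);
    n.inheritable = p.inheritable;
    n.effective   = f.effective ? n.permitted : 0;
    return n;
}

/* Convenience wrapper: what effective set does a child end up with when a
 * login shell whose inheritable set is shell_inh execs a file carrying
 * (fperm, finh, feff), under bounding set bset?  Returned for assertion. */
uint32_t child_effective(uint32_t shell_inh, uint32_t fperm, uint32_t finh,
                         bool feff, uint32_t bset)
{
    /* A pam_cap-style session shell holds nothing in permitted/effective;
     * it only carries the raised inheritable set forward. */
    struct proc_caps shell = { 0, shell_inh, 0 };
    struct file_caps file  = { fperm, finh, feff };
    return exec_transition(shell, file, bset).effective;
}

/* Setuid-0 binaries under a file-capability kernel behave as if they carried
 * F(permitted) = F(inheritable) = everything with F(effective) set, so the
 * bounding set is the only thing that trims them. */
uint32_t setuid_root_effective(uint32_t shell_inh, uint32_t bset)
{
    return child_effective(shell_inh, CAP_ALL, CAP_ALL, true, bset);
}

int main(void)
{
    const uint32_t bset = CAP_ALL & ~CAP_SYS_ADMIN;   /* init dropped SYS_ADMIN */

    /* 1. Raised inheritable set in the shell + matching fI on the binary:
     *    the user-started daemon may bind a privileged port, nothing more. */
    printf("web daemon, raised shell: 0x%08x\n",
           child_effective(CAP_NET_BIND_SERVICE, 0, CAP_NET_BIND_SERVICE, true, bset));

    /* 2. Same binary, but a shell whose inheritable set was never raised:
     *    the capability is not granted, since both sides must carry it. */
    printf("web daemon, plain shell:  0x%08x\n",
           child_effective(0, 0, CAP_NET_BIND_SERVICE, true, bset));

    /* 3. Setuid-0 binary: gains everything except what init removed from bset. */
    printf("setuid-0 binary:          0x%08x\n",
           setuid_root_effective(CAP_NET_BIND_SERVICE, bset));
    return 0;
}
```

Scenario 2 is the part most people get wrong when first configuring pam_cap: raising the shell's inheritable set does nothing for a binary whose file inheritable set is empty, and vice versa; a capability moves across exec() only when both sets contain it. Scenario 3 shows why Andrew says cap_bset must be lowered inside init before any children exist: the bounding set can only shrink, so anything removed there is gone for every setuid-0 program on the system.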