Jens Kasten | 15 Jan 16:59 2011

umount

Hi list,

again there is an umount issue.
I use the kernel 2.6.35.10.
As filesystem I use ext4.
I mount a snapshot of the rootfs to make a copy of it and create a new
rootfs with ext3, to see if the FF issue depends on the filesystem.

Sat Jan 15 16:53:35 2011 :<4>0000001056|do_umount() [sys_umount()]:
umount failed -> calling rsbac_mount for Device 253:22

The command fuse /mount_point shows nothing.

At the same time the partition with the ext3 filesystem can be unmounted.

Regards
Jens

_______________________________________________
rsbac mailing list
rsbac <at> rsbac.org
http://www.rsbac.org/mailman/listinfo/rsbac
Jens Kasten | 16 Jan 10:20 2011

UM

Hi list,

I am using UM for user authentication.

I must set sufficient and not required for category auth
in /etc/pam.d/system-auth otherwise it does not work.

This I see in the log message.

Jan 16 10:06:19 jaschtschik su[9778]: pam_authenticate: Authentication
failure
Jan 16 10:06:19 jaschtschik su[9778]: FAILED su for root by jens
Jan 16 10:06:19 jaschtschik su[9778]: - /dev/pts/2 jens:root

Latest rsbac-admin-tools 1.4.5 and kernel 2.6.35.10 from git.

/etc/pamd.d/system-auth:
auth    required    pam_env.so
auth    sufficient   pam_rsbac.so
#auth  required	pam_rsbac.so try_first_pass likeauth nullok
auth    required    pam_deny.so

account required    pam_rsbac.so
account optional    pam_permit.so

password    required    pam_cracklib.so difok=2 minlen=8 dcredit=2
ocredit=2 try_first_pass retry=3
password    required	pam_rsbac.so
password    required    pam_deny.so


Jens Kasten | 16 Jan 16:12 2011

kvm-guest in jail

Hi list,

I try to run a kvm-guest in a jail.
My network setup is bridged.
The monitor option is available on the host when I use a TCP socket
instead of a unix socket.
For the monitor I would prefer to use the unix socket.
But then I get:
Sun Jan 16 14:34:27 2011 :<7>0000000864|rsbac_adf_request_jail():
process jail is 35, no allow_ipc and partner process unknown ->
NOT_GRANTED!
Sun Jan 16 14:34:27 2011 :<6>0000000865|rsbac_adf_request(): request
ACCEPT, pid 9624, ppid 1, prog_name debian,
prog_file /usr/bin/qemu-system-x86_64, uid 0, remote ip 192.168.1.5,
target_type UNIXSOCK, tid Device 253:24 Inode 55284
Path /var/run/kvm/debian.socket, attr sock_type, value STREAM, result
NOT_GRANTED by JAIL

For the network setup, adding the iface to the bridge does not work.
If really everything fails I could use routing for the guests.

This command I use to start a guest:
/usr/local/bin/rsbac_jail -I 0.0.0.0 -d -D -K -E -C NET_RAW DAC_OVERRIDE DAC_READ_SEARCH NET_ADMIN -M network sysctl /usr/bin/kvm-admin debian boot

And this shows the logfile:
Sun Jan 16 16:00:22 2011 :<6>0000001178|rsbac_adf_request(): request
MODIFY_SYSTEM_DATA, pid 16483, ppid 16482, prog_name brctl,
prog_file /sbin/brctl, uid 0, remote ip 127.0.0.1, target_type NETDEV,

Gergely Lónyai | 17 Jan 07:51 2011

Re: UM

> -------- Original Message --------
> Subject: [rsbac] UM
> From: Jens Kasten <igraltist <at> rsbac.org>
> Date: Sun, January 16, 2011 10:20 am
> To: rsbac-mailing-list <rsbac <at> rsbac.org>
> 
> 
> Hi list,
> 
> I am using UM for user authentication.
> 
> I must set sufficient and not required for category auth
> in /etc/pam.d/system-auth otherwise it does not work.
> 
> This I see in the log message.
> 
> Jan 16 10:06:19 jaschtschik su[9778]: pam_authenticate: Authentication
> failure
> Jan 16 10:06:19 jaschtschik su[9778]: FAILED su for root by jens
> Jan 16 10:06:19 jaschtschik su[9778]: - /dev/pts/2 jens:root
> 
> Latest rsbac-admin-tools 1.4.5 and kernel 2.6.35.10 from git.
> 
> /etc/pamd.d/system-auth:
> auth    required    pam_env.so
> auth    sufficient   pam_rsbac.so
> #auth  required	pam_rsbac.so try_first_pass likeauth nullok
> auth    required    pam_deny.so
> 
> account required    pam_rsbac.so

Jens Kasten | 17 Jan 08:45 2011

Re: UM

On Sunday, 16.01.2011, 23:51 -0700, Gergely Lónyai wrote:
> > -------- Original Message --------
> > Subject: [rsbac] UM
> > From: Jens Kasten <igraltist <at> rsbac.org>
> > Date: Sun, January 16, 2011 10:20 am
> > To: rsbac-mailing-list <rsbac <at> rsbac.org>
> > 
> > 
> > Hi list,
> > 
> > I am using UM for user authentication.
> > 
> > I must set sufficient and not required for category auth
> > in /etc/pam.d/system-auth otherwise it does not work.
> > 
> > This I see in the log message.
> > 
> > Jan 16 10:06:19 jaschtschik su[9778]: pam_authenticate: Authentication
> > failure
> > Jan 16 10:06:19 jaschtschik su[9778]: FAILED su for root by jens
> > Jan 16 10:06:19 jaschtschik su[9778]: - /dev/pts/2 jens:root
> > 
> > Latest rsbac-admin-tools 1.4.5 and kernel 2.6.35.10 from git.
> > 
> > /etc/pamd.d/system-auth:
> > auth    required    pam_env.so
> > auth    sufficient   pam_rsbac.so
> > #auth  required	pam_rsbac.so try_first_pass likeauth nullok
> > auth    required    pam_deny.so
> > 

Gergely Lónyai | 17 Jan 09:14 2011

Re: UM

> -------- Original Message --------
> Subject: Re: [rsbac] UM
> From: Jens Kasten <igraltist <at> rsbac.org>
> Date: Mon, January 17, 2011 8:45 am
> To: RSBAC Discussion and Announcements <rsbac <at> rsbac.org>
> 
> 
> On Sunday, 16.01.2011, 23:51 -0700, Gergely Lónyai wrote:
> > > -------- Original Message --------
> > > Subject: [rsbac] UM
> > > From: Jens Kasten <igraltist <at> rsbac.org>
> > > Date: Sun, January 16, 2011 10:20 am
> > > To: rsbac-mailing-list <rsbac <at> rsbac.org>
> > > 
> > > 
> > > Hi list,
> > > 
> > > I am using UM for user authentication.
> > > 
> > > I must set sufficient and not required for category auth
> > > in /etc/pam.d/system-auth otherwise it does not work.
> > > 
> > > This I see in the log message.
> > > 
> > > Jan 16 10:06:19 jaschtschik su[9778]: pam_authenticate: Authentication
> > > failure
> > > Jan 16 10:06:19 jaschtschik su[9778]: FAILED su for root by jens
> > > Jan 16 10:06:19 jaschtschik su[9778]: - /dev/pts/2 jens:root
> > > 
> > > Latest rsbac-admin-tools 1.4.5 and kernel 2.6.35.10 from git.

Jens Kasten | 17 Jan 09:22 2011

Re: UM

On Monday, 17.01.2011, 01:14 -0700, Gergely Lónyai wrote:
> > -------- Original Message --------
> > Subject: Re: [rsbac] UM
> > From: Jens Kasten <igraltist <at> rsbac.org>
> > Date: Mon, January 17, 2011 8:45 am
> > To: RSBAC Discussion and Announcements <rsbac <at> rsbac.org>
> > 
> > 
> > On Sunday, 16.01.2011, 23:51 -0700, Gergely Lónyai wrote:
> > > > -------- Original Message --------
> > > > Subject: [rsbac] UM
> > > > From: Jens Kasten <igraltist <at> rsbac.org>
> > > > Date: Sun, January 16, 2011 10:20 am
> > > > To: rsbac-mailing-list <rsbac <at> rsbac.org>
> > > > 
> > > > 
> > > > Hi list,
> > > > 
> > > > I am using UM for user authentication.
> > > > 
> > > > I must set sufficient and not required for category auth
> > > > in /etc/pam.d/system-auth otherwise it does not work.
> > > > 
> > > > This I see in the log message.
> > > > 
> > > > Jan 16 10:06:19 jaschtschik su[9778]: pam_authenticate: Authentication
> > > > failure
> > > > Jan 16 10:06:19 jaschtschik su[9778]: FAILED su for root by jens
> > > > Jan 16 10:06:19 jaschtschik su[9778]: - /dev/pts/2 jens:root
> > > > 

Jens Kasten | 17 Jan 09:34 2011

Re: UM

On Monday, 17.01.2011, 09:22 +0100, Jens Kasten wrote:
> On Monday, 17.01.2011, 01:14 -0700, Gergely Lónyai wrote:
> > > -------- Original Message --------
> > > Subject: Re: [rsbac] UM
> > > From: Jens Kasten <igraltist <at> rsbac.org>
> > > Date: Mon, January 17, 2011 8:45 am
> > > To: RSBAC Discussion and Announcements <rsbac <at> rsbac.org>
> > > 
> > > 
> > > On Sunday, 16.01.2011, 23:51 -0700, Gergely Lónyai wrote:
> > > > > -------- Original Message --------
> > > > > Subject: [rsbac] UM
> > > > > From: Jens Kasten <igraltist <at> rsbac.org>
> > > > > Date: Sun, January 16, 2011 10:20 am
> > > > > To: rsbac-mailing-list <rsbac <at> rsbac.org>
> > > > > 
> > > > > 
> > > > > Hi list,
> > > > > 
> > > > > I am using UM for user authentication.
> > > > > 
> > > > > I must set sufficient and not required for category auth
> > > > > in /etc/pam.d/system-auth otherwise it does not work.
> > > > > 
> > > > > This I see in the log message.
> > > > > 
> > > > > Jan 16 10:06:19 jaschtschik su[9778]: pam_authenticate: Authentication
> > > > > failure
> > > > > Jan 16 10:06:19 jaschtschik su[9778]: FAILED su for root by jens
> > > > > Jan 16 10:06:19 jaschtschik su[9778]: - /dev/pts/2 jens:root

Jens Kasten | 17 Jan 10:40 2011

RES

Hi list,

I set up the following for RES:

attr_set_user RES $user res_max fsize 250000   # user won't create file more than 1G (block size = 4096)
attr_set_user RES $user res_max stack 100000   # user stack won't get bigger than 100 KB
attr_set_user RES $user res_max nofile 1024    # user won't open more than 1024 fds at a time
attr_set_user RES $user res_min core -1        # user will coredump by default
attr_set_user RES $user res_max nproc 200      # user won't start more than 200 process
attr_set_user RES $user res_max as 100000000   # user's process won't get bigger than 100MB

Then I call the python script ps-jail and I get:
Jan 17 10:31:43 jaschtschik kernel: ps-jail[21077]: segfault at
3c0639ebf18 ip 000002be1843366c sp 000003c0639ebf20 error 6 in
libpython2.6.so.1.0[2be1832e000+173000]

Should the RES module not simply stop it if the script needs more
resources?

Regards
Jens


Amon Ott | 17 Jan 10:57 2011

Re: RES

On Monday 17 January 2011 Jens Kasten wrote:
> I set up the following for RES:
>
> attr_set_user RES $user res_max fsize 250000   # user won't create file
> more than 1G (block size = 4096)

This value is in bytes, so 250000 bytes, not 1G.

> attr_set_user RES $user res_max stack 100000   # user stack won't get
> bigger than 100 KB
> attr_set_user RES $user res_max nofile 1024    # user won't open more
> than 1024 fds at a time
> attr_set_user RES $user res_min core -1        # user will coredump by
> default
> attr_set_user RES $user res_max nproc 200      # user won't start more
> than 200 process
> attr_set_user RES $user res_max as 100000000   # user's process won't
> get bigger than 100MB
>
>
> Then I call the python script ps-jail and I get:
> Jan 17 10:31:43 jaschtschik kernel: ps-jail[21077]: segfault at
> 3c0639ebf18 ip 000002be1843366c sp 000003c0639ebf20 error 6 in
> libpython2.6.so.1.0[2be1832e000+173000]
>
> Should the RES module not simply stop it if the script needs more
> resources?

RES only changes the standard kernel resource settings, it does not check 
itself. So this is not possible. Also, it is not possible to know in advance 
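
Added example (not part of the original mails and not RSBAC code): it applies the thread's fsize value of 250000 through the standard Linux `setrlimit` interface, used here as a stand-in for what a RES attribute ends up configuring. It shows that the limit counts bytes and that the kernel enforces it at the offending write with an error or a fatal signal. The helper names and the temporary file are assumptions of the example.

```python
import os
import resource
import signal
import tempfile

LIMIT_BYTES = 250000   # the res_max fsize value quoted in the thread
BLOCK = b"\0" * 4096   # the block size the original post assumed as the unit

def write_until_limit(path, ignore_sigxfsz):
    """Child body: cap RLIMIT_FSIZE, then write blocks until the kernel refuses."""
    signal.signal(signal.SIGXFSZ,
                  signal.SIG_IGN if ignore_sigxfsz else signal.SIG_DFL)
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))   # no core file from the kill
    resource.setrlimit(resource.RLIMIT_FSIZE, (LIMIT_BYTES, LIMIT_BYTES))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        while True:
            os.write(fd, BLOCK)   # short write at the limit, then EFBIG or SIGXFSZ
    except OSError:
        os._exit(0)               # only reached when SIGXFSZ is ignored

def run_case(ignore_sigxfsz):
    """Fork a child under the limit; return (file size, terminating signal or None)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "out.bin")
        pid = os.fork()
        if pid == 0:
            try:
                write_until_limit(path, ignore_sigxfsz)
            finally:
                os._exit(1)       # never fall back into the parent's code path
        _, status = os.waitpid(pid, 0)
        sig = os.WTERMSIG(status) if os.WIFSIGNALED(status) else None
        return os.path.getsize(path), sig

if __name__ == "__main__":
    print("SIGXFSZ ignored :", run_case(True))    # write fails with EFBIG
    print("SIGXFSZ default :", run_case(False))   # process is killed by the signal
```

In both cases the file stops at exactly 250000 bytes; with the default signal disposition the process is not stopped cleanly but killed by the kernel.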