Jens Kasten | 7 May 2012 06:02

Process in jail can use netstat to see connection

Hi list,

I was writing a small script to check if a service is alive.
Copied it to the server and put it in the crontab.
Then I got an email that the service, in my case ssh, is not running.
I looked, but it was running.
Ah ok, cron is running in an rsbac_jail.
So with ps, lsof or others only stuff from cron can be seen.
But when I put netstat in the script and let cron execute it, I see everything,
like connections.
For me that is sufficient to check if ssh is running, but after pgrep or ps
fail, I expected that netstat also fails.

This is my jail setup.
|Jail ID: 165| Program: cron| PID: 3899| Jail IP: 0.0.0.0
|Jail Flags: allow-external-ipc, allow-dev-get-status, allow-dev-read, allow-dev-mod-system, allow-inet-raw, allow-all-net-family, allow-dev-write
|Jail SCD Get: sysfs
|Jail SCD Modify: priority, rlimit, mlock

Does netstat deliver a result because of (allow-inet-raw, allow-all-net-family)?

-- 
Kind regards

Jens Kasten

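The health-check problem in this post, as an added example in Python (it is not code from the post): inside the jail the process table is not visible, so instead of pgrep or ps the check asks the network stack whether anything accepts connections on the port and whether it answers with an SSH identification line. The fake servers it starts on loopback are constructed stand-ins for the real daemon so the script runs offline; the host, ports and state names are the example's own.

```python
"""Service-liveness check that does not need to see other processes.

Added example, not code from the mailing-list post. Inside an RSBAC jail
ps/pgrep show only the jail's own processes, so a cron job that greps the
process table for sshd raises a false alarm. Asking the network stack
whether the port accepts connections (what netstat was showing the poster)
does not depend on process visibility.
"""
import socket
import threading

# An SSH server sends its identification string first, before the client
# says anything (RFC 4253, section 4.2).
SSH_ID_PREFIX = b"SSH-"


def service_state(host, port, timeout=2.0):
    """Classify host:port as 'down', 'listening-but-not-ssh' or 'ssh-alive'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:  # refused, unreachable, or timed out on connect
        return "down"
    with sock:
        sock.settimeout(timeout)
        try:
            banner = sock.recv(255)
        except OSError:  # listener accepted but never spoke
            return "listening-but-not-ssh"
    if banner.startswith(SSH_ID_PREFIX):
        return "ssh-alive"
    return "listening-but-not-ssh"


def start_fake_server(banner):
    """Constructed stand-in for a daemon: sends `banner` to every client on an
    ephemeral loopback port. Returns (port, stop) where stop() shuts it down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)  # lets the accept loop notice stop() promptly
    port = srv.getsockname()[1]
    stop_flag = threading.Event()

    def serve():
        while not stop_flag.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop_flag.set


def free_loopback_port():
    """Pick a port nothing listens on (constructed 'service down' case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Run the check against three constructed cases; returns the verdicts."""
    results = {}
    port, stop = start_fake_server(b"SSH-2.0-OpenSSH_example\r\n")
    results["sshd"] = service_state("127.0.0.1", port)
    stop()
    port, stop = start_fake_server(b"220 mail.example ESMTP\r\n")
    results["smtpd"] = service_state("127.0.0.1", port)
    stop()
    results["nothing"] = service_state("127.0.0.1", free_loopback_port())
    return results


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```

Checking the banner rather than only the open port matters for the cron case: a port that is held open by some other program would otherwise pass as a healthy sshd.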

Jens Kasten | 13 May 2012 06:04

ssh gives wrong name for virtual set user

Hi list,

I did the following on a remote_machine:

rsbac_groupadd -S 5000 jens
rsbac_useradd -S 5000 jens

rsbac_usershow -S 5000 -l
5000/jens 2000
rsbac_passwd -n -S 5000 jens

Now connect to this remote_machine with ssh:

ssh 5000/jens@remote_machine
Password:
Write failed: Broken pipe

On the remote_machine in the log:
rsbac_adf_request(): gid 2000 not known to RSBAC User Management!

So the virtual set is not properly handled by ssh.

For testing I created with UM a user tester:
(It's the first user I create, so it gets the uid and gid with number
2000)

rsbac_groupadd tester
rsbac_useradd -g tester tester

Then I can connect with ssh, but with some mixing.

Jens Kasten | 14 May 2012 14:46

jail caps flags do not work on latest git kernel 3.2.y

Hi list,

Is on the latest git kernel 3.2.y the jail scd flag ioctl_cmd
removed, or in which version was it removed?

Then when I start a service in a jail with caps, this is printed out:
Error managing capability set, cap_set_proc returned an error; caps='= 
cap_net_bind_service,cap_syslog+ep

cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_net_broadcast,cap_net_raw+p', 
error='Operation not permitted (1)'

-- 
Kind regards

Jens Kasten

http://www.kasten-edv.de
_______________________________________________
rsbac mailing list
rsbac <at> rsbac.org
http://www.rsbac.org/mailman/listinfo/rsbac
Jens Kasten | 20 May 2012 05:03

attr_set_user does not work

Hi list,

I am trying to allow the security user to create home directories temporarily.
But when I do this:

attr_set_user security min_cap DAC_OVERRIDE
attr_set_user: Invalid Attribute min_cap!
-- 
Kind regards

Jens Kasten

http://www.kasten-edv.de
Jens Kasten | 20 May 2012 05:31

Re: attr_set_user does not work

It was my mistake.

I must call min_caps!

I want to use a user for updates. So I set up this:

cat create_update_user_gentoo.sh
#!/bin/sh
# for using emerge
attr_set_file_dir FILE /usr/lib64/portage/bin/emerge fake_root_uid 3

# allow the security user to create the home directory
attr_set_user security min_caps DAC_OVERRIDE

# create group and user updater
rsbac_groupadd -g 410 updater
rsbac_useradd -m -d /home/updater -g 410 -u 410 updater

# disable it again (empty list clears min_caps for security)
attr_set_user security min_caps

# set min caps for user updater
attr_set_user updater min_caps CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID MKNOD NET_BIND_SERVICE

# solve this ACL request:
# request GET_STATUS_DATA, pid 10699, ppid 10696, prog_name sort, prog_file /bin/sort, uid 410, remote ip 192.168.1.5, target_type SCD, tid priority, attr none, value none, result NOT_GRANTED by ACL
acl_grant USER 410 GET_STATUS_DATA SCD priority

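The last step of the script above turns one logged ACL denial into the matching acl_grant by hand. As an added example in Python (not code from the post or from the RSBAC project), this parser generalizes that step: it splits the "key value" fields of the logged request and emits the acl_grant command only for lines whose result is NOT_GRANTED, de-duplicated across many lines from the same noisy process. The argument order USER uid request target_type tid is an assumption taken from the single example on the page; the sample log lines are constructed, modelled on the one quoted above.

```python
"""Turn RSBAC ACL denials from the log into the matching acl_grant lines.

Added example, not code from the post. The post shows one pair by hand: the
NOT_GRANTED message for uid 410 requesting GET_STATUS_DATA on the SCD target
"priority", and "acl_grant USER 410 GET_STATUS_DATA SCD priority" that
resolves it. Assumption: that argument order (USER <uid> <request>
<target_type> <tid>) generalizes; the page documents only this one case.
"""
import re

# Constructed sample lines, modelled on the one quoted in the post. The second
# is a repeat from another pid; the third has its result changed to show that
# only denials become grants.
SAMPLE_LOG = [
    "request GET_STATUS_DATA, pid 10699, ppid 10696, prog_name sort, "
    "prog_file /bin/sort, uid 410, remote ip 192.168.1.5, target_type SCD, "
    "tid priority, attr none, value none, result NOT_GRANTED by ACL",
    "request GET_STATUS_DATA, pid 10700, ppid 10696, prog_name sort, "
    "prog_file /bin/sort, uid 410, remote ip 192.168.1.5, target_type SCD, "
    "tid priority, attr none, value none, result NOT_GRANTED by ACL",
    "request GET_STATUS_DATA, pid 10701, ppid 10696, prog_name sort, "
    "prog_file /bin/sort, uid 410, remote ip 192.168.1.5, target_type SCD, "
    "tid priority, attr none, value none, result GRANTED",
]

# "key value" pairs separated by ", "; a value runs until the next ", " or EOL.
FIELD_RE = re.compile(
    r"\b(request|pid|ppid|prog_name|prog_file|uid|remote ip|target_type"
    r"|tid|attr|value|result)\s+(.+?)(?=,\s|$)"
)


def parse_request_line(line):
    """Return the fields of one RSBAC request log line as a dict
    (the key 'remote ip' becomes 'remote_ip')."""
    return {key.replace(" ", "_"): val for key, val in FIELD_RE.findall(line)}


def acl_grant_for(fields):
    """acl_grant command for a denied request, or None if it was not denied."""
    if not fields.get("result", "").startswith("NOT_GRANTED"):
        return None
    # Extra keys in `fields` are ignored by str.format.
    return "acl_grant USER {uid} {request} {target_type} {tid}".format(**fields)


def denials_to_grants(lines):
    """Distinct acl_grant commands for the denials in `lines`, in first-seen
    order, so a process that retries does not yield the same grant repeatedly."""
    grants = []
    for line in lines:
        cmd = acl_grant_for(parse_request_line(line))
        if cmd and cmd not in grants:
            grants.append(cmd)
    return grants


if __name__ == "__main__":
    for cmd in denials_to_grants(SAMPLE_LOG):
        print(cmd)
```

The script only proposes commands; whether a denied request is legitimate (here: sort reading the SCD priority target under uid 410) is decided by the administrator before the grant is applied, which is why the output is a list to review rather than something executed directly.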

Jens Kasten | 24 May 2012 08:32

default rsbac profile

Hi list,

Here is a first try to build a predefined profile for the rsbac kernel
configuration.
Copy the attachment to your path to
linux-rsbac-source/rsbac/Kconfig.profile and modify
linux-rsbac-source/rsbac/Kconfig.

Insert into Kconfig at the very beginning, after this:

if RSBAC

source rsbac/Kconfig.profile

That's all.
Thanks for testing :)

-- 
Kind regards

Jens Kasten

http://www.kasten-edv.de
# menu for predefined profile
config RSBAC_SECURITY_LEVEL
    bool "Security Level"
    depends on RSBAC
    default n
    select RSBAC_PROC

Jens Kasten | 25 May 2012 01:52

Re: default rsbac profile

In the attachment I have a slightly modified version and a patch for
rsbac/Kconfig.
It needs this patch because by default Softmode and RC are set.
Now I have my rsbac kernel config setup finished with max. 5 config
options.
Next is to build a profile for using RC.
I have tested it and will send it to blueness to integrate into the
gentoo-hardened rsbac-sources.

On 2012-05-24 08:32, Jens Kasten wrote:
> Hi list,
>
> Here is a first try to build a predefined profile for the rsbac kernel
> configuration.
> Copy the attachment to your path to
> linux-rsbac-source/rsbac/Kconfig.profile and modify
> linux-rsbac-source/rsbac/Kconfig.
>
> Insert into Kconfig on the very beginning after this:
>
> if RSBAC
>
> source rsbac/Kconfig.profile
>
> That's all.
> Thanks for testing :)

-- 
Kind regards

Jens Kasten