[apparmor] [patch] sshd profile patch (was: Re: openSUSE profile patches - part 2)

Christian Boltz apparmor at cboltz.de
Fri Aug 12 20:07:26 UTC 2011


Hello,

On Monday, 8 August 2011, Christian Boltz wrote:
> @Jeff: can you please comment on the sshd profile?
> 
> On Monday, 8 August 2011, Steve Beattie wrote:
> > On Sat, Aug 06, 2011 at 02:30:52PM +0200, Christian Boltz wrote:

> > > From: Jeff Mahoney <jeffm at suse.com>
> > > Subject: Fix for sshd profile
> > > References: bnc#457072

> > > --- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
> > > +++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
> > > 
> > > +  capability audit_control,
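Review bot: the `+  capability audit_control,` line needs a comment in the profile recording why it is there (the bnc#457072 reference and the fact that login fails without it), otherwise the next cleanup pass will try to drop it again. Since this capability lets the confined sshd reconfigure the audit subsystem, consider writing it as `audit capability audit_control,` so every use is logged and an sshd that starts using it for anything beyond login becomes visible.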
> > 
> > I really, really dislike allowing audit_control. Basically, a
> > confined process with it can turn off audit logging by auditd/the
> > audit subsystem or manipulate it in such away as to hide audit
> > events. Does sshd really fail to start if audit_control is
> > disallowed? I'd honestly rather see a deny rule here.
> 
> Jeff?

I just tested this myself on openSUSE 11.4:

With "deny capability audit_control":

# ssh localhost
Last login: Fri Aug 12 18:30:30 2011 from console
Have a lot of fun...
Connection to localhost closed.
#

In other words: I'm instantly logged out - that makes ssh quite secure, 
but useless ;-)

When allowing audit_control, login works - which means it is really 
needed.

OTOH, sys_ptrace doesn't seem to be needed, therefore I didn't include 
that part in the updated patch.

My tests resulted in the following additions compared to Jeff's patch:

+  /proc/*/oom_adj rw,
+  /proc/*/oom_score_adj rw,
+  /var/log/btmp r,
+  /var/log/lastlog k,

-  /proc/filesystems r, # already in abstractions/base
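Review bot: `/proc/*/oom_adj rw,` and `/proc/*/oom_score_adj rw,` grant write access to the OOM adjustment of every process on the system, while sshd only needs to write its own entries; narrow the two rules with the `owner` qualifier (`owner /proc/*/oom_adj rw,`) or a pid-scoped path if the parser in use supports it. Also confirm the profile already carries read/write on `/var/log/lastlog`, since the new `k` rule only adds locking and is not sufficient on its own.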

> > > -  /bin/bash Ux,
> > > +  /bin/bash rUx,
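Review bot: the `r` added to `/bin/bash rUx,` fixes only one login shell; every other shell listed in /etc/shells that a user may have in /etc/passwd needs the same rule, or those users get the same instant disconnect seen in the test above. The `Ux` mode also drops confinement for the shell and everything it starts, so the profile protects sshd only up to that exec; that is worth a comment in the profile rather than leaving readers to infer it from the mode letter.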
> > 
> > I suspect the other shells need 'r' access as well.
> 
> Looks like nobody uses anything else than bash as login shell ;-)
> But yes, you are probably right.

Fixed in the attached patch.


Regards,

Christian Boltz
-- 
Look at Debian... its stable, works on a variety of platforms.... and
development is racing along at the speed of a turtle with 3 broken legs.
[Joseph M. Gaffney in opensuse]
-------------- next part --------------
An embedded message was scrubbed...
From: Jeff Mahoney <jeffm at suse.com>
Subject: Fix for sshd profile
Date: no date
Size: 1789
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20110812/7fa4f4c6/attachment.mht>
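The test Christian describes (deny the capability, log in, see whether sshd survives) can be made less guesswork-driven by letting AppArmor tell you which capability it refused. The script below is an added example, not part of this message or of the AppArmor project; it rewrites a capability rule in a profile file between allow, deny and `audit deny`, and extracts denied capability names for a given profile from audit records on stdin. A plain `deny` rule is silent, which is why the example switches to `audit deny` before testing. The audit records and the profile fragment embedded in it are constructed for the example, modelled on the kernel's AppArmor log format; the `apparmor_parser -r` reload step is shown as a comment because it needs root on a system running AppArmor.

```shell
#!/bin/sh
# Added example: find out which capability a confined sshd is denied,
# instead of guessing. Workflow: switch the rule to "audit deny", reload
# the profile, log in over ssh, then read the denials back from the audit
# log for that profile.

# set_cap_rule FILE CAP MODE
# Rewrites the rule for capability CAP in profile FILE and prints the
# resulting profile on stdout. MODE is one of: allow, deny, audit-deny.
set_cap_rule() {
    file=$1; cap=$2; mode=$3
    case $mode in
        allow)      prefix='' ;;
        deny)       prefix='deny ' ;;
        audit-deny) prefix='audit deny ' ;;
        *) echo "set_cap_rule: unknown mode '$mode'" >&2; return 1 ;;
    esac
    # Match the rule whatever its current qualifiers, keep its indentation.
    sed "s/^\([[:space:]]*\)\(audit \)*\(deny \)*capability $cap,/\1${prefix}capability $cap,/" "$file"
}

# denied_caps PROFILE
# Reads AppArmor audit records on stdin and prints, one per line, the
# capabilities the named profile was denied (sorted, unique). Only
# "capable" operations are considered; file denials are ignored.
denied_caps() {
    profile=$1
    grep 'apparmor="DENIED"' |
    grep 'operation="capable"' |
    grep "profile=\"$profile\"" |
    sed -n 's/.*capname="\([^"]*\)".*/\1/p' |
    sort -u
}

# Constructed sample records (not a real capture), modelled on the
# kernel's AppArmor audit format: one capability denial for sshd, one
# file denial for sshd that must not be picked up, one denial for a
# different profile.
SAMPLE_AUDIT='type=AVC msg=audit(1313179200.101:51): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/sshd" pid=2412 comm="sshd" capability=30  capname="audit_control"
type=AVC msg=audit(1313179200.102:52): apparmor="DENIED" operation="open" parent=2412 profile="/usr/sbin/sshd" pid=2413 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 name="/var/log/btmp"
type=AVC msg=audit(1313179200.103:53): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=998 comm="cupsd" capability=19  capname="sys_ptrace"'

# Constructed profile fragment to rewrite (hypothetical, not the real profile).
SAMPLE_PROFILE=$(mktemp)
cat > "$SAMPLE_PROFILE" <<'EOF'
/usr/sbin/sshd {
  capability audit_control,
  capability sys_ptrace,
}
EOF

# Step 1: turn the rule into an audited deny so refusals show up in the log.
set_cap_rule "$SAMPLE_PROFILE" audit_control audit-deny

# Step 2 (on the real system, as root; not run here):
#   apparmor_parser -r /etc/apparmor.d/usr.sbin.sshd && ssh localhost
# Step 3: read the denials back, e.g.
#   denied_caps /usr/sbin/sshd < /var/log/audit/audit.log
# Here the constructed records stand in for the audit log:
printf '%s\n' "$SAMPLE_AUDIT" | denied_caps /usr/sbin/sshd

rm -f "$SAMPLE_PROFILE"
```

If the list that comes back is empty after a login that worked, the capability was not needed and the rule can stay a deny; if it names the capability, the profile has to allow it and the denial record is the justification to put in the profile comment.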

