[apparmor] [patch] sshd profile patch (was: Re: openSUSE profile patches - part 2)
Christian Boltz
apparmor at cboltz.de
Fri Aug 12 20:07:26 UTC 2011
Hello,
On Monday, 8 August 2011, Christian Boltz wrote:
> @Jeff: can you please comment on the sshd profile?
>
> On Monday, 8 August 2011, Steve Beattie wrote:
> > On Sat, Aug 06, 2011 at 02:30:52PM +0200, Christian Boltz wrote:
> > > From: Jeff Mahoney <jeffm at suse.com>
> > > Subject: Fix for sshd profile
> > > References: bnc#457072
> > > --- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
> > > +++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
> > >
> > > + capability audit_control,
> >
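Review bot: `+ capability audit_control,` lands with no comment recording why a capability this broad is needed, even though the thread's own testing shows the login session is closed immediately when it is denied. Add a comment beside the rule that says so and cites the bnc#457072 reference from the patch header, e.g. `capability audit_control, # login is closed immediately without this, bnc#457072`, so that a later cleanup does not turn it back into a deny rule without retesting; the thread does not identify which part of the login path needs it, and naming that in the comment once it is known is what would let the rule be narrowed or dropped later.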
> > I really, really dislike allowing audit_control. Basically, a
> > confined process with it can turn off audit logging by auditd/the
> > audit subsystem or manipulate it in such away as to hide audit
> > events. Does sshd really fail to start if audit_control is
> > disallowed? I'd honestly rather see a deny rule here.
>
> Jeff?
I just tested this myself on openSUSE 11.4:
With "deny capability audit_control":
# ssh localhost
Last login: Fri Aug 12 18:30:30 2011 from console
Have a lot of fun...
Connection to localhost closed.
#
In other words: I'm instantly logged out - that makes ssh quite secure,
but useless ;-)
When allowing audit_control, login works - which means it is really
needed.
OTOH, sys_ptrace doesn't seem to be needed, therefore I didn't include
that part in the updated patch.
My tests resulted in the following additions compared to Jeff's patch:
+ /proc/*/oom_adj rw,
+ /proc/*/oom_score_adj rw,
+ /var/log/btmp r,
+ /var/log/lastlog k,
- /proc/filesystems r, # already in abstractions/base
> > > - /bin/bash Ux,
> > > + /bin/bash rUx,
> >
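Review bot: the `r` is added for `/bin/bash` only, so any other login shell the profile lists with `Ux` still lacks the read permission that sshd evidently needs before the exec (Steve's point below); apply the same `r` to every shell rule in this hunk rather than to bash alone. The `U` in `rUx` means the shell runs unconfined after the exec, so the added `r` only lets sshd read the binary and does not widen what the user's session can do.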
> > I suspect the other shells need 'r' access as well.
>
> Looks like nobody uses anything other than bash as a login shell ;-)
> But yes, you are probably right.
Fixed in the attached patch.
Regards,
Christian Boltz
--
Look at Debian... its stable, works on a variety of platforms.... and
development is racing along at the speed of a turtle with 3 broken legs.
[Joseph M. Gaffney in opensuse]
-------------- next part --------------
An embedded message was scrubbed...
From: Jeff Mahoney <jeffm at suse.com>
Subject: Fix for sshd profile
Date: no date
Size: 1789
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20110812/7fa4f4c6/attachment.mht>
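Testing a profile change the way it is done above (deny the capability, try a login, see what breaks) leaves its evidence in the audit log. The script below is an added example written for this page, not code from the list thread or from the AppArmor project: it turns the kernel's apparmor="DENIED" audit lines for one profile into candidate rules of the kind collected in this patch, capability rules from capname= and file rules from name= plus denied_mask=. The log lines in SAMPLE_LOG are constructed for the example (pids, timestamps and the ntpd/sys_time line are made up); the sshd profile path and the btmp/lastlog/audit_control rules follow the thread.

```shell
#!/bin/sh
# Added example for this page (not code from the list thread or the
# AppArmor project): turn apparmor="DENIED" audit lines for one profile
# into candidate profile rules, the raw material of a patch like this one.

# Constructed sample log lines in the AppArmor audit format; pids,
# timestamps and the ntpd line are made up for the example. Lines 1 and 4
# are the capability denial the thread discusses; line 5 belongs to
# another profile and line 6 is not a denial, so neither may show up.
SAMPLE_LOG='type=AVC msg=audit(1313179200.101:1): apparmor="DENIED" operation="capable" profile="/usr/sbin/sshd" pid=4242 comm="sshd" capability=30  capname="audit_control"
type=AVC msg=audit(1313179200.102:2): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/var/log/btmp" pid=4242 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1313179200.103:3): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/sshd" name="/var/log/lastlog" pid=4242 comm="sshd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
type=AVC msg=audit(1313179200.104:4): apparmor="DENIED" operation="capable" profile="/usr/sbin/sshd" pid=4243 comm="sshd" capability=30  capname="audit_control"
type=AVC msg=audit(1313179200.105:5): apparmor="DENIED" operation="capable" profile="/usr/sbin/ntpd" pid=777 comm="ntpd" capability=25  capname="sys_time"
type=AVC msg=audit(1313179200.106:6): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd" name="/etc/passwd" pid=4242 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# suggest_rules PROFILE   (log lines on stdin)
# Prints one candidate rule per distinct denial of PROFILE, sorted and
# deduplicated:  "capability <capname>,"  for operation="capable", and
# "<path> <denied_mask>,"  for file denials that carry a name= field.
suggest_rules() {
    awk -v want="$1" '
    # value of key="..." on the current line; the leading space keeps
    # name= from matching inside capname=
    function field(key,    re) {
        re = " " key "=\"[^\"]*\""
        if (match($0, re))
            return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
        return ""
    }
    /apparmor="DENIED"/ && field("profile") == want {
        if (field("operation") == "capable")
            print "capability " field("capname") ","
        else if (field("name") != "")
            print field("name") " " field("denied_mask") ","
    }' | LC_ALL=C sort -u
}

# Stand-alone run: what the sshd profile would need according to the sample.
printf '%s\n' "$SAMPLE_LOG" | suggest_rules /usr/sbin/sshd
```

Two caveats for using this on a real box. An explicit `deny capability audit_control,` rule, as used in the test above, is silent by default: AppArmor logs hits on explicit deny rules only when the rule is prefixed with `audit`, so to see the evidence in the log either write `audit deny capability audit_control,` or simply leave the capability out of the profile while testing. And the output is a starting point for review, not rules to paste in blindly: the `capability audit_control,` line it produces is exactly the one objected to in the thread, and a log parser cannot tell you whether the need for it can be avoided; aa-logprof from the AppArmor utilities does the same job with more care (abstractions, globbing, interactive review).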