From: Pawel Jakub Dawidek
To: freebsd-security@FreeBSD.org
Date: Mon, 21 Mar 2011 22:36:49 +0100
Subject: [pjd@FreeBSD.org: svn commit: r219847 - in head/sbin: hastctl hastd]
Message-ID: <20110321213649.GH2086@garage.freebsd.pl>

FYI, it looks like HAST is the first capsicum consumer in the base.>:>

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://yomoli.com

Attached message (message/rfc822):

Message-Id: <201103212131.p2LLVpT3021437@svn.freebsd.org>
From: Pawel Jakub Dawidek
Date: Mon, 21 Mar 2011 21:31:51 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r219847 - in head/sbin: hastctl hastd

Author: pjd
Date: Mon Mar 21 21:31:50 2011
New Revision: 219847
URL: http://svn.freebsd.org/changeset/base/219847

Log:
  When dropping privileges prefer capsicum over chroot+setgid+setuid.

  We can use capsicum for secondary worker processes and hastctl.
  When working as primary we drop privileges using chroot+setgid+setuid
  still as we need to send ioctl(2)s to ggate device, for which capsicum
  doesn't allow (yet).

X-MFC after: capsicum is merged to stable/8

Modified:
  head/sbin/hastctl/hastctl.c
  head/sbin/hastd/primary.c
  head/sbin/hastd/secondary.c
  head/sbin/hastd/subr.c
  head/sbin/hastd/subr.h

Modified: head/sbin/hastctl/hastctl.c ============================================================================== --- head/sbin/hastctl/hastctl.c Mon Mar 21 21:16:40 2011 (r219846) +++ head/sbin/hastctl/hastctl.c Mon Mar 21 21:31:50 2011 (r219847) @@ -480,9 +480,8 @@ main(int argc, char *argv[]) cfg->hc_controladdr); } - if (drop_privs() != 0) + if (drop_privs(true) != 0) exit(EX_CONFIG); - pjdlog_debug(1, "Privileges successfully dropped."); /* Send the command to the server... */ if (hast_proto_send(NULL, controlconn, nv, NULL, 0) < 0) { Modified: head/sbin/hastd/primary.c ============================================================================== --- head/sbin/hastd/primary.c Mon Mar 21 21:16:40 2011 (r219846) +++ head/sbin/hastd/primary.c Mon Mar 21 21:31:50 2011 (r219847)
@@ -874,7 +874,7 @@ hastd_primary(struct hast_resource *res) init_ggate(res); init_environment(res); - if (drop_privs() != 0) { + if (drop_privs(true) != 0) { cleanup(res); exit(EX_CONFIG); } Modified: head/sbin/hastd/secondary.c ============================================================================== --- head/sbin/hastd/secondary.c Mon Mar 21 21:16:40 2011 (r219846) +++ head/sbin/hastd/secondary.c Mon Mar 21 21:31:50 2011 (r219847) @@ -440,7 +440,7 @@ hastd_secondary(struct hast_resource *re init_local(res); init_environment(); - if (drop_privs() != 0) + if (drop_privs(true) != 0) exit(EX_CONFIG); pjdlog_info("Privileges successfully dropped."); Modified: head/sbin/hastd/subr.c ============================================================================== --- head/sbin/hastd/subr.c Mon Mar 21 21:16:40 2011 (r219846) +++ head/sbin/hastd/subr.c Mon Mar 21 21:31:50 2011 (r219847) @@ -30,6 +30,7 @@ #include __FBSDID("$FreeBSD$"); +#include #include #include #include @@ -39,6 +40,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -144,13 +146,22 @@ role2str(int role) } int -drop_privs(void) +drop_privs(bool usecapsicum) { struct passwd *pw; uid_t ruid, euid, suid; gid_t rgid, egid, sgid; gid_t gidset[1]; + if (usecapsicum) { + if (cap_enter() == 0) { + pjdlog_debug(1, + "Privileges successfully dropped using capsicum."); + return (0); + } + pjdlog_errno(LOG_WARNING, "Unable to sandbox using capsicum"); + } + /* * According to getpwnam(3) we have to clear errno before calling the * function to be able to distinguish between an error and missing 
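Review bot: the primary.c hunk passes `drop_privs(true)` even though the log message says the primary must keep chroot+setgid+setuid because the ioctl(2) calls to the ggate device are not permitted under capsicum yet. With `true`, hastd_primary() tries cap_enter() first and only falls back to the chroot path when cap_enter() fails, so on a kernel where it succeeds the primary would run in capability mode and, by the log's own statement, its later ggate ioctl(2)s would be refused. Either the argument in hastd_primary() should be `false`, or the log should explain why the primary can tolerate the capsicum path.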
@@ -208,5 +219,8 @@ drop_privs(void) PJDLOG_VERIFY(getgroups(1, gidset) == 1); PJDLOG_VERIFY(gidset[0] == pw->pw_gid); + pjdlog_debug(1, + "Privileges successfully dropped using chroot+setgid+setuid."); + return (0); } Modified: head/sbin/hastd/subr.h ============================================================================== --- head/sbin/hastd/subr.h Mon Mar 21 21:16:40 2011 (r219846) +++ head/sbin/hastd/subr.h Mon Mar 21 21:31:50 2011 (r219847) 
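Review bot: in the subr.c hunks drop_privs() treats capsicum and chroot+setgid+setuid as alternatives rather than layers: when cap_enter() succeeds it returns at once, so the process keeps its root uid and gid, and when cap_enter() fails (for example on a kernel built without capability mode) it only logs at LOG_WARNING and silently downgrades to the chroot path, so an operator has no hard signal that the intended sandbox was not applied. Consider running the existing chroot/setgroups/setgid/setuid sequence first and calling cap_enter() last for the callers that can use it, so a descriptor leaked out of the sandbox has no root credentials behind it, and consider adding a comment at the top of drop_privs() stating that every descriptor the worker will need must already be open before drop_privs(true) is called, since capability mode removes access to global namespaces such as the filesystem.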
@@ -50,6 +50,6 @@ int snprlcat(char *str, size_t size, con int provinfo(struct hast_resource *res, bool dowrite); const char *role2str(int role); -int drop_privs(void); +int drop_privs(bool usecapsicum); #endif /* !_SUBR_H_ */

From: Miguel Lopes Santos Ramos
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Date: Fri, 25 Mar 2011 11:09:51 +0000
Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks
Message-ID: <1301051391.11551.12.camel@w500.local>
In-Reply-To: <1299878133.29931.14.camel@w500.local>

On Fri, 2011-03-11 at 21:15 +0000, Miguel Lopes Santos Ramos wrote:
> Here's a scratch.
>
> I added an option, called "require_trusted", which enforces the trusted
> network check even for users who do not have OPIE enabled.
> If this option is not used, behaviour is unchanged.
>
> The name "require_trusted" is catchy and compelling to use. However, if
> it was used in default configuration files, login would be impossible
> (unless there was a default opieaccess file which permitted everything,
> but that is a bit forcing OPIE stuff on people and it's not worth it).

Well, this thread got a bit lost discussing other issues. So, any comments on the usefulness of this patch? I'm undecided myself, when I saw that I can easily lock everyone out with this (however, that's usually the case with other PAM modules).

With this option:
- Non-OPIE logins are only possible from trusted networks (those in /etc/opieaccess),
- Consequently, users who do not have OPIE enabled can only log in from trusted networks,
- Consequently, if /etc/opieaccess does not exist, users who do not have OPIE enabled cannot log in (I see valid uses for this, anyway),
- Consequently, if no one has OPIE enabled, no one can log in (thus optimum security is achieved).

Overall, I think this is useful. I think I'm not the only one in this situation. One basic reason for this is that most users on my network very rarely need shell access, and even more rarely do they need it from outside. Having complex passwords becomes hard to manage, as a user who logs in once every three months will never remember his password. Account lockout is also not what I want.

-- 
Miguel Ramos
PGP A006A14C
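Miguel's list above spells out who could still log in once `require_trusted` is set. The following Python is an added example written for this archive page; it is not Miguel's patch and not FreeBSD's pam_opie or pam_opieaccess code. It models that decision so an administrator can run it against an opieaccess file and a user list and see the lock-out before enabling the option. It assumes the `permit|deny <address> <mask>` line format of opieaccess(5), first-match-wins evaluation, and that a missing file or an unmatched host counts as untrusted; the opieaccess contents and the user table are constructed samples.

```python
"""Lock-out check for the "require_trusted" policy discussed in the thread.

Added example; not code from Miguel's patch or from FreeBSD's pam_opie(8) /
pam_opieaccess(8).  Assumptions: /etc/opieaccess lines have the form
"permit|deny <address> <mask>" as in opieaccess(5), the first matching entry
wins, and a missing file or no matching entry means the host is untrusted.
"""
import ipaddress

# Constructed sample of an /etc/opieaccess file (not a real one).
SAMPLE_OPIEACCESS = """\
# trust the local host and the office LAN, deny everything else
permit 127.0.0.1 255.255.255.255
permit 192.168.10.0 255.255.255.0
deny 0.0.0.0 0.0.0.0
"""

# Constructed sample: user name -> whether OPIE is enabled for that user.
SAMPLE_USERS = {"alice": True, "bob": False, "carol": False}


def parse_opieaccess(text):
    """Return a list of (action, network) from opieaccess-style text.

    Comments (#) and blank lines are ignored; every other line must be
    exactly 'permit'/'deny', an address and a dotted netmask.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("permit", "deny"):
            raise ValueError("line %d: malformed opieaccess entry: %r" % (lineno, raw))
        action, addr, mask = parts
        # strict=False keeps host entries such as "127.0.0.1 255.255.255.255" valid
        rules.append((action, ipaddress.ip_network("%s/%s" % (addr, mask), strict=False)))
    return rules


def host_is_trusted(rules, remote_addr):
    """First matching entry decides; no file (None) or no match is untrusted."""
    if rules is None:
        return False
    ip = ipaddress.ip_address(remote_addr)
    for action, network in rules:
        if ip in network:
            return action == "permit"
    return False


def password_login_allowed(user_has_opie, remote_trusted, require_trusted):
    """May a plain-password (non-OPIE) login proceed?

    Trusted networks always allow it.  Elsewhere, OPIE users must use OPIE,
    and non-OPIE users are refused only when require_trusted is set.
    """
    if remote_trusted:
        return True
    if user_has_opie:
        return False
    return not require_trusted


def access_summary(rules, users, require_trusted):
    """Per-user outcome, so an admin can spot a lock-out before enabling the option."""
    any_trusted = bool(rules) and any(action == "permit" for action, _ in rules)
    summary = {}
    for user, has_opie in users.items():
        if has_opie:
            summary[user] = "password from trusted networks, OPIE elsewhere"
        elif not require_trusted:
            summary[user] = "password from anywhere"
        elif any_trusted:
            summary[user] = "password from trusted networks only"
        else:
            summary[user] = "locked out"
    return summary


if __name__ == "__main__":
    rules = parse_opieaccess(SAMPLE_OPIEACCESS)
    for addr in ("192.168.10.42", "203.0.113.7"):
        print(addr, "trusted" if host_is_trusted(rules, addr) else "untrusted")
    print("with /etc/opieaccess:   ", access_summary(rules, SAMPLE_USERS, True))
    print("without /etc/opieaccess:", access_summary(None, SAMPLE_USERS, True))
```

Running it with the sample file shows the two outcomes Miguel lists: with a permit entry present, non-OPIE users are confined to the trusted networks; with the file absent, every non-OPIE user is locked out, while OPIE users are never locked out because they can always fall back to a one-time password.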