Date: Tue, 2 Mar 2010 06:43:03 -0800 From: Selphie Keller <selphie.keller@gmail.com> To: "'Robert Watson'" <rwatson@FreeBSD.org> Cc: freebsd-hackers@freebsd.org Subject: RE: mac_mls mac_biba mac_lomac patches to fix ptys_equal mib support for new /dev/pts in FreeBSD 8 Message-ID: <EAB3F73201B9443D81524724BA9777FD@2WIRE304> In-Reply-To: <alpine.BSF.2.00.1003021120450.48144@fledge.watson.org> References: <2BD4195B78BE4E4E9F4953B3196590E3@2WIRE304> <alpine.BSF.2.00.1003021120450.48144@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi Robert,
- (1) It looks like you didn't need to set any special label on /dev/ptmx
- itself?
I didn't have any issues with /dev/ptmx being defaulted to mls/low, also
didn't have any problem with /dev/pts device path itself, just the
/dev/pts/* 0 - 99 if they where defaulted to mls/low where my staff accounts
would be logging in as mls/2(low-high), so I took a look at the code and
noticed the sysctl's for ttys being equal weren't being applied to
/dev/pts/* so modified the code, and also went ahead and applied the same
concept to mac_biba and mac_lomac, even though the server only uses mac_mls
policy.
- (2) Could you let me know how your login.conf + user labels are
configured, and show me the output of "ps -axZ | grep sshd"?
/etc/login.conf label configurations I use
Staff users: label=mls/2(low-high)
Deamons: label=mls/equal(equal-equal)
Insecure users: label=mls/low(low-low)
If you need the exact data from login.conf I can provide it, but is a bit
tricky as I use tc= to call from one class to another class and override, in
which default class is mls/low.
mls/equal(equal-equal) 7341 ?? Is 0:00.10 sshd: Enya [priv] (sshd)
mls/2(low-high) 7770 ?? IN 0:00.05 sshd: Enya@notty (sshd)
mls/equal(equal-equal) 26415 ?? Ss 0:00.05 sshd: lyra [priv] (sshd)
mls/low(low-low) 27006 ?? SN 0:00.01 sshd: lyra@pts/4 (sshd)
mls/equal(equal-equal) 31537 ?? Is 0:00.11 sshd: Enya [priv] (sshd)
mls/equal(equal-equal) 31886 ?? Is 0:00.11 sshd: Enya [priv] (sshd)
mls/2(low-high) 31908 ?? IN 0:00.04 sshd: Enya@pts/0 (sshd)
mls/2(low-high) 32506 ?? SN 0:00.17 sshd: Enya@pts/3 (sshd)
mls/equal(equal-equal) 50202 ?? Ss 0:00.02 /usr/sbin/sshd
mls/equal(equal-equal) 70343 ?? Is 0:00.11 sshd: Enya [priv] (sshd)
mls/2(low-high) 70706 ?? SN 0:00.21 sshd: Enya@pts/1 (sshd)
-We need to rethink how we deal with ttys anyway, and I'd like to understand
-how the specific case you're running into comes about.
The problem I had was only when using mac_mls to where a staff user would
login and be set to mls/2(low-high) then their /dev/pts/* would be set to
mls/low which would prevent writing to the device which would introduce sshd
errors as:
> Feb 25 21:42:16 labyrinth sshd[30965]: error: /dev/pts/5: Permission
denied
> Feb 25 21:42:16 labyrinth sshd[30965]: error: open /dev/tty failed - could
> not set controlling tty: Permission denied
However, if my insecure users logged in they would be set to
mls/low(low-low) and their device would be set to mls/low and no errors
would present themselves. And users who's class was mls/equal(equal-equal)
had no errors as they are exempted from the policy.
+-[root@labyrinth.mystagic.net]-[06:27:11]--[0]---
+[/usr/src/sys]-> lo /dev/pts
total 1
dr-xr-xr-x 2 root wheel - mls/low 512 Feb 25 22:42 ./
dr-xr-xr-x 5 root wheel - mls/low 512 Feb 25 14:39 ../
crw--w---- 1 Enya tty - mls/equal 0, 86 Mar 2 06:10 0
crw--w---- 1 Enya tty - mls/equal 0, 87 Mar 2 06:35 1
crw-rw-rw- 1 root wheel - mls/equal 0, 76 Feb 26 00:15 2
crw--w---- 1 Enya tty - mls/equal 0, 88 Mar 2 05:11 3
crw--w---- 1 lyra tty - mls/equal 0, 85 Mar 2 06:21 4
crw-rw-rw- 1 root wheel - mls/equal 0, 81 Mar 1 06:01 7
The device path with the mac_mls patched and security.mac.mls.ptys_equal=1,
if it's not set to 1, then the devices are set to mls/low.
If you need any further information just let me know, be more then happy to
help.
-Selphie (Estella Mystagic)
-----Original Message-----
From: owner-freebsd-hackers@freebsd.org
[mailto:owner-freebsd-hackers@freebsd.org] On Behalf Of Robert Watson
Sent: Tuesday, March 02, 2010 3:32 AM
To: Estella Mystagic
Cc: freebsd-hackers@freebsd.org
Subject: Re: mac_mls mac_biba mac_lomac patches to fix ptys_equal mib
support for new /dev/pts in FreeBSD 8
On Mon, 1 Mar 2010, Estella Mystagic wrote:
> Found issues with sysctl mibs security.mac.biba.ptys_equal,
> security.mac.lomac.ptys_equal, security.mac.mls.ptys_equal, not supporting
> new /dev/pts terminal system in FreeBSD 8, proposed fix for issue.
>
> When using a higher security grade/clearance with mac_mls it prevents
> writing to the /dev/pts/5 as its set as mls/low and subjects may not write
> to objects with a lower classification level than its own clearance level.
>
> Feb 25 21:42:16 labyrinth sshd[30965]: error: /dev/pts/5: Permission
denied
>
> Feb 25 21:42:16 labyrinth sshd[30965]: error: open /dev/tty failed - could
> not set controlling tty: Permission denied
Hi Selphie:
Thanks for this patch. I'll go ahead and merge it, but had two questions:
(1) It looks like you didn't need to set any special label on /dev/ptmx
itself?
(2) Could you let me know how your login.conf + user labels are configured,
and show me the output of "ps -axZ | grep sshd"?
We need to rethink how we deal with ttys anyway, and I'd like to understand
how the specific case you're running into comes about.
Robert N M Watson
Computer Laboratory
University of Cambridge
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?EAB3F73201B9443D81524724BA9777FD>