Hi all, this bug report wishes to provide safe defaults, apply the least privilege principle, and introduce privilege separation to sysklogd.

In Gentoo, sysklog can be run without root privileges, and partially chrooted (klogd only). This happens because the Gentoo ebuild for sysklog includes the following patches:

/usr/portage/app-admin/sysklogd/files/sysklogd-1.4.1-caen-owl-klogd-drop-root.diff
/usr/portage/app-admin/sysklogd/files/sysklogd-1.4.1-caen-owl-syslogd-bind.diff
/usr/portage/app-admin/sysklogd/files/sysklogd-1.4.1-caen-owl-syslogd-drop-root.diff

For that to happen, we must run:
- klogd with user "klog", and chroot it in /var/empty (for instance..)
- syslogd with user "syslog"

To do that, we must:
- create the respective users.
- change all files to which syslogd writes by default (log files) to be writable by syslog. I did this by changing the ownership of these files to the "syslog" user.

Also, in /etc/conf.d/sysklogd we must add the following arguments to each daemon:
klogd: -u klogd -j /var/empty
syslogd: -u syslog

Therefore, I propose that the install process for sysklogd create two users, klog and syslog, and set the ownership of sysklog's default logfiles (`grep -v ^# /etc/syslog.conf` will show them) to the syslog user. If not by default for the Gentoo vanilla distribution, at least in the presence of the USE flag "hardened".

Thank you very much, best regards.
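The log-file hand-over the report describes, as an added example that is not the reporter's or the ebuild's code: a POSIX shell script that pulls the log files out of a syslog.conf (the `grep -v ^#` idea, but also skipping remote, pipe, terminal and user targets, which must not be chowned) and gives them to the unprivileged syslog user. The user name "syslog", the sample config and the temp path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or the Gentoo ebuild: find the
# log files a syslog.conf makes syslogd write to, so their ownership can be
# handed to the unprivileged user before syslogd runs with "-u syslog".
# The sample config, the temp path and the user name are constructed.

# Print the action targets of a syslog.conf that are plain log files.
# An action is the last whitespace-separated field of a non-comment line:
#   /path          regular log file (a leading "-" just means "no fsync")
#   |/path         named pipe         @host   forward over the network
#   /dev/ttyN      a terminal         user,*  write to logged-in users
# Only the first kind must be writable by the syslog user.
syslog_conf_logfiles() {
    awk '
        $1 ~ /^#/ || NF < 2 { next }           # comment or blank line
        {
            action = $NF
            sub(/^-/, "", action)              # strip the "no sync" marker
            if (action ~ /^\/dev\//) next      # terminal, not a log file
            if (action ~ /^\//) print action   # absolute path: a log file
        }' "$1" | LC_ALL=C sort -u
}

# Give those files to the syslog user (run as root; creates missing files).
chown_syslog_logfiles() {
    syslog_conf_logfiles "$1" | while IFS= read -r f; do
        [ -e "$f" ] || touch "$f"
        chown "$2" "$f" && chmod 0640 "$f"
    done
}

# Constructed sample config covering every action type.
write_sample_conf() {
    cat > "$1" <<'EOF'
# sample syslog.conf, constructed for this example
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
cron.*                          /var/log/cron.log
kern.*                          -/var/log/kern.log
mail.*                          -/var/log/mail.log
*.emerg                         *
*.=alert                        root,operator
*.*                             @loghost.example
*.info                          |/var/run/logpipe
*.warn                          /dev/console
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
syslog_conf_logfiles "$conf"   # prints the five /var/log files
rm -f "$conf"
```

To apply the ownership change on a real box, run `chown_syslog_logfiles /etc/syslog.conf syslog` as root; the listing function alone needs no privileges.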
Created attachment 99393 [details, diff] make drop-root/chroot of klogd work even on linux-hardened with capabilities enabled. (removed email to protect from email harvesting for spam)
Created attachment 99394 [details, diff] makefile patch to make klogd.c compile (must link with -lcap)
Created attachment 99395 [details] file to be installed in /etc/conf.d/sysklogd for hardened/chroot users.
Created attachment 99396 [details, diff] patch to ebuild.
Hi, I've worked the necessary patches to make sysklogd work as I proposed in the bug report. The first 2 patches are needed for the drop_root + chroot() to work correctly on my hardened Gentoo x86. The patched ebuild was not tested because I don't know how to deal with the checksumming/digest verification, but it's my first stab at it, and it reflects the proposed alteration request. Best regards,
Comment on attachment 99393 [details, diff] make drop-root/chroot of klogd work even on linux-hardened with capabilities enabled. (removed email to protect from email harvesting for spam) >--- sysklogd-1.4.1/klogd.c.orig 2006-10-12 01:29:49.000000000 +0100 >+++ sysklogd-1.4.1/klogd.c 2006-10-12 01:32:58.000000000 +0100 >@@ -246,6 +246,9 @@ > * Thu Apr 29 15:24:07 2004: Solar Designer <solar@openwall.com> > * Prevent potential buffer overflow in reading messages from the > * kernel log rinbuffer. >+ * >+ * Thu Oct 12 00:12:02 2006: Miguel Filipe >+ * fix drop_root() to work correctly with capabilities > */ > > >@@ -263,6 +266,8 @@ > #include <stdlib.h> > #include <pwd.h> > #include <grp.h> >+#include <sys/prctl.h> >+#include <sys/capability.h> > #include "klogd.h" > #include "ksyms.h" > #ifndef TESTING >@@ -989,6 +994,9 @@ > static int drop_root(void) > { > struct passwd *pw; >+ cap_t cap; >+ cap_value_t cap_value[2] = { CAP_SYS_ADMIN, CAP_SYS_CHROOT }; >+ int result; > > if (!(pw = getpwnam(server_user))) return -1; > >@@ -999,10 +1007,36 @@ > if (chdir("/")) return -1; > } > >+ /* set keep capabilities */ >+ if( prctl( PR_SET_KEEPCAPS, 1, 0, 0, 0 ) ) >+ return -1; >+ >+ /* test whether cap_set_proc works */ >+ cap = cap_get_proc(); >+ if( cap ) { >+ result = cap_set_proc( cap ); >+ cap_free( cap ); >+ if( result ) >+ return -1; >+ } else >+ return -1; >+ >+ > if (setgroups(0, NULL)) return -1; > if (setgid(pw->pw_gid)) return -1; > if (setuid(pw->pw_uid)) return -1; > >+ /* set necessary capabilities */ >+ cap = cap_init(); >+ if( cap_set_flag( cap, CAP_PERMITTED, 2, cap_value, CAP_SET ) || >+ cap_set_flag( cap, CAP_EFFECTIVE, 2, cap_value, CAP_SET ) ) >+ return -1; >+ >+ if( cap_set_proc( cap ) ) >+ return -1; >+ if( cap_free( cap ) ) >+ return -1; >+ > return 0; > } >
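Review bot: in the drop_root() declarations hunk, `cap_value_t cap_value[2] = { CAP_SYS_ADMIN, CAP_SYS_CHROOT };` keeps CAP_SYS_CHROOT after the chroot and `chdir("/")` visible in the following context have already been done, and a process that can still call chroot() is not confined by the jail that `-j /var/empty` sets up; unless something after drop_root() still has to chroot, drop it from the array (and use 1 instead of 2 in the later cap_set_flag() calls). CAP_SYS_ADMIN is a very broad capability to retain in an unprivileged daemon; if it is kept only so klogd can keep reading the kernel log, a comment saying so would document why it survives the privilege drop.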
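Review bot: in the hunk after setuid(), `cap = cap_init();` is never checked for NULL before `cap_set_flag( cap, CAP_PERMITTED, 2, cap_value, CAP_SET )`, unlike the earlier `cap = cap_get_proc();` probe, so an allocation failure dereferences NULL instead of returning -1; add `if( !cap ) return -1;` right after cap_init(). On the error returns after cap_set_flag() and cap_set_proc() the set is also leaked (no cap_free() before `return -1`), and the two stray blank lines before `if (setgroups(0, NULL)) return -1;` are a style nit.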
I really don't like these ... please send them upstream and see if they'll take them.
Mmm, looks like this is an ebuild-specific thing ... still, I don't like it.