
Privilege Elevation



Hi all.
I'm going crazy! :)
I'm using Dug Song's fine systrace shell wrapper (stsh) on OpenBSD 3.3 (GENERIC-i386).
Now it's all OK, but I would like to use ping with privilege elevation.
So I have corrected my ping policy with:

native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_RAW" then permit as root


Policy: /sbin/ping, Emulation: native
        native-__sysctl: permit
        native-break: permit
        native-close: permit
        native-connect: sockaddr eq "inet-[192.168.11.10]:53" then permit
        native-exit: permit
        native-fsread: filename eq "/<non-existent filename>: /etc/malloc.conf" then permit
        native-fsread: filename eq "/dev/arandom" then permit
        native-fsread: filename eq "/etc/hosts" then permit
        native-fsread: filename eq "/etc/resolv.conf" then permit
        native-fstat: permit
        native-getpid: permit
        native-getsockopt: permit
        native-gettimeofday: permit
        native-getuid: permit
        native-ioctl: permit
        native-issetugid: permit
        native-mmap: permit
        native-mprotect: permit
        native-read: permit
        native-recvfrom: permit
        native-select: permit
        native-sendto: true then permit
        native-seteuid: uid eq "0" and uname eq "root" then permit
        native-setitimer: permit
        native-setsockopt: permit
        native-setuid: uid eq "0" and uname eq "root" then permit
        native-sigaction: permit
        native-sigprocmask: permit
        native-sigreturn: permit
        native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_DGRAM" then permit
        native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_RAW" then permit as root
        #native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_RAW" then permit
        native-write: permit

After that I changed the permissions on /bin/stsh with chmod 4755 /bin/stsh:
# ls -la /bin/stsh
-rwsr-xr-x  1 root  wheel  48450 Jul 15 12:55 /bin/stsh

Trying to use ping as the "martina" user (martina uses stsh as shell):

# ping www.cisco.com
Privilege elevation not allowed.
/etc/systrace/sbin_ping:32: syntax error.

In the logs:

Jul 15 14:41:47 meg systrace: deny user: martina, prog: /sbin/ping, pid: 6233(1)[29690], policy: /sbin/ping, filters: 30, syscall: native-socket(97), sockdom: AF_INET, socktype: SOCK_RAW
Jul 15 14:41:47 meg systrace: deny user: martina, prog: /sbin/ping, pid: 6233(1)[29690], policy: /sbin/ping, filters: 30, syscall: native-write(4), args: 12
Jul 15 14:41:47 meg systrace: deny user: martina, prog: /sbin/ping, pid: 6233(1)[29690], policy: /sbin/ping, filters: 30, syscall: native-fsread(5), filename: /usr/share/nls/C/libc.cat
Jul 15 14:41:47 meg systrace: deny user: martina, prog: /sbin/ping, pid: 6233(1)[29690], policy: /sbin/ping, filters: 30, syscall: native-fsread(5), filename: /<non-existent filename>: /usr/share/nls/libc/C
Jul 15 14:41:47 meg systrace: deny user: martina, prog: /sbin/ping, pid: 6233(1)[29690], policy: /sbin/ping, filters: 30, syscall: native-munmap(73), args: 8


Where are my errors?! Beer? ;)

TIA very, very much!

     goony

-- 
goony <goony_(_at_)_OpenBEER_(_dot_)_it>
[Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html]
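As an added example (not code from the original post, and not part of systrace or stsh), here is a small Python cross-check between a policy file and the syslog deny lines: it takes a constructed subset of the rules and log lines quoted above and reports, for each denied call, whether the policy has no rule for that syscall, has a rule that relies on privilege elevation, or has rules whose predicates did not match the logged arguments. The rule grammar it parses (optional predicate, `then`, action, optional `as user`) is assumed from the lines shown in the post.

```python
import re
# Constructed sample: a subset of the policy and of the deny log lines quoted in the post.
POLICY = """\
Policy: /sbin/ping, Emulation: native
        native-fsread: filename eq "/etc/resolv.conf" then permit
        native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_DGRAM" then permit
        native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_RAW" then permit as root
        native-write: permit
"""
LOG = """\
Jul 15 14:41:47 meg systrace: deny user: martina, prog: /sbin/ping, pid: 6233(1)[29690], policy: /sbin/ping, filters: 30, syscall: native-socket(97), sockdom: AF_INET, socktype: SOCK_RAW
Jul 15 14:41:47 meg systrace: deny user: martina, prog: /sbin/ping, pid: 6233(1)[29690], policy: /sbin/ping, filters: 30, syscall: native-write(4), args: 12
Jul 15 14:41:47 meg systrace: deny user: martina, prog: /sbin/ping, pid: 6233(1)[29690], policy: /sbin/ping, filters: 30, syscall: native-fsread(5), filename: /usr/share/nls/C/libc.cat
Jul 15 14:41:47 meg systrace: deny user: martina, prog: /sbin/ping, pid: 6233(1)[29690], policy: /sbin/ping, filters: 30, syscall: native-munmap(73), args: 8
"""
# Assumed rule syntax: "<emulation>-<syscall>: [<predicate> then] <action>[ as <user>]"
RULE_RE = re.compile(r'^(?P<sc>\w+-\w+):\s*(?:(?P<pred>.+?)\s+then\s+)?(?P<action>permit|deny|ask)(?:\[\w+\])?(?:\s+as\s+(?P<as>\S+))?$')
# Syslog deny line: whatever follows "syscall: name(nr)" is the argument summary.
LOG_RE = re.compile(r'systrace: deny user: (?P<user>\S+), prog: (?P<prog>\S+), .*syscall: (?P<sc>[\w-]+)\(\d+\)(?:, (?P<args>.*))?$')

def parse_policy(text):  # syscall name -> [(predicate, action, elevate_to), ...]
    rules = {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] == '#' or line.startswith('Policy:'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError('unparsable rule: ' + line)
        rules.setdefault(m['sc'], []).append((m['pred'], m['action'], m['as']))
    return rules

def parse_log(text):  # [(user, prog, syscall, args), ...] for every deny line
    hits = (LOG_RE.search(l) for l in text.splitlines())
    return [(m['user'], m['prog'], m['sc'], m['args'] or '') for m in hits if m]

def audit(policy_text, log_text):  # what the policy file holds for each denied call
    rules, report = parse_policy(policy_text), []
    for user, prog, sc, args in parse_log(log_text):
        rs = rules.get(sc, [])
        if not rs:
            status = 'no rule for this syscall'
        elif any(elev for _, _, elev in rs):
            status = 'a rule uses privilege elevation (permit as %s)' % [e for _, _, e in rs if e][0]
        elif any(p in (None, 'true') and a == 'permit' for p, a, _ in rs):
            status = 'unconditional permit; denial not explained by these rules'
        else:
            status = 'rules exist but no predicate matched these arguments'
        report.append((user, prog, sc, args, status))
    return report
```

Running `audit(POLICY, LOG)` on the sample shows the four denials falling into four different classes, which is the first thing to know before touching the policy file.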
