Systrace and stsh
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Systrace and stsh
- From: Kim Onnel <karim_(_dot_)_adel_(_at_)_gmail_(_dot_)_com>
- Date: Wed, 23 Feb 2005 12:51:06 +0200
- Reply-to: Kim Onnel <karim_(_dot_)_adel_(_at_)_gmail_(_dot_)_com>
I am having a problem installing and using stsh and systrace.
First I extracted the policies-12092004.tar.gz into /etc/systrace. Is
there any other configuration I need to do in order for all system users
to be running all their tools systraced? How do I check if an app
run by a user is systraced?
Then, stsh: the README file isn't very clear,
>cat README
>from the forthcoming addison wesley book on openbsd. written by jose nazario
>in a brief evening as a demo to someone, refined and tested. improved upon
>by many (see below).
>use
>---
>1. build and install stsh as /bin/stsh
And so I did:
# gcc stsh.c -o stsh
# cp stsh /bin/stsh
>2. for every user you want to have under stsh (a systraced env), make
> sure they are in the systrace class. man passwd(5) for how
> to add them to this class. the class should look like this
> in login.conf(5):
> systrace:\
> :shell=/bin/stsh:\
> :tc=default:
I want all users in the future to have stsh, so I will add these to
the default:
cat /etc/login.conf
default:\
:path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin:\
:umask=022:\
:datasize-max=256M:\
:datasize-cur=75M:\
:maxproc-max=128:\
:maxproc-cur=64:\
:openfiles-cur=64:\
:stacksize-cur=4M:\
:localcipher=blowfish,6:\
:ypcipher=old:\
:tc=auth-defaults:\
:tc=auth-ftp-defaults:
#Stsh-added lines
:shell=/bin/stsh:\
:tc=default:
and add it to /etc/shells
# cat /etc/shells | grep stsh
/bin/stsh
and now:
# adduser
Use option ``-silent'' if you don't want to see all warnings and questions.
Reading /etc/shells
Reading /etc/login.conf
Check /etc/master.passwd
Check /etc/group
Ok, let's go.
Don't worry about mistakes. I will give you the chance later to
correct any input.
Enter username []: test
Enter full name []: test
Enter shell csh ksh nologin sh stsh [sh]: stsh
Uid [1001]:
Login group test [test]:
Login group is ``test''. Invite test into other groups: guest no
[no]:
Login class auth-defaults auth-ftp-defaults daemon default staff
[default]:
Enter password []:
Enter password again []:
Name: test
Password: ****
Fullname: test
Uid: 1001
Gid: 1001 (test)
Groups: test
Login Class: default
HOME: /home/test
Shell: /bin/stsh
OK? (y/n) [y]: y
Added user ``test''
Copy files from /etc/skel to /home/test
Add another user? (y/n) [y]: n
Goodbye!
But:
# su test
systrace: getcwd: Permission denied
# May 9 12:47:08 bastion2 sshd[4563]: Accepted password for test from
10.2.0.158 port 14666 ssh2
May 9 12:47:08 bastion2 sshd[11789]: Accepted password for test from
10.2.0.158 port 14666 ssh2
May 9 12:47:09 bastion2 systrace: deny user: test, prog: /bin/stsh,
pid: 971(0)[0], policy: /bin/stsh, filters: 0, syscall:
native-issetugid(253), args: 0
May 9 12:47:09 bastion2 systrace: deny user: test, prog: /bin/stsh,
pid: 971(0)[0], policy: /bin/stsh, filters: 0, syscall:
native-mprotect(74), args: 12
May 9 12:47:09 bastion2 systrace: deny user: test, prog: /bin/stsh,
pid: 971(0)[0], policy: /bin/stsh, filters: 0, syscall:
native-mmap(197), args: 32
May 9 12:47:09 bastion2 systrace: deny user: test, prog: /bin/stsh,
pid: 971(0)[0], policy: /bin/stsh, filters: 0, syscall:
native-write(4), args: 12
May 9 12:47:09 bastion2 systrace: deny user: test, prog: /bin/stsh,
pid: 971(0)[0], policy: /bin/stsh, filters: 0, syscall:
native-exit(1), args: 4
Where did I go wrong?
Regards
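
Added example, not part of the original post: a Python script that rejoins systrace deny entries wrapped across lines, as in the log above, and counts denials per user, policy and syscall. The sample log is constructed in the shape of the post's entries; reading a logged "filters: 0" as a policy with no rules loaded is an assumption.

```python
import re
from collections import Counter

# Constructed sample shaped like the post's log, wrapped mid-entry as in the mail.
SAMPLE = """\
May 9 12:47:08 bastion2 sshd[4563]: Accepted password for test from
10.2.0.158 port 14666 ssh2
May 9 12:47:09 bastion2 systrace: deny user: test, prog: /bin/stsh,
pid: 971(0)[0], policy: /bin/stsh, filters: 0, syscall:
native-issetugid(253), args: 0
May 9 12:47:09 bastion2 systrace: deny user: test, prog: /bin/stsh,
pid: 971(0)[0], policy: /bin/stsh, filters: 0, syscall:
native-write(4), args: 12
May 9 12:47:09 bastion2 systrace: deny user: test, prog: /bin/stsh,
pid: 971(0)[0], policy: /bin/stsh, filters: 0, syscall:
native-write(4), args: 12
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
DENY = re.compile(
    r"systrace: deny user: (?P<user>[^,]+), prog: (?P<prog>[^,]+), "
    r"pid: (?P<pid>\d+)\S*, policy: (?P<policy>[^,]+), "
    r"filters: (?P<filters>\d+), syscall: (?P<syscall>\S+)\(\d+\), args: \d+")

def unwrap(text):
    """Rejoin wrapped entries: a line with no syslog timestamp continues the last one."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def summarize(text):
    """Count denials per (user, policy, syscall); list policies logged with filters: 0."""
    counts, unfiltered = Counter(), set()
    for entry in unwrap(text):
        m = DENY.search(entry)
        if m is None:
            continue  # not a systrace deny entry (e.g. the sshd line)
        counts[(m["user"], m["policy"], m["syscall"])] += 1
        if int(m["filters"]) == 0:  # assumption: 0 filters = no rules loaded
            unfiltered.add(m["policy"])
    return counts, sorted(unfiltered)

if __name__ == "__main__":
    counts, unfiltered = summarize(SAMPLE)
    print(counts.most_common(), "filters: 0 ->", unfiltered)
```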