On Sun, Nov 2, 2008 at 11:08 PM, Robert Connolly <[EMAIL PROTECTED]> wrote:
> When trying to load gradm on boot, as early as possible, I'm running into
> problems.
>
> The mountfs boot script doesn't mount / read-write until after kernfs, udev,
> swap, and checkfs. Gradm learning can't save its log until filesystems are
> mounted writable, and gradm doesn't work without /dev/grsec.
>
> So I think /dev/grsec should become an essential device, created before udev
> is loaded, so gradm can be enabled as soon as possible. I
> think /etc/rc.d/init.d/grsec should be the first boot script, and if
> necessary mount a writable tmpfs for the learning log, maybe under /root.
>
> In particular I want ACL rules for /sbin/agetty and /bin/login.
>
> It looks like /bin/login is what needs capabilities. I'm thinking to
> make /bin/login executable only by the 'login' group, which agetty and sshd
> users are a part of, and give /bin/login CAP_CHOWN, CAP_FOWNER, CAP_FSETID,
> CAP_SETGID, and CAP_SETUID, so agetty and sshd users can drop root, except
> that normal users also use /bin/login. Filesystem POSIX capabilities markings
> do not distinguish, yet, between owner, group, and other permissions.
>
> Perhaps /bin/login needs to be copied to /bin/login.caps, to deal with suid
> logins. We have exactly the same problem with /bin/dd feeding
> klogd... /bin/dd has sys_cap_admin capabilities.
>
> Gradm ACLs can enforce these rules, but I also want userland (libcap and file
> system permissions) to only give permissions as needed, so that gradm ACLs
> shouldn't need enforcement, and so logs of ACL violations are kept to a
> minimum.
>
> Libcap gives the program the guns, and gradm ACLs strip search the program
> to check that they only have the guns they are authorized to have. We need
> both... one cannot be depended on to replace the other.
>
> I'm curious if there is advice for me on how to generalize the issue
> with /bin/login and /bin/dd (for klogd), and loading gradm very early during
> boot.
>
> robert
>

You could create and use an initrd to perform some pre-init functionality as needed.

--
Kevin Day
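
An added example, not part of either message: a userland audit of the "only give permissions as needed" goal from the quoted post, comparing `getcap`-style output against a per-binary allowlist. The policy format, the function name `audit_caps`, the sample lines and the path `/usr/bin/example` are constructed for illustration; the `/bin/dd` entry assumes the capability meant is CAP_SYS_ADMIN.

```shell
#!/bin/sh
# Allowlist (constructed format): "<path> <comma-separated allowed caps>".
# /bin/login carries the five capabilities named in the quoted post.
POLICY='/bin/login cap_chown,cap_fowner,cap_fsetid,cap_setgid,cap_setuid
/bin/dd cap_sys_admin'

# Constructed sample of getcap output. Older libcap prints
# "path = caps+ep", newer libcap prints "path caps=ep"; both are handled.
SAMPLE='/bin/login = cap_chown,cap_fowner,cap_fsetid,cap_setgid,cap_setuid,cap_sys_admin+ep
/bin/dd cap_sys_admin=ep
/usr/bin/example cap_net_raw=ep'

# audit_caps POLICY GETCAP_OUTPUT
# Prints "EXCESS <path> <cap>" for a capability outside the allowlist and
# "UNLISTED <path>" for a capability-bearing file with no policy entry.
# Assumes paths without spaces and a single capability clause per file.
audit_caps() {
    printf '%s\n' "$2" | while read -r path rest; do
        [ -n "$path" ] || continue
        rest=${rest#= }         # drop the "= " separator of the older format
        caps=${rest%%[+=]*}     # strip the flag suffix (+ep or =ep)
        allowed=$(printf '%s\n' "$1" | awk -v p="$path" '$1 == p { print $2 }')
        if [ -z "$allowed" ]; then
            echo "UNLISTED $path"
            continue
        fi
        for cap in $(printf '%s' "$caps" | tr ',' ' '); do
            case ",$allowed," in
                *",$cap,"*) ;;                      # permitted by policy
                *) echo "EXCESS $path $cap" ;;      # more than authorized
            esac
        done
    done
}

# Run against the constructed sample; on a live system the second
# argument would be the output of: getcap -r / 2>/dev/null
audit_caps "$POLICY" "$SAMPLE"
```

Empty output means every capability-bearing file matches its policy entry, which is the state in which the gradm ACLs would have nothing to log.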