MAC_PORTACL Not Allowing Non-Super User Access to Port
Hello,

Full documentation here: http://blog.cykyc.org/2009/05/macportacl-and-no-love.html

Gist of it is that I enabled MAC_PORTACL and MAC, rebuilt the kernel and installed it for testing. I was not able to get a non-super user to open up a privileged port, though. What am I doing wrong?

    [2136] ~ sysctl -a security.mac
    security.mac.max_slots: 4
    security.mac.version: 3
    security.mac.mmap_revocation_via_cow: 0
    security.mac.mmap_revocation: 1
    security.mac.portacl.rules:
    security.mac.portacl.port_high: 1023
    security.mac.portacl.autoport_exempt: 1
    security.mac.portacl.suser_exempt: 1
    security.mac.portacl.enabled: 1
    [2136] ~ id
    uid=1001(foo) gid=0(wheel) groups=0(wheel)
    [2136] ~ sudo sysctl security.mac.portacl.rules=uid:1001:tcp:80
    Password:
    security.mac.portacl.rules:  -> uid:1001:tcp:80
    [2136] ~ nc -l 80
    nc: Permission denied

TIA,
Jon

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: MAC_PORTACL Not Allowing Non-Super User Access to Port
Nevermind, forgot to set the following:

    net.inet.ip.portrange.reservedlow: 0
    net.inet.ip.portrange.reservedhigh: 0

With these set, portacl is working as expected.

On Thu, May 28, 2009 at 11:55 AM, Jon Passki jon.pas...@hursk.com wrote:
> Hello,
>
> Full documentation here: http://blog.cykyc.org/2009/05/macportacl-and-no-love.html
>
> Gist of it is that I enabled MAC_PORTACL and MAC, rebuilt the kernel and installed it for testing. I was not able to get a non-super user to open up a privileged port, though. What am I doing wrong?
>
>     [2136] ~ sysctl -a security.mac
>     security.mac.max_slots: 4
>     security.mac.version: 3
>     security.mac.mmap_revocation_via_cow: 0
>     security.mac.mmap_revocation: 1
>     security.mac.portacl.rules:
>     security.mac.portacl.port_high: 1023
>     security.mac.portacl.autoport_exempt: 1
>     security.mac.portacl.suser_exempt: 1
>     security.mac.portacl.enabled: 1
>     [2136] ~ id
>     uid=1001(foo) gid=0(wheel) groups=0(wheel)
>     [2136] ~ sudo sysctl security.mac.portacl.rules=uid:1001:tcp:80
>     Password:
>     security.mac.portacl.rules:  -> uid:1001:tcp:80
>     [2136] ~ nc -l 80
>     nc: Permission denied
>
> TIA,
> Jon

--
Cheers,
Jon Passki, Partner
The Hursk Group, LLC
Obvia conspicimus, nubem pellente Mathesi.
e: jon.pas...@hursk.com
ph: 651/222.3020
cal: http://www.google.com/calendar/hosted/hursk.com/embed?src=jon.passki%40hursk.com
pgp: 1BB0 A946 927B 93C3 ED6A 0466 6692 6C2C 84BE 4122
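The fix Jon found is easier to see as a decision sequence. The following is an added example, not part of the list thread and not kernel code: a POSIX sh model of the two checks a non-root bind() to a low port has to pass on FreeBSD once mac_portacl(4) is loaded. First comes the generic reserved-port check, governed by net.inet.ip.portrange.reservedlow and reservedhigh (default 0 to 1023); it runs before any MAC hook, so a portacl rule alone cannot get past it, which is the "nc: Permission denied" above. Second comes the rule match on security.mac.portacl.rules for ports up to security.mac.portacl.port_high. The rule string, uid and port are the ones from the thread; the function names and the way the checks are ordered are my own modelling, with the sysctl values taken from the output Jon posted.

```shell
#!/bin/sh
# Added example, not from the thread: models the bind() decision for a
# non-root process on FreeBSD with mac_portacl loaded. Nothing here reads
# or writes real sysctls; all values are passed in or set below.

RULES="uid:1001:tcp:80"   # security.mac.portacl.rules (from the thread)
PORT_HIGH=1023            # security.mac.portacl.port_high
SUSER_EXEMPT=1            # security.mac.portacl.suser_exempt

# portacl_rule_match RULES UID GID PROTO PORT
# Returns 0 if one comma-separated rule (idtype:id:protocol:port) grants it.
portacl_rule_match() {
    rules=$1; uid=$2; gid=$3; proto=$4; port=$5
    old_ifs=$IFS; IFS=,
    set -- $rules             # split on commas, one rule per argument
    IFS=$old_ifs
    for rule in "$@"; do
        r_type=${rule%%:*};  rest=${rule#*:}
        r_id=${rest%%:*};    rest=${rest#*:}
        r_proto=${rest%%:*}; r_port=${rest#*:}
        [ "$r_proto" = "$proto" ] && [ "$r_port" = "$port" ] || continue
        case $r_type in
            uid) [ "$r_id" = "$uid" ] && return 0 ;;
            gid) [ "$r_id" = "$gid" ] && return 0 ;;
        esac
    done
    return 1
}

# bind_allowed UID GID PROTO PORT RESERVEDLOW RESERVEDHIGH RULES
# Returns 0 if bind() would succeed, 1 if it would fail with EACCES.
bind_allowed() {
    uid=$1; gid=$2; proto=$3; port=$4; lo=$5; hi=$6; rules=$7
    if [ "$uid" -eq 0 ]; then
        # root always passes the reserved-port check; with suser_exempt=1
        # it skips the portacl rules as well
        [ "$SUSER_EXEMPT" -eq 1 ] && return 0
    else
        # check 1: generic reserved range, evaluated before any MAC policy
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            return 1
        fi
    fi
    # check 2: portacl only governs ports up to port_high
    if [ "$port" -le "$PORT_HIGH" ]; then
        portacl_rule_match "$rules" "$uid" "$gid" "$proto" "$port" || return 1
    fi
    return 0
}

# Reproduce the thread: same rule, reserved range at default vs. cleared.
if bind_allowed 1001 0 tcp 80 0 1023 "$RULES"; then
    echo "reservedhigh=1023: uid 1001 may bind tcp/80"
else
    echo "reservedhigh=1023: Permission denied (rule never consulted)"
fi
if bind_allowed 1001 0 tcp 80 0 0 "$RULES"; then
    echo "reservedlow=reservedhigh=0: uid 1001 may bind tcp/80"
else
    echo "reservedlow=reservedhigh=0: Permission denied"
fi
```

The practical point the model makes: clearing the reserved range hands all low-port policy to portacl, so the rules list becomes the only thing standing between an unprivileged uid and ports like 22 or 25. Keep it tight (one uid or gid per port, the protocol named) and remember that ports above port_high need no rule at all.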
Creating a Super user Account
Hello,

I work for United Automobile Insurance Group. We recently had our only employee with a super user account leave the company. No one here knows this employee's id or password to update information. Can you please advise how we can create new accounts and give someone a super user account without this information?

Thank you in advance,
Alena
(305) 940-7299 ext. 2422

This email is confidential and it is intended solely for the use of the individual or entity to which it is addressed. If you are not the named addressee, you should not disseminate, distribute or copy this email. If you have received this email in error, please notify the sender by a Reply. If this email is addressed to or sent by an attorney, this email is either an attorney-client privileged communication or a work-product privileged communication, or both. The United Automobile Insurance Company as well as the sender and intended recipient of this email expressly reserve any and all rights to assert the aforesaid privileges, and do not waive any such rights thereto by virtue of an erroneous email transmission. This statement shall not hereafter be construed as limiting the assertion of any additional and further legal rights that the parties may have to limit or prohibit any further dissemination, distribution, copying or use of this email.
Re: Creating a Super user Account
alena eckert wrote:
> Hello, I work for United Automobile Insurance Group. We recently had our only employee with a super user account leave the company. No one here knows this employee's id or password to update information. Can you please advise how we can create new accounts and give someone a super user account without this information?

Can you just ask the employee his password?

There are ways to do this, but not without at least a little bit of FreeBSD/UNIX experience. How comfortable are you with working in the BSD environment with boot CDs, etc?

Eric
Re: Creating a Super user Account
On Tue, Oct 10, 2006 at 01:57:54PM -0400, alena eckert wrote:
> Hello, I work for United Automobile Insurance Group. We recently had our only employee with a super user account leave the company. No one here knows this employee's id or password to update information. Can you please advise how we can create new accounts and give someone a super user account without this information?

Have a look at the Handbook:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/admin.html#FORGOT-ROOT-PW

--
Jonathan Chen [EMAIL PROTECTED]
--
Lots of folks confuse bad management with destiny
- Kin Hubbard
Re: Creating a Super user Account
alena eckert [EMAIL PROTECTED] writes:
> I work for United Automobile Insurance Group. We recently had our only employee with a super user account leave the company. No one here knows this employee's id or password to update information. Can you please advise how we can create new accounts and give someone a super user account without this information?

This is a Frequently Asked Question:

I have forgotten the root password! What do I do?
http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/admin.html#FORGOT-ROOT-PW

> This email is confidential and it is intended solely for the use of the individual or entity to which it is addressed. If you are not the named addressee, you should not disseminate, distribute or copy this email. If you have received this email in error, please notify the sender by a Reply.

That entity is a public e-mail list, and as such, the whole message will be archived permanently on hundreds of web sites...
Re: Creating a Super user Account
On Tue, Oct 10, 2006 at 01:57:54PM -0400, alena eckert wrote:
> Hello, I work for United Automobile Insurance Group. We recently had our only employee with a super user account leave the company. No one here knows this employee's id or password to update information. Can you please advise how we can create new accounts and give someone a super user account without this information?

Look up information on booting into single user mode. When you do this, you are effectively root at the console with no network services or extra stuff running. Then, you merely need to:

  make sure the filesystems are clean - fsck(8)
  remount root with read/write permission - mount(8)
  mount other filesystems you might need - mount(8)
  might as well turn on swap space - swapon(8)

eg.

    fsck -p
    mount -u /
    mount -a
    swapon -a

At this point you can use vipw(8) to add an account and passwd(1) to set or change passwords. vipw is a special version of the 'vi' editor that handles the passwd file. It takes care of locks, and updating the master passwd file and the password database so you don't have to do anything with them by hand. The editing rules in vipw are the same as in regular vi.

The ideal thing is to copy the line with the root account on it and then dup it. Change the id name field and possibly the home directory if you want to keep them separate. Then once you get out of vipw with an 'ESC : w q' (no spaces, I just put them there to be clear), which causes the changes to be written to the file, you then need to run passwd to set a password on the new account.

    passwd newid

Follow the prompts.

Then, edit the /etc/group file and put your regular non-root id in the wheel group - just add it on the end of the list, if any, with a comma separating it from previous ones.

Then, reboot.

    shutdown -r now

Log in as your regular id - the one you just added to the wheel group. Then su to the new root id to do root work.

    su newid

then give the newid password when it asks.

When you get done with the work, leave the root account by typing exit at a system shell prompt.

This is better and a small amount more secure than setting a password on the regular root account. But, you can just put a password on the root account and su to it - just do the su without an id on the line.

jerry

> Thank you in advance,
> Alena
> (305) 940-7299 ext. 2422
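Jerry's sequence, collected into one script as an added example that is not part of the thread: the single-user-mode steps are wrapped in POSIX sh functions, and the one step that is pure text processing, appending a login to the wheel line of /etc/group, is done by add_to_wheel() with awk so that it is idempotent and can be rehearsed on a copy of the file before it is pointed at the real one. That same wheel-group edit is what su(1) requires of any account that is later to become root. The account names (ROOT_ALIAS for the uid-0 duplicate created in vipw, LOGIN_USER for the everyday login), the --apply flag and the file name recover.sh are placeholders of mine; fsck, mount, swapon, vipw and passwd are only invoked under --apply, so running the file plainly just defines the functions.

```shell
#!/bin/sh
# Added example, not from the thread: root-password recovery on FreeBSD via
# single-user mode, following the sequence in the reply above. ROOT_ALIAS,
# LOGIN_USER and --apply are placeholders chosen for this example. Without
# --apply nothing on the live system is touched.

ROOT_ALIAS=${ROOT_ALIAS:-newroot}   # uid-0 copy of the root line, made in vipw
LOGIN_USER=${LOGIN_USER:-alena}     # regular account that is added to wheel

# Single-user mode leaves / mounted read-only: check, remount, mount, swap.
bring_up_filesystems() {
    fsck -p
    mount -u /
    mount -a
    swapon -a
}

# Interactive part: duplicate the root line under $ROOT_ALIAS, then give the
# new account a password. vipw handles the lock and rebuilds the databases.
create_root_alias() {
    echo "In vipw: copy the root line, change its name to $ROOT_ALIAS, :wq"
    vipw
    passwd "$ROOT_ALIAS"
}

# add_to_wheel FILE USER
# Append USER to the member list of the wheel line in a group(5)-format FILE,
# comma-separated, leaving every other line untouched and never adding the
# same name twice.
add_to_wheel() {
    file=$1; user=$2
    tmp="$file.$$"
    awk -F: -v u="$user" '
        BEGIN { OFS = ":" }
        $1 == "wheel" {
            n = split($4, m, ",")
            found = 0
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
            if (!found) $4 = ($4 == "") ? u : ($4 "," u)
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# wheel_members FILE: print the wheel member list, for checking the result.
wheel_members() {
    awk -F: '$1 == "wheel" { print $4 }' "$1"
}

if [ "${1:-}" = "--apply" ]; then
    bring_up_filesystems
    create_root_alias
    add_to_wheel /etc/group "$LOGIN_USER"
    echo "Next: shutdown -r now; log in as $LOGIN_USER; su $ROOT_ALIAS"
fi
```

On a system that is already up and where you have root, the group edit is simply `pw groupmod wheel -m alena`; the awk version exists for the single-user console, where pw(8) works too but a reviewable edit of a copy is reassuring. Whichever route is taken, the uid-0 alias left behind is a second root account: disable or remove it once a proper root password is set, since anyone enumerating master.passwd for uid 0 will find it.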
Re: unable to do su from user to become super user
On Monday 10 October 2005 03:21 pm, you wrote:
> Damon Blom wrote:
> > Hi
> >
> > FreeBSD presario.com 7.0-CURRENT FreeBSD 7.0-CURRENT #7: Sun Oct 9 22:44:53 PDT 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/MYKERNEL amd64
> >
> > I cannot go from user to super user.
> >
> > su: error while loading shared libraries: libpam.so.0: cannot open shared object file: No such file or directory
>
> In contrast to what others have just posted, I don't think adding yourself to the wheel group will help much with this.
>
> > system boots fine multiuser and I can login as root no problem. I just can't login as user and become root with su
> >
> > still a newbie.
> >
> > Thanks so much
> > Damon
>
> If that last is true (still a newbie), then why on God's Green Earth are you running 7.0-CURRENT? When you run -CURRENT, you're generally expected to be able to deal with most issues like this yourself, at least in some limited way. Did you read /src/UPDATING, for starters?
>
> Please note: I'm not trying to flame you. But I wonder if you're in over your head. I don't run -CURRENT, myself, but this is the sort of thing that sounds like you did something without meaning to.
>
> Kevin Kinsey

Hi

My error! Error in path:

    set path = (/sbin /bin /usr/sbin /usr/games /usr/local/sbin /usr/local/bin /usr/bin /usr/X11R6/bin $HOME/bin)

I've been with -CURRENT for years at home and have had no real problems. Unix has always been a part of me since I took Ken Thompson's OS class at Berkeley in 1976.

Thanks for the reply.
Damon

Sorry to have wasted your time.
Re: unable to do su from user to become super user
On Monday 10 October 2005 01:01 pm, you wrote:
> On Monday 10 October 2005 11:39 am, Damon Blom wrote:
> > Hi
> >
> > FreeBSD presario.com 7.0-CURRENT FreeBSD 7.0-CURRENT #7: Sun Oct 9 22:44:53 PDT 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/MYKERNEL amd64
> >
> > I cannot go from user to super user.
> >
> > su: error while loading shared libraries: libpam.so.0: cannot open shared object file: No such file or directory
> >
> > In /usr/lib I added pointer from libpam.so.0 to libpam.so.3
> >
> >     *** snip ***
> >     -r--r--r--  1 root  wheel  2841092 Oct 10 07:28 libc.a
> >     lrwxr-xr-x  1 root  wheel       14 Oct 10 07:28 libc.so -> /lib/libc.so.6
> >     -r--r--r--  1 root  wheel  2967924 Oct 10 07:28 libc_p.a
> >     -r--r--r--  1 root  wheel  3342666 Oct 10 07:28 libc_pic.a
> >     -r--r--r--  1 root  wheel   388758 Oct 10 07:28 libc_r.a
> >     lrwxr-xr-x  1 root  wheel       11 Oct 10 07:28 libc_r.so -> libc_r.so.6
> >     -r--r--r--  1 root  wheel   129704 Aug 16 09:45 libc_r.so.5
> >     -r--r--r--  1 root  wheel   130440 Oct 10 07:28 libc_r.so.6
> >     -r--r--r--  1 root  wheel   404936 Oct 10 07:28 libc_r_p.a
> >     *** snip ***
> >     -r--r--r--  1 root  wheel   233062 Oct 10 07:28 libpam.a
> >     lrwxr-xr-x  1 root  wheel       11 Oct 10 07:28 libpam.so -> libpam.so.3
> >     lrwxr-xr-x  1 root  wheel       11 Oct 10 10:50 libpam.so.0 -> libpam.so.3
> >     -r--r--r--  1 root  wheel    35544 Aug 16 09:45 libpam.so.2
> >     -r--r--r--  1 root  wheel    35584 Oct 10 07:28 libpam.so.3
> >     *** snip ***
> >
> > rebuilt system (make buildworld buildkernel installkernel installworld) no help.
> >
> > I had just finished doing portupgrade -a
> > did pkgdb -F
> >
> > I usually just do xdm and use kde as user.
> >
> > system boots fine multiuser and I can login as root no problem. I just can't login as user and become root with su
> >
> > still a newbie.
> >
> > Thanks so much
> > Damon
>
> Did you add the user to /etc/group?
>
>     wheel:*:0:root,username,username
>
> Beech
>
> ---
> Beech Rintoul - System Administrator - [EMAIL PROTECTED]
> /\  ASCII Ribbon Campaign  | NorthWind Communications
> \ / - NO HTML/RTF in e-mail  | 201 East 9th Avenue Ste.310
>  X  - NO Word docs in e-mail | Anchorage, AK 99501
> / \
> ---

Hi

Thanks for reply!

user damon is member of group wheel

    # $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
    #
    root::0:0::0:0:Charlie &:/root:/bin/csh
    toor:*:0:0::0:0:Bourne-again Superuser:/root:
    daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
    operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
    bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
    tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
    kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
    games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
    news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
    man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
    sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
    smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
    mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
    bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
    proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
    _pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
    _dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
    uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
    pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
    www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
    nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
    damon:$1$xmyLTZ71$QbxtyJwlbt2ezcDAV89fF.:1001:0::0:0:Damon Blom:/home/damon:/bin/tcsh
    pop3vscan:*:1002:6::0:0:POP3VScan Daemon:/var/spool/pop3vscan:/nonexistent
    clamav:*:106:106::0:0:Clam Antivirus:/nonexistent:/sbin/nologin
    cvsup:*:1003:1001::0:0:CVSup Daemon:/nonexistent:/nonexistent
    cvsupin:*:1004:1002::0:0:CVSup Client:/home/cvsupin:/nonexistent
    rpm:$1$PxiueKLd$kJ715xa.JLeIDXZeSNe2D/:1005:1005::0:0:rpm:/home/rpm:/bin/csh

m /etc/group

    # $FreeBSD: src/etc/group,v 1.32 2005/06/06 20:19:56 brooks Exp $
    #
    wheel:*:0:root
    daemon:*:1:
    kmem:*:2:
    sys:*:3:
    tty:*:4:
    operator:*:5:root
    mail:*:6:clamav
    clipped ***

this is output from uname -a

    Linux presario.com 2.4.2 FreeBSD 7.0-CURRENT #7: Sun Oct 9 22:44:53 PDT 2005 i686 i686 i386 GNU/Linux

I don't know how Linux got into uname.

I'll just use sudo from user damon.

Thanks
Damon
unable to do su from user to become super user
Hi

FreeBSD presario.com 7.0-CURRENT FreeBSD 7.0-CURRENT #7: Sun Oct 9 22:44:53 PDT 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/MYKERNEL amd64

I cannot go from user to super user.

su: error while loading shared libraries: libpam.so.0: cannot open shared object file: No such file or directory

In /usr/lib I added pointer from libpam.so.0 to libpam.so.3

    *** snip ***
    -r--r--r--  1 root  wheel  2841092 Oct 10 07:28 libc.a
    lrwxr-xr-x  1 root  wheel       14 Oct 10 07:28 libc.so -> /lib/libc.so.6
    -r--r--r--  1 root  wheel  2967924 Oct 10 07:28 libc_p.a
    -r--r--r--  1 root  wheel  3342666 Oct 10 07:28 libc_pic.a
    -r--r--r--  1 root  wheel   388758 Oct 10 07:28 libc_r.a
    lrwxr-xr-x  1 root  wheel       11 Oct 10 07:28 libc_r.so -> libc_r.so.6
    -r--r--r--  1 root  wheel   129704 Aug 16 09:45 libc_r.so.5
    -r--r--r--  1 root  wheel   130440 Oct 10 07:28 libc_r.so.6
    -r--r--r--  1 root  wheel   404936 Oct 10 07:28 libc_r_p.a
    *** snip ***
    -r--r--r--  1 root  wheel   233062 Oct 10 07:28 libpam.a
    lrwxr-xr-x  1 root  wheel       11 Oct 10 07:28 libpam.so -> libpam.so.3
    lrwxr-xr-x  1 root  wheel       11 Oct 10 10:50 libpam.so.0 -> libpam.so.3
    -r--r--r--  1 root  wheel    35544 Aug 16 09:45 libpam.so.2
    -r--r--r--  1 root  wheel    35584 Oct 10 07:28 libpam.so.3
    *** snip ***

rebuilt system (make buildworld buildkernel installkernel installworld) no help.

I had just finished doing portupgrade -a
did pkgdb -F

I usually just do xdm and use kde as user.

system boots fine multiuser and I can login as root no problem. I just can't login as user and become root with su

still a newbie.

Thanks so much
Damon
Re: unable to do su from user to become super user
On Monday 10 October 2005 11:39 am, Damon Blom wrote:
> Hi
>
> FreeBSD presario.com 7.0-CURRENT FreeBSD 7.0-CURRENT #7: Sun Oct 9 22:44:53 PDT 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/MYKERNEL amd64
>
> I cannot go from user to super user.
>
> su: error while loading shared libraries: libpam.so.0: cannot open shared object file: No such file or directory
>
> In /usr/lib I added pointer from libpam.so.0 to libpam.so.3
>
>     *** snip ***
>     -r--r--r--  1 root  wheel  2841092 Oct 10 07:28 libc.a
>     lrwxr-xr-x  1 root  wheel       14 Oct 10 07:28 libc.so -> /lib/libc.so.6
>     -r--r--r--  1 root  wheel  2967924 Oct 10 07:28 libc_p.a
>     -r--r--r--  1 root  wheel  3342666 Oct 10 07:28 libc_pic.a
>     -r--r--r--  1 root  wheel   388758 Oct 10 07:28 libc_r.a
>     lrwxr-xr-x  1 root  wheel       11 Oct 10 07:28 libc_r.so -> libc_r.so.6
>     -r--r--r--  1 root  wheel   129704 Aug 16 09:45 libc_r.so.5
>     -r--r--r--  1 root  wheel   130440 Oct 10 07:28 libc_r.so.6
>     -r--r--r--  1 root  wheel   404936 Oct 10 07:28 libc_r_p.a
>     *** snip ***
>     -r--r--r--  1 root  wheel   233062 Oct 10 07:28 libpam.a
>     lrwxr-xr-x  1 root  wheel       11 Oct 10 07:28 libpam.so -> libpam.so.3
>     lrwxr-xr-x  1 root  wheel       11 Oct 10 10:50 libpam.so.0 -> libpam.so.3
>     -r--r--r--  1 root  wheel    35544 Aug 16 09:45 libpam.so.2
>     -r--r--r--  1 root  wheel    35584 Oct 10 07:28 libpam.so.3
>     *** snip ***
>
> rebuilt system (make buildworld buildkernel installkernel installworld) no help.
>
> I had just finished doing portupgrade -a
> did pkgdb -F
>
> I usually just do xdm and use kde as user.
>
> system boots fine multiuser and I can login as root no problem. I just can't login as user and become root with su
>
> still a newbie.
>
> Thanks so much
> Damon

Did you add the user to /etc/group?

    wheel:*:0:root,username,username

Beech

---
Beech Rintoul - System Administrator - [EMAIL PROTECTED]
/\  ASCII Ribbon Campaign  | NorthWind Communications
\ / - NO HTML/RTF in e-mail  | 201 East 9th Avenue Ste.310
 X  - NO Word docs in e-mail | Anchorage, AK 99501
/ \
---
Re: unable to do su from user to become super user
On 10/10/05, Damon Blom [EMAIL PROTECTED] wrote:
> Hi
>
> FreeBSD presario.com 7.0-CURRENT FreeBSD 7.0-CURRENT #7: Sun Oct 9 22:44:53 PDT 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/MYKERNEL amd64
>
> I cannot go from user to super user.

By default on FreeBSD, users must be a member of the group wheel in order to su to root.

Aaron
Re: unable to do su from user to become super user
Damon Blom wrote:
> Hi
>
> FreeBSD presario.com 7.0-CURRENT FreeBSD 7.0-CURRENT #7: Sun Oct 9 22:44:53 PDT 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/MYKERNEL amd64
>
> I cannot go from user to super user.
>
> su: error while loading shared libraries: libpam.so.0: cannot open shared object file: No such file or directory

In contrast to what others have just posted, I don't think adding yourself to the wheel group will help much with this.

> system boots fine multiuser and I can login as root no problem. I just can't login as user and become root with su
>
> still a newbie.
>
> Thanks so much
> Damon

If that last is true (still a newbie), then why on God's Green Earth are you running 7.0-CURRENT? When you run -CURRENT, you're generally expected to be able to deal with most issues like this yourself, at least in some limited way. Did you read /src/UPDATING, for starters?

Please note: I'm not trying to flame you. But I wonder if you're in over your head. I don't run -CURRENT, myself, but this is the sort of thing that sounds like you did something without meaning to.

Kevin Kinsey
Super User
Hi,

I'm wanting to know how I can add a user to the super user list so that I can log in remotely and sudo commands. I have noticed that, unlike Linux, root may not ssh in, which I think is cool, but unless I can create a super user, or add to the list that lets me run root commands, it's kinda hard to admin a FreeBSD server.

Payne
Re: Super User
> I'm wanting to know how I can add a user to the super user list so that I can log in remotely and sudo commands. I have noticed that, unlike Linux, root may not ssh in, which I think is cool, but unless I can create a super user, or add to the list that lets me run root commands, it's kinda hard to admin a FreeBSD server.

Add the user to the wheel group.