Re: [gentoo-user] Re: Block root user from login on xorg GUI
Am Samstag 14 November 2009 23:50:42 schrieb Alan McKinnon: On Saturday 14 November 2009 22:46:18 Dirk Heinrichs wrote: Am Samstag 14 November 2009 16:13:04 schrieb Nikos Chantziaras: Ever heard about make menuconfig? ??? The account foolishly being prevented from bypassing SELinux is root. So, configure a new kernel, disable SELinux, build, install, reboot. Voila! No SELinux. Or, Edit grub.conf, reboot. Voila! No SELinux. Or, (as SELinux can be used to prevent access to grub.conf) Just hit the damn power button and edit the kernel options in the grub command line. Compile in kernel options, configure the kernel not to accept additional ones. Damn power button rendered useless. Trying to prevent root from doing $STUFF on a pc is utterly and completely pointless and simply will not succeed, ever. There is hardware where this can be done, but it's not a PC, has no Intel designs in it and is often truly secured with armed guards. This all implies physical access to the machine, right? trying to prevent root from doing $STUFF on Unix is utterly and completely pointless and simply will not succeed, ever. There are OSes where this can be done, but they are not Unix. By definition, on Unix root can do anything, including bypassing systems to prevent root from doing anything. SELinux allows to spread the tasks root needs to do or can do accross several roles. Of course, if only one single person has root access to the system this doesn't make sense. But we're talking about cases where several people (incl. the malicious attacker) have root access. So you can very well configure a (SE-)Linux system so that root can't do everything. Bye... Dirk signature.asc Description: This is a digitally signed message part.
[gentoo-user] Re: Block root user from login on xorg GUI
On 11/15/2009 11:22 AM, Dirk Heinrichs wrote: SELinux allows to spread the tasks root needs to do or can do accross several roles. Of course, if only one single person has root access to the system this doesn't make sense. But we're talking about cases where several people (incl. the malicious attacker) have root access. So you can very well configure a (SE-)Linux system so that root can't do everything. So how do you get your machine back if you forbid yourself to change its configuration then?
Re: [gentoo-user] Re: Block root user from login on xorg GUI
On Sunday 15 November 2009 16:40:48 Nikos Chantziaras wrote: On 11/15/2009 11:22 AM, Dirk Heinrichs wrote: SELinux allows to spread the tasks root needs to do or can do accross several roles. Of course, if only one single person has root access to the system this doesn't make sense. But we're talking about cases where several people (incl. the malicious attacker) have root access. So you can very well configure a (SE-)Linux system so that root can't do everything. So how do you get your machine back if you forbid yourself to change its configuration then? reboot|power down|pull power plug out|whatever and edit kernel config line to not laod selinux -- alan dot mckinnon at gmail dot com
[gentoo-user] Re: Block root user from login on xorg GUI
On 11/12/2009 10:01 PM, Mick wrote: I should know how to do this ... It isn't as simple as commenting out vc7 in /etc/securetty, right? The persistent offenders would try to start another X session on a different vc. Is there a trick I could add in /etc/pam.d/login or one of the /etc/pam.d/gdm* files perhaps? You cannot impose any restrictions to the root user. root is unrestricted by definition. It's useless to even start thinking about trying. What you *can* do, is give them a VPS inside of which they are root.
Re: [gentoo-user] Re: Block root user from login on xorg GUI
Am Samstag 14 November 2009 10:21:35 schrieb Nikos Chantziaras: You cannot impose any restrictions to the root user. root is unrestricted by definition. It's useless to even start thinking about trying. Ever heard about SELinux? Bye... Dirk signature.asc Description: This is a digitally signed message part.
[gentoo-user] Re: Block root user from login on xorg GUI
On 11/14/2009 12:12 PM, Dirk Heinrichs wrote: Am Samstag 14 November 2009 10:21:35 schrieb Nikos Chantziaras: You cannot impose any restrictions to the root user. root is unrestricted by definition. It's useless to even start thinking about trying. Ever heard about SELinux? Bye... Ever heard about make menuconfig? Bye...
Re: [gentoo-user] Re: Block root user from login on xorg GUI
On Saturday 14 November 2009 17:13:04 Nikos Chantziaras wrote: On 11/14/2009 12:12 PM, Dirk Heinrichs wrote: Am Samstag 14 November 2009 10:21:35 schrieb Nikos Chantziaras: You cannot impose any restrictions to the root user. root is unrestricted by definition. It's useless to even start thinking about trying. Ever heard about SELinux? Bye... Ever heard about make menuconfig? Or: Ever heard about keyboard, power switch, terminal and the ability to touch all three? -- alan dot mckinnon at gmail dot com
Re: [gentoo-user] Re: Block root user from login on xorg GUI
Am Samstag 14 November 2009 16:13:04 schrieb Nikos Chantziaras: Ever heard about make menuconfig? ??? Bye... Dirk signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] Re: Block root user from login on xorg GUI
On Saturday 14 November 2009 22:46:18 Dirk Heinrichs wrote: Am Samstag 14 November 2009 16:13:04 schrieb Nikos Chantziaras: Ever heard about make menuconfig? ??? The account foolishly being prevented from bypassing SELinux is root. So, configure a new kernel, disable SELinux, build, install, reboot. Voila! No SELinux. Or, Edit grub.conf, reboot. Voila! No SELinux. Or, (as SELinux can be used to prevent access to grub.conf) Just hit the damn power button and edit the kernel options in the grub command line. Voila! No SELinux. Lessons learned: Trying to prevent root from doing $STUFF on a pc is utterly and completely pointless and simply will not succeed, ever. There is hardware where this can be done, but it's not a PC, has no Intel designs in it and is often truly secured with armed guards. trying to prevent root from doing $STUFF on Unix is utterly and completely pointless and simply will not succeed, ever. There are OSes where this can be done, but they are not Unix. By definition, on Unix root can do anything, including bypassing systems to prevent root from doing anything. -- alan dot mckinnon at gmail dot com