From: Yusuf W. P. <yw...@us...> - 2004-02-26 19:36:18
|
Hi, Here you are, LIDS 1.1.2p3 and LIDS 1.2.0rc2 for kernel 2.4.25. :-) Both consist mostly of simple code cleanups and coding style modification based on Lindent. Again, kernel 2.4.XX users are advised to start using LIDS 1.2.X. This will help migrate to LIDS 2.0.X on kernels 2.6.X. Please enjoy! Regards, purna -- Yusuf Wilajati Purna <yw...@us...> 1024D/7354A078 Key fingerprint = 7F4F 8433 C65F 3502 BC93 F529 BFDE F939 7354 A078 |
From: Sander K. <ro...@ro...> - 2004-02-24 22:03:11
|
Hey, On Tue, 2004-02-24 at 22:02, m.r...@ti... wrote: > 1- what do you mean by ACL ( access control list )? > is another name for a boot script in /etc/rc* in which place all my rules ? ACL is the name for all your rules together. If you set up some rules for a program then this is called an access control list. Because you control the access of the programs... > 2- I have encrypted my /var fs with cryptoapi and, for this reason the encrypting script is executed before any other boot.rc, so : I should > "HAVE" to execute it also before lids.rc ( also 'cuz lids won't find logs to protect ),can I do it or not? and if not what should I do > to go around this? Your lids.rc should be executed last in your bootscript. So the script that mounts your var will automatically run before it. > 3- well once solved those problem the next will be : I read the FAQ and it says that processes will not inherit the parent's acl, but in my > case the problem is different may I hide the crypted file which contains /var ( http://www.kerneli.org/howto/node3.php ) without > having problems about mounting it? I suppose you need to give losetup rights to access the encrypted file. After you have set up the loop device you just use mount to mount the device. This shouldn't give any problems. As long as the inode of the encrypted file does not change. I don't think it will change because only the content of the encrypted file is changed, not the file itself. Hope this helps a bit. Greets, Sander --- BOFH excuse #136: Daemons loose in system. |
From: <m.r...@ti...> - 2004-02-24 21:16:41
|
Hi ya all, again, may any1 help me with this? my questions are: 1- what do you mean by ACL ( access control list )? is another name for a boot script in /etc/rc* in which place all my rules ? 2- I have encrypted my /var fs with cryptoapi and, for this reason the encrypting script is executed before any other boot.rc, so : I should "HAVE" to execute it also before lids.rc ( also 'cuz lids won't find logs to protect ),can I do it or not? and if not what should I do to go around this? 3- well once solved those problem the next will be : I read the FAQ and it says that processes will not inherit the parent's acl, but in my case the problem is different may I hide the crypted file which contains /var ( http://www.kerneli.org/howto/node3.php ) without having problems about mounting it? Thanx for patience PS: thanx Huagang Xie m.roberto.d -- "If a train station is where a train stops. Then what stops at a workstation?" |
From: Allstarsales <all...@st...> - 2004-02-24 08:35:33
|
heh :)) |
From: Yusuf W. P. <yw...@us...> - 2004-02-21 01:46:23
|
Hi, Torben Krause wrote: > Hello, > > I use the Debian woody distribution. I downloaded the latest stable lids > kernel patch and have patched my 2.4.24 vanilla kernel. Patching the > kernel itself succeeded without any error. > During the compilation process I got the following error message: > > fork.c : In function 'copy_lids_sys_acl' > fork.c : 601 parse error before ')' > > In the kernel configuration menu I chose the options > CONFIG_EXPERIMENRAL=y and SYSCTRL=y > Maybe, there is still some minor bug in LIDS_DBG. Please try not to set this feature when configuring the kernel: [*] Linux Intrusion Detection System support (EXPERIMENTAL) --- LIDS Features ... ... [ ] LIDS Debug <-- this feature Regards, purna -- Yusuf Wilajati Purna <yw...@us...> 1024D/7354A078 Key fingerprint = 7F4F 8433 C65F 3502 BC93 F529 BFDE F939 7354 A078 |
From: Torben K. <tor...@gm...> - 2004-02-20 23:12:28
|
Hello, I use the Debian woody distribution. I downloaded the latest stable lids kernel patch and have patched my 2.4.24 vanilla kernel. Patching the kernel itself succeeded without any error. During the compilation process I got the following error message: fork.c : In function 'copy_lids_sys_acl' fork.c : 601 parse error before ')' In the kernel configuration menu I chose the options CONFIG_EXPERIMENRAL=y and SYSCTRL=y What's wrong ? Torben K. |
From: <m.r...@ti...> - 2004-02-20 19:17:06
|
Hi ya all, again, may any1 help me with this? my questions are: 1- what do you mean by ACL ( access control list )? is another name for a boot script in /etc/rc* in which place all my rules ? 2- I have encrypted my /var fs with cryptoapi and, for this reason the encrypting script is executed before any other boot.rc, so : I should "HAVE" to execute it also before lids.rc ( also 'cuz lids won't find logs to protect ),can I do it or not? and if not what should I do to go around this? 3- well once solved those problem the next will be : I read the FAQ and it says that processes will not inherit the parent's acl, but in my case the problem is different may I hide the crypted file which contains /var ( http://www.kerneli.org/howto/node3.php ) without having problems about mounting it? Thanx for patience PS: thanx Huagang Xie m.roberto.d -- "If a train station is where a train stops. Then what stops at a workstation?" |
From: Huagang X. <xi...@ww...> - 2004-02-20 05:38:36
|
It is a bug..try following patch ------------------------- cut here ----------------------------------------= ----------- diff -u -r1.1.1.1 lidsconf.c --- lidsconf.c 17 Feb 2004 06:20:27 -0000 1.1.1.1 +++ lidsconf.c 20 Feb 2004 05:29:07 -0000 
@@ -802,7 +802,7 @@ exit_error(2,"you must define the default r= ules for object files"); } /* if current type have less persmission of defualt _rule */ - if( type < default_rule ) { + if( type < default_rule && !sys_cap ) { exit_error(2,"the type is less than default permssi= on, this rule is useless"); } } ---------------------- cut here -------------------------------------------= ---------------- The problem is, this checking should only be performed on all the acl with a "SUBJECT", for other acl without a "SUBJECT", you can do anything you want..:-). Thanks for reporting the bug! It will be released in the next version. Huagang On Tue, Feb 17, 2004 at 12:50:13AM +0100, nils toedtmann wrote: > Hi again, > > i checked out the latest lids versions. With lidstools-0.4.3p1 > (from lids-1.1.2p2) this works: > > # lidsconf -A -o /etc -j READONLY > # lidsconf -A -o /etc/ipsec.secrets -j DENY > > But lidstools-0.5.2p1 (from lids-1.2.0rc1) rejects the second rule > with "lidsconf: the type is less than default permssion, this > rule is useless". But that rule _IS_ actually stronger than the > READONLY permission on the parent directory. > > Where is my mistake? > > /nils. > > > On Thu, Feb 12, 2004 at 07:57:24PM +0100, nils toedtmann wrote: > > Hi, > > > > i try to upgrade from lids-1.1.2, kernel-2.4.23 with some older > > lidstools (1.1.1r2 or so) to 1.1.3pre1-purna3 (from Yusuf, thanks > > for the work!) with lidstools-0.5.1 and kernel 2.4.24. Everything > > compiled fine. Now i try to setup the lids.conf with my old make > > script (while running the kernel with "lids=0"). But i get many > > > > "lidsconf: the type is less than default permssion, this rule is useless" > > > > messages.
I traced it down to this situation: > > > > # lidsconf -A -o /etc -j READONLY > > # lidsconf -A -o /etc/ipsec.secrets -j DENY > > lidsconf: the type is less than default permssion, this rule is useless > > > > When i switch the rules > > > > # lidsconf -A -o /etc/ipsec.secrets -j DENY > > # lidsconf -A -o /etc -j READONLY > > > > everything is fine. I'm sure the first ruleset worked on my former > > lidssystem. > > > > Do i really have to reorganize my makescript to work with the new > > lidsconf (or to split it up in BOOT and POSTBOOT)? > > -- > ___________________________________________________________ > CONFIDENTIALITY NOTICE > The contents of this email are confidential to the ordinary user of the > email address to which it was addressed and may also be privileged. If you > are not the addressee of this email you may not copy, forward, disclose or > otherwise use it or any part of it in any form whatsoever. If you have > received this email in error please email the sender by replying to this > message. > ___________________________________________________________ > ... that's for the legal department. Now the actual sig: > -- > nils toedtmann > department for technical paranoia > marcant internet-services gmbh <http://www.marcant.net/> > -- ceterum censeo, some networks have to get renumbered -- -- LIDS secure linux kernel http://www.lids.org/ 1024D/B6EFB028 4731 2BF7 7735 4DBD 3771 4E24 B53B B60A B6EF B028 |
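Review bot: the new `!sys_cap` term in `if( type < default_rule && !sys_cap )` is not explained by the comment directly above it, which still describes an unconditional comparison with the default rule. The accompanying message says the check is meant only for ACLs that have a SUBJECT, so either test for the subject directly or extend the comment to say why `sys_cap` exempts a rule from the comparison. The comment ("persmission", "defualt _rule") and the `exit_error` string ("permssion") in the context lines also carry typos worth fixing in the same change, and the reported pair of rules (`-o /etc -j READONLY` followed by `-o /etc/ipsec.secrets -j DENY`, both without `-s`) would make a good regression case.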
From: Huagang X. <xi...@ww...> - 2004-02-20 05:20:40
|
Hello.. when configuring the kernel, make sure that there are no other modules compiled into the kernel. See the options below, DO NOT select "Default Linux Capabilities" and "NSA SELinux Support" as "*" (in the kernel). LIDS can not stack with other security modules now. [*] Enable different security models [*] Socket and Networking Security Hooks < > Default Linux Capabilities Linux Intrusion Detection System ---> < > Root Plug Support [ ] NSA SELinux Support Thanks, Huagang On Thu, Feb 19, 2004 at 10:59:53PM +0100, m.r...@ti... wrote: > Hi ya all, > may I ask an help?!? > I use kernel 2.6.2v, patched with lots of hacks , an' with lids too, my problem is that after recompiling my kernel, > # modprobe lids > returns: > There is already a security framework initialized, register_security failed. > Failure registering LIDS with the kernel > FATAL: Error inserting lids (/lib/modules/2.6.2-lids/kernel/security/lids/lids.ko): Invalid argument > and it says the same thing also recompiling lids native in the kernel, so I've even setup lids acl but I can't use it!! > Sh#t!..., sorry. > Can anyone help me? > Tnx > M. Roberto D. > -- > "If a train station is where a train stops. Then what stops at a workstation?" -- LIDS secure linux kernel http://www.lids.org/ 1024D/B6EFB028 4731 2BF7 7735 4DBD 3771 4E24 B53B B60A B6EF B028 |
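The kernel configuration advice in the reply above, as an added example that is not part of the original message or of the LIDS tools: a POSIX shell function that audits a 2.6 `.config` for the options the reply lists. The `CONFIG_SECURITY_*` symbols are the mainline kernel names behind the quoted menu entries; the function name `check_lsm_config` and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a 2.6 kernel .config against the advice in the reply.

# check_lsm_config FILE
# Prints one finding per line; returns 0 if FILE matches the advice, 1 if not.
check_lsm_config() {
    cfg=$1
    bad=0

    # Shown as [*] in the reply: the security framework itself must be built in.
    #   Enable different security models      -> CONFIG_SECURITY
    #   Socket and Networking Security Hooks  -> CONFIG_SECURITY_NETWORK
    for sym in CONFIG_SECURITY CONFIG_SECURITY_NETWORK; do
        if ! grep -q "^${sym}=y\$" "$cfg"; then
            echo "missing: ${sym}=y"
            bad=1
        fi
    done

    # Other security modules. The reply rules out building them into the
    # kernel (=y); =m is not flagged here because the reply does not cover it.
    #   Default Linux Capabilities -> CONFIG_SECURITY_CAPABILITIES
    #   Root Plug Support          -> CONFIG_SECURITY_ROOTPLUG
    #   NSA SELinux Support        -> CONFIG_SECURITY_SELINUX
    for sym in CONFIG_SECURITY_CAPABILITIES CONFIG_SECURITY_ROOTPLUG \
               CONFIG_SECURITY_SELINUX; do
        if grep -q "^${sym}=y\$" "$cfg"; then
            echo "conflict: ${sym}=y"
            bad=1
        fi
    done

    return "$bad"
}

demo() {
    dir=$(mktemp -d)

    # Constructed sample: capabilities and SELinux built in, as in a stock config.
    cat > "$dir/conflict.config" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_CAPABILITIES=y
# CONFIG_SECURITY_ROOTPLUG is not set
CONFIG_SECURITY_SELINUX=y
EOF

    # Constructed sample: the selection shown in the reply.
    cat > "$dir/ok.config" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_CAPABILITIES is not set
# CONFIG_SECURITY_ROOTPLUG is not set
# CONFIG_SECURITY_SELINUX is not set
EOF

    for name in conflict ok; do
        echo "== $name.config"
        check_lsm_config "$dir/$name.config" && echo "ok: no other built-in security module"
    done
    rm -rf "$dir"
}

demo
```

Run it against the `.config` of the tree being built before recompiling; a `conflict:` line corresponds to an entry the reply says must not be selected as "*".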
From: <m.r...@ti...> - 2004-02-19 23:40:23
|
Part 2: I've done as lids faq says, but booting with: lilo: mykernel lids=0 the result is : On Thu, 19 Feb 2004 22:59:53 +0100 "m.r...@ti..." <m.r...@ti...> wrote: palmbeach:~# lidsadm -I INIT open: No such file or directory lidsadm: cannot open /proc/sys/lids/locks always me tnx again m.roberto.d > Hi ya all, > may I ask an help?!? > I use kernel 2.6.2v, patched with lots of hacks , an' with lids too, my problem is that after recompiling my kernel, > # modprobe lids > returns: > There is already a security framework initialized, register_security failed. > Failure registering LIDS with the kernel > FATAL: Error inserting lids (/lib/modules/2.6.2-lids/kernel/security/lids/lids.ko): Invalid argument > and it says the same thing also recompiling lids native in the kernel, so I've even setup lids acl but I can't use it!! > Sh#t!..., sorry. > Can anyone help me? > Tnx > M. Roberto D. > -- > "If a train station is where a train stops. Then what stops at a workstation?" -- "If a train station is where a train stops. Then what stops at a workstation?" |
From: <m.r...@ti...> - 2004-02-19 22:11:08
|
Hi ya all, may I ask an help?!? I use kernel 2.6.2v, patched with lots of hacks , an' with lids too, my problem is that after recompiling my kernel, # modprobe lids returns: There is already a security framework initialized, register_security failed. Failure registering LIDS with the kernel FATAL: Error inserting lids (/lib/modules/2.6.2-lids/kernel/security/lids/lids.ko): Invalid argument and it says the same thing also recompiling lids native in the kernel, so I've even setup lids acl but I can't use it!! Sh#t!..., sorry. Can anyone help me? Tnx M. Roberto D. -- "If a train station is where a train stops. Then what stops at a workstation?" |
From: Huagang X. <xi...@ww...> - 2004-02-17 07:14:20
|
Hello, Thanks for submitting the new logos, you can check it now on http://www.lids.org/logos.html Thanks, Huagang On Fri, Jan 30, 2004 at 01:29:48PM -0700, Jesse Bessette wrote: > > was bored and thought i would have a go @ a few logos, all are the same > however different colors > > > Your site rocks > > References > > 1. mailto:jb...@eh... -- LIDS secure linux kernel http://www.lids.org/ 1024D/B6EFB028 4731 2BF7 7735 4DBD 3771 4E24 B53B B60A B6EF B028 |
From: nils t. <nto...@ma...> - 2004-02-16 23:54:19
|
Hi again, i checked out the latest lids versions. With lidstools-0.4.3p1 (from lids-1.1.2p2) this works: # lidsconf -A -o /etc -j READONLY # lidsconf -A -o /etc/ipsec.secrets -j DENY But lidstools-0.5.2p1 (from lids-1.2.0rc1) rejects the second rule with "lidsconf: the type is less than default permssion, this rule is useless". But that rule _IS_ actually stronger than the READONLY permission on the parent directory. Where is my mistake? /nils. On Thu, Feb 12, 2004 at 07:57:24PM +0100, nils toedtmann wrote: > Hi, > > i try to upgrade from lids-1.1.2, kernel-2.4.23 with some older > lidstools (1.1.1r2 or so) to 1.1.3pre1-purna3 (from Yusuf, thanks > for the work!) with lidstools-0.5.1 and kernel 2.4.24. Everything > compiled fine. Now i try to setup the lids.conf with my old make > script (while running the kernel with "lids=0"). But i get many > > "lidsconf: the type is less than default permssion, this rule is useless" > > messages. I traced it down to this situation: > > # lidsconf -A -o /etc -j READONLY > # lidsconf -A -o /etc/ipsec.secrets -j DENY > lidsconf: the type is less than default permssion, this rule is useless > > When i switch the rules > > # lidsconf -A -o /etc/ipsec.secrets -j DENY > # lidsconf -A -o /etc -j READONLY > > everything is fine. I'm sure the first ruleset worked on my former > lidssystem. > > Do i really have to reorganize my makescript to work with the new > lidsconf (or to split it up in BOOT and POSTBOOT)? -- ___________________________________________________________ CONFIDENTIALITY NOTICE The contents of this email are confidential to the ordinary user of the email address to which it was addressed and may also be privileged. If you are not the addressee of this email you may not copy, forward, disclose or otherwise use it or any part of it in any form whatsoever. If you have received this email in error please email the sender by replying to this message. ___________________________________________________________ ... 
that's for the legal department. Now the actual sig: -- nils toedtmann department for technical paranoia marcant internet-services gmbh <http://www.marcant.net/> -- ceterum censeo, some networks have to get renumbered -- |
From: Sander K. <s....@qu...> - 2004-02-14 17:33:58
|
Did you also check off the "Enable different security models" option? Because that one is also needed. After that you can press enter on the "Linux Intrusion Detection System" option. Greets, Sander Klein On Sat, 2004-02-14 at 17:36, Rhyss Jones wrote: > Hi, > > I am new to Lids so please forgive me if this is a newbie Q'n, but, while > running > #make menuconfig > > I have checked off :- > [*] Prompt for development and/or incomplete code/drivers > [*] Sysctl support > > I have the option:- > Linux Intrusion Detection System ---> > > When I press enter (as the program explains <Enter> selects submenus --->.) > the screen flickers and refreshes. (ie. I have no submenu options). > > Can someone please explain my error (and fix). > > Thank you. --- BOFH excuse #97: Small animal kamikaze attack on power supplies |
From: Rhyss J. <rhy...@ho...> - 2004-02-14 16:39:29
|
Hi, I am new to Lids so please forgive me if this is a newbie Q'n, but, while running #make menuconfig I have checked off :- [*] Prompt for development and/or incomplete code/drivers [*] Sysctl support I have the option:- Linux Intrusion Detection System ---> When I press enter (as the program explains <Enter> selects submenus --->.) the screen flickers and refreshes. (ie. I have no submenu options). Can someone please explain my error (and fix). Thank you. |
From: Yusuf W. P. <yw...@us...> - 2004-02-14 12:25:47
|
Hi, LIDS Project is pleased to announce the release of LIDS 1.2.0rc1 for kernel 2.4.24. LIDS 1.2.X is LIDS for kernel 2.4.XX with LIDS 2.0 features. Most of the current LIDS 2.0 features have been backported to this series. Different from LIDS 2.0, however, LIDS 1.2.X is not an LSM hooks based security module. Linux Kernel 2.4.XX users are advised to start using LIDS 1.2.X. This will help migrate to LIDS 2.0.X on kernels 2.6.X. Download it from www.lids.org, and please enjoy! Regards, purna -- Yusuf Wilajati Purna <yw...@us...> 1024D/7354A078 Key fingerprint = 7F4F 8433 C65F 3502 BC93 F529 BFDE F939 7354 A078 |
From: Yusuf W. P. <yw...@us...> - 2004-02-14 12:21:49
|
Hi, LIDS Project is pleased to announce the release of LIDS 1.1.2p2 for kernel 2.4.24. LIDS 1.1.2p2 is a merely bug fixed version of LIDS 1.1.2 for kernel 2.4.24. No major new features, including LIDS 2.0 features, are included in this patch series. This patch fixed a minor bug on CAP_SETUID/CAP_SETGID enhancement introduced into LIDS 1.1.2p1. Download it from www.lids.org, and please enjoy! Regards, purna -- Yusuf Wilajati Purna <yw...@us...> 1024D/7354A078 Key fingerprint = 7F4F 8433 C65F 3502 BC93 F529 BFDE F939 7354 A078 |
From: Yusuf W. P. <yw...@us...> - 2004-02-12 22:13:45
|
Hi, Sander Klein wrote: > Hi, > > Could there be something wrong with the lids CAP_SETUID/CAP_SETGID > checking in lids 1.1.2p1? > > I've got the following rules for su: > > --- > $LIDS -A -s /bin/su -o /etc/shadow -j READONLY > $LIDS -A -s /bin/su -o CAP_SETUID -j GRANT > $LIDS -A -s /bin/su -o CAP_SETGID -j GRANT > --- > > But when I try to su it tells me that unix_chkpwd needs access > /etc/passwd. I grant it access (it has never needed it before though) > and then I see that su needs CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH. > (Never seen this before either) > > So, now my rulebase looks like this: > > --- > $LIDS -A -s /bin/su -o /etc/shadow -j READONLY > $LIDS -A -s /bin/su -o CAP_SETUID -j GRANT > $LIDS -A -s /bin/su -o CAP_SETGID -j GRANT > $LIDS -A -s /bin/su -o CAP_DAC_OVERRIDE -j GRANT > $LIDS -A -s /bin/su -o CAP_DAC_READ_SEARCH -j GRANT > > $LIDS -A -s /sbin/unix_chkpwd -o /etc/shadow -j READONLY > --- > > But, now when I try to use su it tells me that bash tries to setuid > --- > LIDS: bash (dev 3:2 inode 64581) pid 1736 ppid 1695 uid/gid (1000/1000) > on (pts) : violated CAP_SETUID > --- > This is maybe an unexpected effect of the small enhancement to CAP_SETUID/CAP_SETGID I have introduced into 1.1.2p1. With this enhancement, disabling CAP_SETUID/CAP_SETGID prevents a setuid/setgid program from being run with the euid/egid set to the uid/gid of the file's owner. Thus, the program will run as the usual non-setuid/setgid program. I haven't checked the problem in detail yet. But, you can try to wrap "su" with a script, and grant the script with CAP_SETUID/CAP_SETGID, properly. Thus, for example, $ cat /bin/mysu #!/bin/bash /bin/su $lidsconf -A -s /bin/mysu -o CAP_SETUID -i 1 -j GRANT $lidsconf -A -s /bin/mysu -o CAP_SETGID -i 1 -j GRANT And, see if you can do "su" using /bin/mysu or not. Thank you, purna -- Yusuf Wilajati Purna <yw...@us...> 1024D/7354A078 Key fingerprint = 7F4F 8433 C65F 3502 BC93 F529 BFDE F939 7354 A078 |
From: nils t. <nto...@ma...> - 2004-02-12 18:58:58
|
Hi, i try to upgrade from lids-1.1.2, kernel-2.4.23 with some older lidstools (1.1.1r2 or so) to 1.1.3pre1-purna3 (from Yusuf, thanks for the work!) with lidstools-0.5.1 and kernel 2.4.24. Everything compiled fine. Now i try to setup the lids.conf with my old make script (while running the kernel with "lids=0"). But i get many "lidsconf: the type is less than default permssion, this rule is useless" messages. I traced it down to this situation: # lidsconf -A -o /etc -j READONLY # lidsconf -A -o /etc/ipsec.secrets -j DENY lidsconf: the type is less than default permssion, this rule is useless When i switch the rules # lidsconf -A -o /etc/ipsec.secrets -j DENY # lidsconf -A -o /etc -j READONLY everything is fine. I'm sure the first ruleset worked on my former lidssystem. Do i really have to reorganize my makescript to work with the new lidsconf (or to split it up in BOOT and POSTBOOT)? /nils. -- nils toedtmann department for technical paranoia marcant internet-services gmbh <http://www.marcant.net/> |
From: Sander K. <ro...@ro...> - 2004-02-11 20:32:41
|
Hi, Could there be something wrong with the lids CAP_SETUID/CAP_SETGID checking in lids 1.1.2p1? I've got the following rules for su: --- $LIDS -A -s /bin/su -o /etc/shadow -j READONLY $LIDS -A -s /bin/su -o CAP_SETUID -j GRANT $LIDS -A -s /bin/su -o CAP_SETGID -j GRANT --- But when I try to su it tells me that unix_chkpwd needs access /etc/passwd. I grant it access (it has never needed it before though) and then I see that su needs CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH. (Never seen this before either) So, now my rulebase looks like this: --- $LIDS -A -s /bin/su -o /etc/shadow -j READONLY $LIDS -A -s /bin/su -o CAP_SETUID -j GRANT $LIDS -A -s /bin/su -o CAP_SETGID -j GRANT $LIDS -A -s /bin/su -o CAP_DAC_OVERRIDE -j GRANT $LIDS -A -s /bin/su -o CAP_DAC_READ_SEARCH -j GRANT $LIDS -A -s /sbin/unix_chkpwd -o /etc/shadow -j READONLY --- But, now when I try to use su it tells me that bash tries to setuid --- LIDS: bash (dev 3:2 inode 64581) pid 1736 ppid 1695 uid/gid (1000/1000) on (pts) : violated CAP_SETUID --- The ppid of 1695 is my parent bash shell. Even adding -i -1 to the CAP_SETUID and CAP_SETGID sections of su won't fix the problem. But when I reboot in lids-1.1.2-2.4.21 with my first rulebase su just works. Correct me if I'm wrong but bash doesn't perform the actual setuid or setgid action right? I thought that su does the actual setuid/setgid action. Or am I totally wrong? Greets, Sander Klein --- BOFH excuse #333: A plumber is needed, the network drain is clogged |
From: Yusuf W. P. <yw...@us...> - 2004-02-11 12:36:42
|
Hi, > Actually, when I try to grant "CAP_INIT_KILL" capability on subject, > it says > "lidsconf: special type must be one of CAP_XXX_XXX. use lidsadm -h > for details." > and no description about CAP_INIT_KILL on lidsadm help. > I think this is a bug. As you pointed out, CAP_INIT_KILL has been replaced with CAP_KILL_PROTECTED since 1.1.1pre5. > Usually I've replaced CAP_INIT_KILL to CAP_KILL_PROTECTED and added > CAP_PROTECTED on /etc/lids/lids.cap manually, but why there is still > CAP_INIT_KILL on lidstools example file? > Yes, it is CAP_KILL_PROTECTED that should be in lids.cap. This should be fixed :-). And, you don't need to add CAP_PROTECTED in lids.cap. You can grant CAP_PROTECTED to a program/process to prevent the process from being killed, and you can grant CAP_KILL_PROTECTED to a program/process to enable this program/process to kill a process with CAP_PROTECTED. Thanks for the report. Regards, purna -- Yusuf Wilajati Purna <yw...@us...> 1024D/7354A078 Key fingerprint = 7F4F 8433 C65F 3502 BC93 F529 BFDE F939 7354 A078 |
From: Kazuki O. <om...@ho...> - 2004-02-10 02:02:20
|
Dear, Lists, I downloaded lids-2.0.4pre1-2.6.2 and have some questions on lids.cap example file in lidstools-0.5.2. On lids-1.1.2p1-2.4.24, ChangeLogs says "from 1.1.1pre5, added CAP_PROTECTED and renamed CAP_INIT_KILL to CAP_KILL_PROTECTED". Actually, when I try to grant "CAP_INIT_KILL" capability on subject, it says "lidsconf: special type must be one of CAP_XXX_XXX. use lidsadm -h for details." and no description about CAP_INIT_KILL on lidsadm help. Usually I've replaced CAP_INIT_KILL to CAP_KILL_PROTECTED and added CAP_PROTECTED on /etc/lids/lids.cap manually, but why there is still CAP_INIT_KILL on lidstools example file? Regards, -- Kazuki Omo:om...@ho... |
From: Yusuf W. P. <yw...@us...> - 2004-02-09 14:43:07
|
Surinder Kumar wrote: > I am unable to access LIDS documentation pages e.g. > http://www.lids.org/lids-faq/lids-faq.html due to permission problems. > Can someone help me ? Is there any other place where I can find > documentation on LIDS ? > Thx in advance. > There are some permission problems. We are trying to fix them. For a while, please try a lids website mirror, http://www.au.lids.org/, for example. Thank you, purna -- Yusuf Wilajati Purna <yw...@us...> 1024D/7354A078 Key fingerprint = 7F4F 8433 C65F 3502 BC93 F529 BFDE F939 7354 A078 |
From: Surinder K. <kum...@in...> - 2004-02-09 13:51:24
|
I am unable to access LIDS documentation pages e.g. http://www.lids.org/lids-faq/lids-faq.html due to permission problems. Can someone help me ? Is there any other place where I can find documentation on LIDS ? Thx in advance. Regards Surinder Kumar |
From: Huagang X. <xi...@ww...> - 2004-02-09 06:11:32
|
Hello, This version, * Merge a patch from Yusuf, - Fixed a possible memory leak in lids_alert(). - Forward ported the original CAP_SYS_RAWIO in LIDS 1.X to LIDS 2.X. Disabling CAP_SYS_RAWIO prevents direct access to raw/block devices as well. - Fixed a capability file loading bug when entering each LIDS state. - Modified kernel messages to be more informative when entering each LIDS state. - Modified lids_flags. ACL_DISCOVERY status can be checked using "lidsadm -V". * change some of the default capability setting in lidstools - enable most the capability by default Enjoy it. Huagang -- LIDS secure linux kernel http://www.lids.org/ 1024D/B6EFB028 4731 2BF7 7735 4DBD 3771 4E24 B53B B60A B6EF B028 |