Access controls
This is an access control matrix I made so I could get a better view of how the different mechanisms affect different operations. It's still a work in progress.
Control | Affects root? | login | logoutd | su | sudo | OpenSSH | xscreensaver |
---|---|---|---|---|---|---|---|
NOLOGINS_FILE | No | Yes | Yes | No | | | |
Password locked | Yes | Yes | | | | | |
Password expired | No*** | No | | | | | |
/sbin/nologin as shell | Yes | Yes | No** | | | | |
/etc/porttime | Yes | Yes* | Yes | Yes | No | No | No |
/etc/limits: L | No | Yes | Yes | No | | | |
Failure limit exceeded (faillog) | Yes | Yes | No | No | | | |
/etc/securetty | Yes | Yes | No | No | No | No | No |
/etc/login.access | Yes | Yes | No | | | | |
/etc/suauth | No | N/A | N/A | Yes | N/A | N/A | N/A |
Account expired | Yes | Yes | | | | | |
Missing home dir | No | | | | | | |
- \* If PORTTIME_CHECKS_ENAB is enabled in /etc/login.defs
- \*\* Users can still connect and authenticate with **ssh -N** and do malicious stuff like tunnel traffic through the server, or connect to other services through the server's loopback address
- \*\*\* With PubkeyAuthentication
Service | Message to user (if any) | Log message | Control |
---|---|---|---|
login | Too many logins. | | /etc/limits |
login | Invalid login time | invalid login time for 'user' on '/dev/tty1' | /etc/porttime |
login | | LOGIN 'user' REFUSED on '/dev/tty1' | /etc/login.access |
login | Your password is inactive. Contact the system administrator. | | Password expired |
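As an added example (not part of this page or of the shadow suite), the following Python classifies accounts against the password and account rows of the matrix above. It reads constructed /etc/passwd and /etc/shadow lines; all day counts are days since 1970-01-01, the unit the shadow(5) fields use, and "today" is a constructed value.

```python
# Added example: map /etc/passwd + /etc/shadow fields onto the matrix rows.
# The sample lines and SAMPLE_TODAY below are constructed, not real accounts.

LOCK_PREFIXES = ("!", "*")   # passwd -l prefixes "!"; "*" is the classic no-login hash

def _days(field):
    """Empty shadow field means 'not set'; return None in that case."""
    return int(field) if field.strip() else None

def account_controls(passwd_line, shadow_line, today):
    """Return the matrix controls that apply to one account, in a fixed order."""
    pw_fields = passwd_line.rstrip("\n").split(":")
    sh_fields = shadow_line.rstrip("\n").split(":")
    if len(pw_fields) != 7 or len(sh_fields) < 8 or pw_fields[0] != sh_fields[0]:
        raise ValueError("passwd/shadow lines do not describe the same account")
    shell = pw_fields[6]
    pw_hash = sh_fields[1]
    lastchg, maxdays = _days(sh_fields[2]), _days(sh_fields[4])
    inact, expire = _days(sh_fields[6]), _days(sh_fields[7])
    hits = []
    if shell == "/sbin/nologin":
        hits.append("/sbin/nologin as shell")
    if pw_hash.startswith(LOCK_PREFIXES):
        hits.append("Password locked")
    if expire is not None and 0 < expire < today:
        hits.append("Account expired")
    # The "Your password is inactive" case: today is past lastchg + max + inact.
    # Merely passing lastchg + max only forces a password change at login.
    if None not in (lastchg, maxdays, inact) and lastchg + maxdays + inact < today:
        hits.append("Password expired")
    return hits

SAMPLE_TODAY = 20000   # constructed "today"
SAMPLE_PASSWD = {
    "alice": "alice:x:1000:1000::/home/alice:/bin/bash",
    "bob":   "bob:x:1001:1001::/home/bob:/sbin/nologin",
    "carol": "carol:x:1002:1002::/home/carol:/bin/bash",
}
SAMPLE_SHADOW = {
    "alice": "alice:$6$constructed$hash:19900:0:99999:7:::",
    "bob":   "bob:!$6$constructed$hash:19900:0:99999:7:::",
    "carol": "carol:$6$constructed$hash:19000:0:90:7:30:19500:",
}

def report(today=SAMPLE_TODAY):
    """Controls hit per sample user, e.g. carol -> account and password expired."""
    return {u: account_controls(SAMPLE_PASSWD[u], SAMPLE_SHADOW[u], today)
            for u in SAMPLE_PASSWD}

if __name__ == "__main__":
    for user, hits in report().items():
        print(f"{user}: {', '.join(hits) or 'no control applies'}")
```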
This is how the shadow suite is built in Slackware 14.1:

```
shadow will be compiled with the following features:
auditing support: no
CrackLib support: no
PAM support: no
SELinux support: no
ACL support: yes
Extended Attributes support: yes
tcb support (incomplete): no
shadow group support: yes
S/Key support: no
SHA passwords encryption: yes
nscd support: yes
```
faillog is mysterious. You can set the defaults for non-existent UIDs with --all --user RANGE, but when you run useradd without the --no-log-init parameter, it resets the values for that UID to zero. Also, the man page says that the created user is not added to the lastlog database, which might cause problems.

I think this whole thing in the shadow suite is somehow inconsistent. This is what is said in the src/useradd.c file:
```c
/*
 * Initialize faillog and lastlog entries for this UID in case
 * it belongs to a previously deleted user. We do it only if
 * no user with this UID exists yet (entries for shared UIDs
 * are left unchanged). --marekm
 */
/* local, no need for xgetpwuid */
if ((!lflg) && (getpwuid (user_id) == NULL)) {
	faillog_reset (user_id);
	lastlog_reset (user_id);
}
```
That's kinda odd, since useradd doesn't seem to do UID 'recycling', which is also stated in the adduser script:

```sh
# This setting enables the 'recycling' of older unused UIDs.
# When you userdel a user, it removes it from passwd and shadow but it will
# never get used again unless you specify it expliticly -- useradd (appears to) just
# look at the last line in passwd and increment the uid. I like the idea of
# recycling uids but you may have very good reasons not to (old forgotten
# confidential files still on the system could then be owned by this new user).
# We'll set this to no because this is what the original adduser shell script
# did and it's what users expect.
recycleuids=no
```
...And if it did, that would be a grande bad idea(tm).
There is also some bug/feature in faillog when running it against a zero-sized database: the first set of -l/-m values is stored without the lock time, and only the second run records it:

```
# ls -l /var/log/faillog
-rw-r--r-- 1 root root 0 Oct 5 00:03 /var/log/faillog
# faillog -l 300 -m 1 -u root
# faillog -u root
Login       Failures Maximum Latest                   On
root            0        1   01/01/70 02:00:00 +0200
# faillog -l 300 -m 1 -u root
# faillog -u root
Login       Failures Maximum Latest                   On
root            0        1   01/01/70 02:00:00 +0200   [300s lock]
```
For some reason, you need to specify the tty names in the rules differently for logoutd and login:

- login requires the absolute path with the /dev/ prefix
- logoutd requires it without the prefix
You can apparently create a custom message for logoutd (from src/logoutd.c):

```c
#ifndef HUP_MESG_FILE
#define HUP_MESG_FILE "/etc/logoutd.mesg"
#endif
```
- xdm
- Examples of different log messages