Author

Christopher Marshall (christopherlmarshall@yahoo.com)

Raw Notes on LIDS

# initial make of package
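# Kernel tree lidstools is built against; overridable from the environment so the
# same notes work with a different source location.
export KERNEL_DIR=${KERNEL_DIR:-/usr/local/src/linux-2.4.19}
./configure || exit 1
make VIEW=1 || exit 1
# A bare 'su' followed by 'make install' only works when typed interactively: in a
# script the lines after 'su' run once the root shell exits, still as the original
# user. Run the privileged step under su -c instead.
su -c 'make install' || exit 1

# Directory name copied verbatim from the original notes — confirm it exists in the
# lidstools tree. The cd is checked so a wrong name cannot make the cp below copy
# whatever happens to be in the current directory into /etc/lids.
cd exmaples || exit 1
# Install the sample policy files, then -P (presumably sets the LIDS password used
# for LIDS-free sessions) and -U (presumably refreshes the device/inode numbers of
# the protected files) — verify against lidsconf(8). All of this writes to
# /etc/lids, so it runs as root too.
su -c 'cp -- lids.conf lids.cap lids.net /etc/lids && lidsconf -P && lidsconf -U' || exit 1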

# configuration switches to set
# you need to set this one so you can switch LIDS off
# I kept wondering why adding the "security=0" line to the lilo prompt wasn't working.
Allow switching LIDS protections n -> y
allow reloading config file n -> y


# you turn off lids by setting lids=0 in the kernel command line
# lilo.conf "append" line, not a shell command: passing lids=0 on the kernel
# command line boots with LIDS switched off. Anyone who can type at the boot
# prompt can pass the same option, so the bootloader prompt needs restricting
# (e.g. a lilo password) for the protection to mean anything — confirm.
append = "lids=0"

# setuid observations:
# It seems that if you want a setuid root program to work, you need to explicitly grant
# setuid ability to the program using lidsconf.  I noticed this when getting ping to work.


# Grant /bin/ping just the two capabilities it uses. CAP_NET_RAW is for its ICMP
# raw socket; CAP_SETUID is presumably what the setuid-root binary needs to drop
# back to the caller's uid after opening the socket — confirm by watching the LIDS
# log while running it. -i 0 keeps the inheritance level at zero, so nothing ping
# executes gets these capabilities.
ping_caps=(CAP_SETUID CAP_NET_RAW)
for cap in "${ping_caps[@]}"; do
  lidsconf -A -s /bin/ping -o "$cap" -i 0 -j GRANT
done

# I am struggling with the question of whether lids will allow a process rights it wouldn't have
# without lids.  Can ping work without CAP_SETUID, if I run it as a normal user and grant it NET_RAW?
# I think the thing to do here is to test ping and watch the error logs as I do it.
# What if I have a chmod 0777 file, and I execute it and grant it CAP_SETUID?  Will it be able
# to setuid to root?  Or do I have to make it root owned and chmod 4777 before it will work?
# If I don't grant CAP_SETUID to the file, but it is owned by root and chmod 4777, will it work?
# I should try these cases and see what happens.

# common pitfalls:
   # symbolic links from /usr/sbin/somescript to a non-protected script
   # /sbin/ssh-vpn -> /home/chris/sbin/ssh-vpn
   # attempting to grant rights to /sbin/ssh-vpn won't work because /home/chris/sbin/ssh-vpn isn't protected.

   # you can't have more than one lids free session at a time!
   # if you need to do that, you should disable lids globally.

   # don't grant rights to pppd, grant them to a script that invokes pppd and which invokes it in a way that can't be abused. Also, only use the level of inheritance you actually need.
