9.23.10.Polyinstantiation PDF

  • 7/30/2019 9.23.10.Polyinstantiation PDF

    1/9

    Improve security with polyinstantiation

    Using a Pluggable Authentication Module to protect private data

    Skill Level: Introductory

    Robb R. Romans ([email protected]), Software Engineer, IBM

    26 Feb 2008

    If you're concerned about protecting world-writeable shared directories such as /tmp or /var/tmp from abuse, a Linux Pluggable Authentication Module (PAM) can help you. The pam_namespace module creates a separate namespace for users on your system when they log in. This separation is enforced by the Linux operating system so that users are protected from several types of security attacks. This article for Linux system administrators lays out the steps to enable namespaces with PAM.

    To improve security, it's often wise to use more than one method of protection (also called "defense in depth"). That way, if one method is breached, another method remains operational and prevents further intrusion. This article describes a way to add another layer of depth to your security strategy: using PAM to polyinstantiate world-writeable shared directories. This means that a new instance of a directory, such as /tmp, is created for each user.

    Polyinstantiation of world-writeable directories prevents the following types of attacks, as Russell Coker illustrates in "Polyinstantiation of directories in an SELinux system" (see Resources):

    Race-condition attacks with symbolic links

    Exposing a file name considered secret information or useful to an attacker

    Attacks by one user on another user

    Improve security with polyinstantiation Copyright IBM Corporation 1994, 2007. All rights reserved. Page 1 of 9


    Attacks by a user on a daemon

    Attacks by a non-root daemon on a user

    However, polyinstantiation does NOT prevent these types of attacks:

    Attacks by a root daemon on a user

    Attacks by root (account or escalated privilege) on any user

    How PAM and polyinstantiation work

    PAM creates a polyinstantiated private /tmp directory at login time within a system instance directory; this redirection is transparent to the user logging in. The user sees a standard /tmp directory and can read and write to it normally. That user cannot see any other user's (including root's) /tmp space or the actual /tmp file system.

    Polyinstantiated user directories are neither hidden nor protected from the root user. If you are interested in that level of protection, SELinux can help. The configuration examples provided here should work whether or not you have enabled SELinux. See Resources for links to more information about using SELinux.

    Enabling polyinstantiation

    This section shows you how to enable polyinstantiation of /tmp and /var/tmp directories for users on your system. It also describes the optional configuration steps necessary to accommodate X Windows or a graphical display manager. I used Red Hat Enterprise Linux 5.1 (RHEL 5.1) to write this article, but you can try the procedures described here on any Linux distribution that includes the pam_namespace module.

    First we'll edit namespace.conf.

    Edit namespace.conf

    The first file you'll edit is /etc/security/namespace.conf, which controls the pam_namespace module. In this file, list the directories that you want PAM to polyinstantiate on login. Some example directories are listed in the file included with PAM and are commented out. Type man namespace.conf to view a comprehensive manual page. The syntax for each line in this file is polydir instance_prefix method list_of_uids.

    Briefly, here is what these variables represent:


    polydir is the absolute pathname of the directory to polyinstantiate.

    instance_prefix is the base directory of the new polyinstantiated user directory.

    method can be user, level, or context.

    list_of_uids is a list of user names for which PAM will NOT polyinstantiate their directories.

    In this example, you are not using SELinux, so you must specify user for the method. You can use the variables $USER and $HOME within the configuration file if needed.

    Listing 1 creates a private /tmp and /var/tmp namespace instance for each user on the system except root and adm.

    Listing 1. /etc/security/namespace.conf

        #$HOME /$HOME/$USER.inst/ user root,adm
        /tmp /tmp/tmp-inst/ user root,adm
        /var/tmp /var/tmp/tmp-inst/ user root,adm

    The /tmp and /var/tmp directories do not have to be located on separate file systems; they can be directories on a single file system. The directories /tmp/tmp-inst and /var/tmp/tmp-inst must be created once, manually, with file mode 000 before polyinstantiation will work. If the directories are not created correctly, logins will fail.

    Type the following commands while logged in as the root user to create these directories:

        # mkdir /tmp/tmp-inst
        # mkdir /var/tmp/tmp-inst
        # chown root:root /tmp/tmp-inst /var/tmp/tmp-inst
        # chmod 000 /tmp/tmp-inst /var/tmp/tmp-inst
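    Because a wrong instance directory makes every login fail, it is worth checking the setup before adding the module to PAM. The script below is an added example for this article (not code from the article or from any distribution): it reads a namespace.conf in the polydir instance_prefix method list_of_uids syntax and, for each uncommented entry, confirms that the method is user, level or context and that the instance_prefix directory exists, has mode 000 and is owned by root. It assumes GNU stat (as on RHEL); the ROOT argument exists so the same function can be pointed at a scratch tree instead of the live file system.

```shell
#!/bin/sh
# Preflight check for a pam_namespace setup (added example, not part of the
# article or of any distribution). Assumes GNU stat and the namespace.conf
# line syntax:  polydir instance_prefix method list_of_uids
# Usage: check_namespace_conf ROOT CONF [OWNER]
#   ROOT  - root of the tree to inspect ("/" on a live host, a scratch dir in tests)
#   CONF  - the namespace.conf file to read
#   OWNER - expected owner of each instance_prefix directory (default: root)
# Prints one line per problem and returns 1 if any were found, 0 otherwise.
check_namespace_conf() {
    ns_root=${1%/}           # "/" becomes "", so "$ns_root$prefix" stays absolute
    ns_conf=$2
    ns_owner=${3:-root}
    ns_errors=0
    # Read the file directly (not through a pipe) so ns_errors survives the loop.
    while read -r polydir prefix method uids; do
        case "$polydir" in ''|'#'*) continue ;; esac      # blank or comment line
        case "$method" in
            user|level|context) ;;
            *) echo "$polydir: unknown method '$method' (expected user, level or context)"
               ns_errors=$((ns_errors + 1)); continue ;;
        esac
        case "$prefix" in
            *'$'*) echo "$polydir: instance_prefix '$prefix' is per-user, not checked"; continue ;;
            /*) ;;
            *) echo "$polydir: instance_prefix '$prefix' is not an absolute path"
               ns_errors=$((ns_errors + 1)); continue ;;
        esac
        dir="$ns_root${prefix%/}"   # /tmp/tmp-inst/ in the file is the directory /tmp/tmp-inst
        if [ ! -d "$dir" ]; then
            echo "$polydir: instance directory $dir does not exist (logins would fail)"
            ns_errors=$((ns_errors + 1)); continue
        fi
        mode=$(stat -c %a "$dir")    # GNU stat prints mode 000 as "0"
        owner=$(stat -c %U "$dir")
        if [ "$mode" != 0 ]; then
            echo "$polydir: $dir has mode $mode, expected 000"
            ns_errors=$((ns_errors + 1))
        fi
        if [ "$owner" != "$ns_owner" ]; then
            echo "$polydir: $dir is owned by $owner, expected $ns_owner"
            ns_errors=$((ns_errors + 1))
        fi
    done < "$ns_conf"
    [ "$ns_errors" -eq 0 ]
}

# Run directly as: sh check_ns.sh / /etc/security/namespace.conf
if [ "$#" -ge 2 ]; then
    check_namespace_conf "$@"
    exit $?
fi
```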

    Modify PAM

    Next, modify the PAM configuration files to add the pam_namespace.so module to the list of required modules to run on login from the console and from the secure shell. Edit the /etc/pam.d/login and /etc/pam.d/sshd files to place the pam_namespace.so module on the last line in each file. Listing 2 and Listing 3 show where to add the module in /etc/pam.d/login and /etc/pam.d/sshd, respectively:

    Listing 2. Adding the PAM module to /etc/pam.d/login

        #%PAM-1.0
        auth       [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
        auth       include      system-auth
        account    required     pam_nologin.so
        account    include      system-auth
        password   include      system-auth
        # pam_selinux.so close should be the first session rule
        session    required     pam_selinux.so close
        session    include      system-auth
        session    required     pam_loginuid.so
        #session   optional     pam_console.so
        # pam_selinux.so open should only be followed by sessions to be executed in the user context
        session    required     pam_selinux.so open
        session    optional     pam_keyinit.so force revoke
        # Polyinstantiation:
        session    required     pam_namespace.so

    Listing 3. Adding the PAM module to /etc/pam.d/sshd

        #%PAM-1.0
        auth       include      system-auth
        account    required     pam_nologin.so
        account    include      system-auth
        password   include      system-auth
        session    optional     pam_keyinit.so force revoke
        session    include      system-auth
        session    required     pam_loginuid.so
        # Polyinstantiation:
        session    required     pam_namespace.so

    Enable X Windows

    Because of the way the X Window system uses temporary directories, graphical sessions might fail for users with a polyinstantiated /tmp directory. PAM executes the contents of the /etc/security/namespace.init file during login if pam_namespace is specified in any files in the /etc/pam.d directory. Use this file to make the necessary changes to allow X Windows to start correctly. A default namespace.init file is included with RHEL 5.1, but I have modified it slightly in Listing 4.

    Listing 4. Enables X Windows to start correctly

        #!/bin/sh
        # pam_namespace runs this script with the polyinstantiated directory as $1
        # and the user's new instance directory as $2.
        if [ "$1" = /tmp ]; then
            # Keep one shared X socket directory outside the per-user /tmp
            # (-d, not -f: the path is a directory)
            if [ ! -d /.tmp/.X11-unix ]; then
                mkdir -p /.tmp/.X11-unix
            fi
            mount --bind /tmp/.X11-unix /.tmp/.X11-unix
            # Carry the display lock file into the instance and expose the shared X0 socket there
            [ -f /tmp/.X0-lock ] && cp -fp -- /tmp/.X0-lock "$2/.X0-lock"
            mkdir -p -- "$2/.X11-unix"
            ln -fs -- /.tmp/.X11-unix/X0 "$2/.X11-unix/X0"
        fi
        exit 0

    Configure the Gnome Display Manager


    Configuring the Gnome Display Manager (GDM) is easy. Add the pam_namespace.so module to the list of required modules in the /etc/pam.d/gdm file. Listing 5 shows an example.

    Listing 5. Configuring the Gnome Display Manager

        #%PAM-1.0
        auth       required     pam_env.so
        auth       include      system-auth
        account    required     pam_nologin.so
        account    include      system-auth
        password   include      system-auth
        session    optional     pam_keyinit.so force revoke
        session    include      system-auth
        session    required     pam_loginuid.so
        session    optional     pam_console.so
        # Polyinstantiation:
        session    required     pam_namespace.so

    If you are using the X Display Manager (XDM) instead of GDM, configure the /etc/pam.d/xdm file in the same way. Now both the graphical logins and the command-line logins result in polyinstantiated /tmp and /var/tmp directories.

    Finishing up: Allowing for errors

    If PAM encounters an error when running the pam_namespace.so module, the login session for the user trying to log in will fail. Until you are sure that things are operating as you intend, allow logins to continue in case of an error. To enable the ignore_config_error option, add it to the end of the line in each file in the /etc/pam.d directory where you added the pam_namespace.so module.

    For example, in the /etc/pam.d/login file, edit the line containing the pam_namespace.so module as follows:

    session required pam_namespace.so ignore_config_error

    For a complete list of options, see the pam_namespace manual page. After a user logs in, check the file /var/log/secure for errors. When you are satisfied that your PAM configuration is correct, remove the ignore_config_error option.

    Finishing up: Results

    After you have modified and saved the configuration files, choose a non-root user account to test and log out all instances of that user from the system. Log in again and a new polyinstantiated /tmp and /var/tmp directory will be created for that user. Listing 6 and Listing 7 show what this looks like on the system and from the user's perspective. In this example, the username is robb.


    Listing 6. Console session from the user's perspective

        [robb@testbox tmp]$ cd /tmp
        [robb@testbox tmp]$ touch foo
        [robb@testbox tmp]$ ls
        foo

    Listing 7. Console session on the system as root

        [root@testbox ~]# ls /tmp
        tmp-inst
        [root@testbox ~]# ls /tmp/tmp-inst/
        robb
        [root@testbox ~]# ls /tmp/tmp-inst/robb/
        foo

    Because of polyinstantiation, robb's /tmp directory is isolated in a separate directory under /tmp/tmp-inst/, and robb cannot see the system /tmp directory or any files within it.

    Conclusion


    While polyinstantiation will not prevent every type of attack, it is a useful addition to your security toolkit that is straightforward to configure. Feel free to experiment by polyinstantiating other directories such as /home. With the ignore_config_error option, mistakes are not fatal, but don't forget to remove that option after you have finished testing your configuration.


    Resources

    Learn

    "Polyinstantiation of directories in an SE Linux system," by Russell Coker, describes the problems related to shared directories such as /tmp and /var/tmp, as well as problems related to having multiple SELinux security contexts used for accessing a single home directory.

    "Applying mount namespaces" (developerWorks, September 2007) shows you how to build your own filesystem setup without being constrained by the sysadmin-dictated structure; you'll discover some practical applications for advanced Linux mount features.

    "Secure programmer: Minimizing privileges" (developerWorks, May 2004) discusses how to minimize privileges by minimizing the privileged modules, the privileges granted, and the time the privileges are active.

    "What's new in SELinux for Red Hat Enterprise Linux 5" (Red Hat Magazine, May 2007) is an exhaustive overview of SELinux for RHEL5.

    This posting on shared subtrees (LWN.net, November 2005) answers the question "A process wants to clone its own namespace, but still wants to access the CD that got mounted recently" with a detailed list of features, semantics, mount state descriptions, and implementation issues.

    "SELinux from scratch" (developerWorks, May 2006) shows you how to build an SELinux-ready Gentoo system.

    "Role-based access control in SELinux" (developerWorks, February 2008) shows you how to work with RBAC in SELinux, and how the SELinux policy, kernel, and userspace work together to enforce the RBAC and tie users to a type enforcement policy.

    The following resources can help you get a handle on SELinux: SELinux History and Project FAQ, SELinux unofficial technical FAQ, and Configuring the SELinux Policy.

    Learn more about Security-Enhanced Linux at the NSA Web site.

    In the developerWorks Linux zone, find more resources for Linux developers, and scan our most popular articles and tutorials.

    See all Linux tips and Linux tutorials on developerWorks.

    Stay current with developerWorks technical events and Webcasts.

    Get products and technologies

    Get on the SELinux developers mailing list.


    Order the SEK for Linux, a two-DVD set containing the latest IBM trial software for Linux from DB2, Lotus, Rational, Tivoli, and WebSphere.

    With IBM trial software, available for download directly from developerWorks, build your next development project on Linux.

    Discuss

    Check out a journal on SELinux by Dan Walsh, the author of "What's new in SELinux for Red Hat Enterprise Linux 5" (Red Hat Magazine, May 2007).

    Get involved in the developerWorks community through blogs, forums, podcasts, and community topics in our new developerWorks spaces.

    About the author

    Robb R. Romans

    Robb Romans is a writer with the User Technologies group at IBM, which focuses on Linux, Cell Broadband Engine Architecture, and open source software. Before his current work with the Information Development team, Robb was a developer working on Linux security and embedded Linux.

    Trademarks

    DB2, Lotus, Rational, Tivoli, and WebSphere are trademarks of IBM Corporation in the United States, other countries, or both.

    Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
