Sshh… and See Linux – authorized keys

ssh-copy-id doesn’t really work ootb with root user and SeLinux enabled.

Tailing the audit.log we’ll see that sshd – being in the ssh_t context – can’t read() the authorized_keys file – which is in

type=AVC msg=audit(1354703208.714:285): avc: denied { read } for pid=9759 comm="sshd"
name="authorized_keys" dev=dm-0 ino=17461

Checking with ls -Z we found that DAC permissions are ok, but the MAC are not:
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 authorized_keys

Despite messing with audit2allow to modify policies, we just need to run:

# restorecon -v -R .ssh/

This will search in the already provided selinux policies and set the right fcontext for the given path.

To list the involved policies:

#semanage fcontext -l | grep ssh

Unable to login as a user on a 4.1 ESX server

By default, a 4.1 ESX server denies logins of standard users, while root access via ssh is enabled without problems. This has changed from 4.0 and has caused many headaches for those systems upgraded to 4.1.

Obviously, this is a security problem and something we do not want.

To protect your ESX server and restore standard user access, you have to replace the system-auth config file. In this event, an older 4.0 version of the file will do the job. Always remember to make a backup just in case something goes wrong (if it does and you don’t’re screwed, so pay attention)

#vi /etc/pam.d/system-auth

paste this content inside the file:

# Autogenerated by esxcfg-auth

account    required    /lib/security/$ISA/

auth          required    /lib/security/$ISA/
auth          sufficient           /lib/security/$ISA/        likeauth nullok
auth          required    /lib/security/$ISA/

password    requisite try_first_pass retry=3 dcredit=-1 ucredit=0  ocredit=-1 lcredit=-1 minlen=8
password           required    /lib/security/$ISA/            retry=3
password           sufficient           /lib/security/$ISA/        nullok use_authtok md5 shadow
password           required    /lib/security/$ISA/

session      required    /lib/security/$ISA/
session      required    /lib/security/$ISA/

You can now login to your 4.1 ESX server using standard login. Now go and harden your server!

Serving ACL on Samba

I was playing a bit with samba, and I guess if I was able to serve files using access control list (aka ACL).

Posix ACL

While standard unix permissions allow one owner, one group and everybody – with some tweekings like directory sticky bit – new filesystems like ext3 and xfs gave us a bit control more.

They implement POSIX ACL. This is an old but widely used standard. To enable ACL we should firstly ask to the filesystem to set them up.

#mount /home -o remouont,acl,user_xattr

Then we can start playing: create a file and get its unix permission.
First of all let’s use umask to disable other user access to newly created files

# umask 077
# touch  /home/rpolli/sample_acl.txt
# ls -la  /home/rpolli/sample_acl.txt
 -rw------- 1 rpolli rpolli 0 2011-10-13 17:28 /home/rpolli/sample_acl.txt

Thanks to umask nobody but the owner can access this file.
Then we get its acl with #getfacl and check that everything matches!

# getfacl  /home/rpolli/sample_acl.txt
getfacl: Removing leading '/' from absolute path names
# file:  home/rpolli/sample_acl.txt
# owner: rpolli
# group: rpolli

Now let’s give write permission to this file to the caldavd user, which is not in the rpolli group

#setfacl -m u:caldavd:rw /home/rpolli/sample_acl.txt
#getfacl /home/rpolli/sample_acl.txt
getfacl: Removing leading '/' from absolute path names
# file: home/rpolli/sample_acl.txt
# owner: rpolli
# group: rpolli

So, to our common sense, file permissions are no more 600, as there’s somebody that can read it. Let’s look at the ls output

# ls -l /home/rpolli/sample_acl.txt
-rw-rw----+ 1 rpolli rpolli 0 2011-10-13 17:35 sample_acl.txt

There’s an indicator that somebody can read it, and a “+” flag at the end of unix permissions, stating that this file uses some more security mechanism.

You can exclaim now “Very impressive, Kowalski, but…can it fly?”.

rpolli# sudo su - caldavd
caldavd$ ls /home/rpolli/
ls: cannot open directory /home/rpolli/: Permission denied
caldavd$ ls /home/rpolli/sample_acl.txt -la
-rw-rw----+ 1 rpolli rpolli 0 2011-10-13 17:35 /home/rpolli/sample_acl.txt

and finally

caldavd$ echo pippo>/home/rpolli/sample_acl.txt
caldavd$ cat /home/rpolli/sample_acl.txt

Serving it with samba

To serve a directory with Samba 3 we just have to add the following stanza to the smb.conf

   comment = Ioggstream Samba share
   read only = no
   path = /home/share/
   guest ok = no
   nt acl support = yes

First of all we need to share a folder. Disabling guests is optional, but to change ACL you have to authenticate: so no guests this time!
The compulsory statement is to allow “nt acl”.

Once we restart samba, we can browse our folder using a Windows Vista. Strangely enough the WindowsXP file browser doesn’t detect ACL on my server.

So open your client and go to \\\ (that’s my samba ip, use yours :P) and insert your credential.
Right click on your folder and select “Security” (Protezione in Italiano) and..voilà! You will be able to see and edit your files .permission!

Tales From The BCrypt

We always save sensitive info on our PC. When an encryptedfs is not usable or we have to put data on a shared filesystem – we can protect ourself a bit better than a locked zipfile with bcrypt.


# bcrypt serverpassword.txt
# bcrypt -o serverpassword.txt.bfe # print file to stdout
# bcrypt serverpassword.txt.bfe # restore serverpassword.txt