Re: /sbin/reboot and secmodel
Emmanuel Vadot wrote:
After playing a little bit with secmodel, I've tried to authorize a
user with a specific uid to reboot the system.
It didn't work as I expected and the secmodel callback isn't called at all.
After looking at the code of reboot and talking about this with elad@, I
see that two things just allow the root user to call /sbin/reboot:
    if (geteuid())
        errx(1, "%s", strerror(EPERM));

    if (kill(1, SIGTSTP) == -1)
        err(1, "SIGTSTP init");
I think that the check of the uid can be removed since we trust the
But for the signal SIGTSTP sent to init, I don't know, and honestly
I don't know what init does catching this signal :)
That one's a bit tricky. The reboot program tries to "gracefully" reboot
the system by doing some things it believes it's doing as root. Since at
the moment the KAUTH_SYSTEM_REBOOT action applies only to the very
reboot(2) syscall, it "breaks" somewhere in the middle when trying to
stop init (and later on signal all other processes).
While it may be possible to solve it with a lot of special casing, I
wonder if we shouldn't just move a lot of that logic to the kernel, and
add a RB_GRACEFUL to reboot(2), telling it "do all the things you used
to do in userland".
Is anyone seeing possible problems taking this route? Any other ideas on
how to address this?