#6888 ipa-custodia must not require DAC_OVERRIDE
Opened 2 years ago by cheimes. Modified 10 months ago

This problem blocks SELinux confinement of ipa-custodia. Dan Walsh explains DAC_OVERRIDE in his blog posting http://danwalsh.livejournal.com/69478.html . TL;DR it allows root to access files although user/group ownership and permission bits say otherwise.

ipa-custodia runs as root. The process or some subprocesses (pki, certutil) are accessing files that are not readable by root. ipa-custodia wants to read:

# ls -lahZ /var/lib/ipa/ra-agent.pem /var/lib/ipa/ra-agent.key /etc/pki/pki-tomcat/alias /etc/pki/pki-tomcat/password.conf
-rw-rw----. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_etc_rw_t:s0   77 Apr 20 17:13 /etc/pki/pki-tomcat/password.conf
-r--r-----. 1 root    ipaapi  system_u:object_r:ipa_var_lib_t:s0       1,7K Apr 20 16:10 /var/lib/ipa/ra-agent.key
-r--r-----. 1 root    ipaapi  system_u:object_r:ipa_var_lib_t:s0       1,4K Apr 20 16:10 /var/lib/ipa/ra-agent.pem

total 116K
drwxrwx---. 2 pkiuser pkiuser system_u:object_r:pki_tomcat_cert_t:s0   4,0K Apr 20 17:13 .
drwxrwx---. 6 pkiuser pkiuser system_u:object_r:pki_tomcat_etc_rw_t:s0 4,0K Apr 20 22:56 ..
-rw-------. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_cert_t:s0    64K Apr 20 22:56 cert8.db
-rw-------. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_cert_t:s0    36K Apr 20 22:56 key3.db
-r--------. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_cert_t:s0     42 Apr 20 16:10 pwdfile.txt
-rw-------. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_cert_t:s0    16K Apr 20 16:09 secmod.db

I see two possible solutions:

1) chgrp root and chmod g+r the files and directories /etc/pki/pki-tomcat/alias /etc/pki/pki-tomcat/alias/* /etc/pki/pki-tomcat/password.conf
2) introduce an ipa-custodia user with groups ipaapi, pkiuser, chmod g+r all files and run ipa-custodia as that user.

Option (2) is more secure as we would drop a privileged service and replace it with a more confined service. On the other hand it's also more work. ipa-custodia uses LDAPI to authenticate and bind uid=0,gid=0 via LDAPI auto-bind. It would be necessary to replace it with different bindings, e.g. an ipa-custodia service keytab or a statically allocated uid/gid.

Metadata Update from @cheimes:
- Custom field blocking adjusted to 6788
- Issue marked as blocking: #6788

2 years ago

The changes listed in (1) are not enough. It's also necessary to change /etc/pki/pki-tomcat to group root and allow g+x. The alias directory and *.db must be group read/writeable because ipa-custodia also writes to the files.

The script https://github.com/latchset/ipa-custodia-selinux/blob/master/fix_perm.sh tends to all permissions and SELinux context. I'm able to run ipa-replica-install, ipa-ca-install, ipa-kra-install and ipa ca-add without AVC.

More details about the ipa-custodia policy are in issue #6788 (in later comments).

Option (2) has an additional gotcha. ipa-custodia reads and writes the DM password hash from cn=config, attribute nsslapd-rootpw. By default root / Directory Manager are allowed to read or change the password hash.

Required permission changes:

old permissions

drwxrwx---. pkiuser pkiuser /etc/pki/pki-tomcat
drwxrwx---. pkiuser pkiuser /etc/pki/pki-tomcat/alias
-rw-------. pkiuser pkiuser /etc/pki/pki-tomcat/alias/cert8.db
-rw-------. pkiuser pkiuser /etc/pki/pki-tomcat/alias/key3.db
-r--------. pkiuser pkiuser /etc/pki/pki-tomcat/alias/pwdfile.txt
-rw-------. pkiuser pkiuser /etc/pki/pki-tomcat/alias/secmod.db
-rw-rw----. pkiuser pkiuser /etc/pki/pki-tomcat/password.conf

new permissions

drwxrwx---. pkiuser root    /etc/pki/pki-tomcat
drwxrwx---. pkiuser root    /etc/pki/pki-tomcat/alias
-rw-rw----. pkiuser root    /etc/pki/pki-tomcat/alias/cert8.db
-rw-rw----. pkiuser root    /etc/pki/pki-tomcat/alias/key3.db
-r--------. pkiuser pkiuser /etc/pki/pki-tomcat/alias/pwdfile.txt
-rw-rw----. pkiuser root    /etc/pki/pki-tomcat/alias/secmod.db
-rw-r-----. pkiuser root    /etc/pki/pki-tomcat/password.conf
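The point of the ticket is that root only reaches the old files because CAP_DAC_OVERRIDE lets it ignore the owner/group/other bits, and that the new group ownership makes plain DAC sufficient. The following is an added example (not code from the ticket or from FreeIPA) that replays both permission tables above, plus the two ra-agent files from the ls output, through a small DAC evaluator: for a given uid and group set it reports which paths would only be reachable with DAC_OVERRIDE. The numeric uids/gids, the listing format and all function names are assumptions made for this example.

```python
# Added example (not from the ticket or FreeIPA): a DAC evaluator that
# decides whether a process with a given uid and group set can open each
# listed object using only owner/group/other bits, i.e. without
# CAP_DAC_OVERRIDE. Numeric ids are assumptions for this example only.
UIDS = {"root": 0, "pkiuser": 17}
GIDS = {"root": 0, "pkiuser": 17, "ipaapi": 990}

# Constructed listings: the ticket's "old"/"new" tables plus the two
# ra-agent files from the ls output. Format: mode owner group path.
OLD_LISTING = """\
drwxrwx---. pkiuser pkiuser /etc/pki/pki-tomcat
drwxrwx---. pkiuser pkiuser /etc/pki/pki-tomcat/alias
-rw-------. pkiuser pkiuser /etc/pki/pki-tomcat/alias/cert8.db
-rw-------. pkiuser pkiuser /etc/pki/pki-tomcat/alias/key3.db
-r--------. pkiuser pkiuser /etc/pki/pki-tomcat/alias/pwdfile.txt
-rw-------. pkiuser pkiuser /etc/pki/pki-tomcat/alias/secmod.db
-rw-rw----. pkiuser pkiuser /etc/pki/pki-tomcat/password.conf
-r--r-----. root    ipaapi  /var/lib/ipa/ra-agent.key
-r--r-----. root    ipaapi  /var/lib/ipa/ra-agent.pem
"""

NEW_LISTING = """\
drwxrwx---. pkiuser root    /etc/pki/pki-tomcat
drwxrwx---. pkiuser root    /etc/pki/pki-tomcat/alias
-rw-rw----. pkiuser root    /etc/pki/pki-tomcat/alias/cert8.db
-rw-rw----. pkiuser root    /etc/pki/pki-tomcat/alias/key3.db
-r--------. pkiuser pkiuser /etc/pki/pki-tomcat/alias/pwdfile.txt
-rw-rw----. pkiuser root    /etc/pki/pki-tomcat/alias/secmod.db
-rw-r-----. pkiuser root    /etc/pki/pki-tomcat/password.conf
-r--r-----. root    ipaapi  /var/lib/ipa/ra-agent.key
-r--r-----. root    ipaapi  /var/lib/ipa/ra-agent.pem
"""

BITS = {"r": 4, "w": 2, "x": 1}


def parse_mode(symbolic):
    """'-rw-rw----.' -> (is_dir, 0o660). The trailing '.' is ls's SELinux
    context marker; lowercase s/t are treated as an x bit that is set."""
    s = symbolic.rstrip(".+@")
    if len(s) < 10:
        raise ValueError(f"bad mode string: {symbolic!r}")
    is_dir = s[0] == "d"
    mode = 0
    for i, ch in enumerate(s[1:10]):
        if ch in "rwxst":
            mode |= 1 << (8 - i)
    return is_dir, mode


def parse_listing(text):
    """Turn 'mode owner group path' lines into (path, is_dir, mode, uid, gid)."""
    entries = []
    for line in text.strip().splitlines():
        mode_s, owner, group, path = line.split()
        is_dir, mode = parse_mode(mode_s)
        entries.append((path, is_dir, mode, UIDS[owner], GIDS[group]))
    return entries


def dac_allows(mode, owner, group, uid, gids, want):
    """Linux DAC: exactly one triplet applies - the owner's if uid matches,
    otherwise the group's if any of the process's gids matches, else other's.
    A matching owner whose bits deny access is NOT rescued by group bits."""
    if uid == owner:
        shift = 6
    elif group in gids:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & BITS[want])


def blocked_without_dac_override(listing, uid, gids, want="r"):
    """Paths the process could only reach thanks to CAP_DAC_OVERRIDE.
    Directories are checked for traversal (x), files for `want` (r or w)."""
    blocked = []
    for path, is_dir, mode, owner, group in parse_listing(listing):
        need = "x" if is_dir else want
        if not dac_allows(mode, owner, group, uid, gids, need):
            blocked.append(path)
    return blocked


if __name__ == "__main__":
    root = (UIDS["root"], {GIDS["root"]})
    for label, listing in (("old", OLD_LISTING), ("new", NEW_LISTING)):
        for want in "rw":
            print(label, want, blocked_without_dac_override(listing, *root, want))
    # Option (2) from the ticket: a hypothetical ipa-custodia user (uid 991,
    # an assumption) in groups pkiuser and ipaapi, against the old layout.
    custodia = (991, {GIDS["pkiuser"], GIDS["ipaapi"]})
    print("custodia-user old r", blocked_without_dac_override(OLD_LISTING, *custodia))
```

Running it shows that with the old layout root needs DAC_OVERRIDE for every pki-tomcat object, that the new layout leaves only alias/pwdfile.txt unreadable for root (password.conf is readable but, as intended, not writable by group root), and that the hypothetical option (2) user still needs the chmod g+r on the *.db files and pwdfile.txt, which matches the ticket's note that option (2) requires extra permission work.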

Metadata Update from @pvoborni:
- Issue priority set to: major
- Issue set to the milestone: FreeIPA 4.7

2 years ago


  • 6a09704 ipa-custodia: use Dogtag's alias/pwdfile.txt

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

2 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone


  • beffa7b Move Custodia secrets handler to scripts
