When using the mac_biba module, only root processes that are capable of attaining biba/equal status are considered privileged. Among the privileges to be lost for processes that cannot attain biba/equal is the ability to set the login class of the process. When sshd sets the user's context upon successful authentication (session.c:1494), both the user's login class and the corresponding MAC label are set in the same call to setusercontext. Since this isn't an atomic function, it's possible for the MAC label to be set before the login class (in my case, this certainly happens.) Therefore, if the login class of the user logging in has a MAC label in /etc/login.conf incompatible with biba/equal (e.g. biba/high(high-high)) then the login class might not be set (in my case it *doesn't* get set.) This can cause unexpected behavior for tools that can be configured by login class, e.g. rctl. My proposed solution is to separate context-setting into two calls to setusercontext, with the first call setting all but LOGIN_SETMAC, and the second call setting only LOGIN_SETMAC. I've included a patch, which works on my system. Fix: Patch /usr/src/crypto/openssh/session.c so that the MAC label is explicitly set after the login class is set. Patch attached with submission follows: How-To-Repeat: - Enable mac_biba. - Set the MAC label of a login class to ":label=biba/high(high-high):" in /etc/login.conf and run cap_mkdb. By default, sshd will probably run under the "default" login class; therefore, use a different login class so that a change in login class is required upon login. - Log in remotely as a user who is a member of the login class modified in the step above. The login should succeed. - Look at /var/log/messages for a message regarding setloginclass, and/or use `ps -o class -aux | grep sshd` to verify that the login class hasn't been set properly for the logged-in user.
(The following comment did not carry over when the bug report was migrated to the new system.) From: Kevin Barry <ta0kira@gmail.com> [submitter] To: bug-followup@FreeBSD.org, ta0kira@gmail.com Date: Sun, 7 Apr 2013 23:50:35 -0400 I submitted this bug report earlier, and since then I've noticed that /usr/bin/login suffers from the same problem. I've therefore made a change to libutil to make setusercontext set the MAC label right before the uid change. I've attached a separate patch that should universally fix the problem. This also makes my previous sshd patch obsolete. Incidentally, this should be reclassified as a bug in libutil.
(The following comment did not carry over when the bug report was migrated to the new system.) From: Kevin Barry <ta0kira@gmail.com> [submitter] To: bug-followup@FreeBSD.org, ta0kira@gmail.com Date: Fri, 12 Apr 2013 15:20:10 -0400 Here's a new patch for login_class.c. As far as I can tell there is no reason to require that a passwd entry be specified in order to set the MAC label; therefore, I removed that requirement. Additionally, the current implementation silently fails to set the MAC label when the pwd argument is NULL, and silent failure when it comes to security isn't a good thing. While not directly related to the original problem, it's related to the underlying issue, which is that the handling of MAC labels in setusercontext has several bugs in need of fixing.
I will try to look into this.
Created attachment 221063 [details] libutil patch updated for 12.2-RELEASE
Keyword: patch or patch-ready – in lieu of summary line prefix: [patch] * bulk change for the keyword * summary lines may be edited manually (not in bulk). Keyword descriptions and search interface: <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>