General information about the "Abolish Root Daemons!" source release
--------------------------------------------------------------------

This package contains patches and code to let most network software
daemons run normally, but without root privileges.

Descriptions of files and directories in the dist tree:

  /
    Makefile        - build asp, set2gid, and testauth
    asp.c           - Authentication Server Process
    auth.h          - ioctl interface for /dev/auth and /dev/authsrvr
    checkpw.c       - programmatic interface to /dev/auth
    checkpw.h       - declarations of authentication routines
    readme.txt      - this file

  authmod/          - Linux kernel module, implements /dev/auth and /dev/authsrvr
    Makefile        - build authmod.o
    authmod.c       - kernel module code
    authmod.h       - decls for authmod.c
    kutil.h         - generic kernel module utilities
    mykmalloc.c     - debugging kmalloc
    mykmalloc.h     - decls for mykmalloc.c

  chroot/           - code to test new chroot interface
    Makefile        - build breakchroot and mychroot
    breakchroot.c   - break out of a chroot jail
    mychroot.c      - calls chroot() or rename_chroot()

  mysucap/          - obsolete Linux capability stuff

  pam_authc/        - PAM module to use /dev/auth
    Makefile        - build pam_authc.o
    pam_authc.c     - module code

  regression/       - regression tests
    ta.in1          - input for testauth
    ta.out1         - expected output for testauth

  patches/          - patches to daemon code and the kernel
    bsd-ftpd        - patch to BSD-ftpd for linux
    sshd            - patch to ssh-1.2.30
    cbpp            - kernel patch to implement cbpp group
    chroot          - kernel patch for chroot and rename_chroot
    setgroups       - kernel patch for new setgroups/setresgid

Instructions on using this software:

  1. Get Linux kernel 2.2.17 working on your system; the sources
     should be in /usr/src/linux-2.2.17

  2. Apply the three kernel patches:

       % cd patches
       % patch -p0 < cbpp*
       % patch -p0 < chroot*
       % patch -p0 < setgroups*

     Then recompile and reboot.

  3. Create a 'cbpp' group.  Add a line to your /etc/rc.d/rc.local
     (or similar) like this:

       echo 102 > /proc/sys/kernel/cbpp-gid

     where 102 is the group id of cbpp.  Then execute this command
     directly to make it take effect now.

     (Optional) Test the new chroot and setgroups interfaces.  The
     mychroot program can be used to experiment with the former, and
     testauth experiments with the latter.

  4. Get ssh-1.2.30 and apply the ssh patch.  Then

       % ./configure --enable-dev-auth
       % make

     Create a new user (say, 'sshd'), chown all the /etc/ssh* files
     to that user, and run sshd as that user.  Make this user's
     primary group be cbpp.

     The modified ssh daemon will work only if RSAAuthentication is
     disabled.  A short delay is introduced when sshd attempts to
     authenticate with an empty password.  The pseudoterminal remains
     owned by 'sshd' instead of the target user.  These issues will
     be fixed in a future version.

  5. Get BSD-ftpd-0.3.2 and apply the ftpd patch.  Then

       % make

     Create a new user (say, 'initftp'), with primary group cbpp.
     Then arrange (in /etc/inetd.conf) to run ftpd as initftp.

     Create /etc/sandbox_users with the following contents

       # for ftp
       initftp -> ftp

     This means 'initftp' can become 'ftp' during anonymous FTP
     sessions.

     The modified ftp daemon should function normally in all respects.

We plan to patch more daemons in the near future to work with our
system.  If you have a daemon that you'd like ported, let me know.

If you have questions, let me know.

-Scott McPeak
 smcpeak@cs.berkeley.edu
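
A check for the accounts and /etc/sandbox_users rules set up in steps 3
to 5, as an added example that is not part of the package.  It assumes
every rule has the 'source -> target' form of the one sample above;
audit_cbpp, make_sample, the sample accounts and the policy checks
(including the one on root targets) are hypothetical and constructed
for illustration.

```shell
#!/bin/sh
# Added example (not part of the package): audit sandbox_users rules against
# the account setup the readme asks for.
# Assumed: every rule reads "source -> target" with '#' comments, as in the
# single sample in the readme; the policy checks are this example's own.

# audit_cbpp PASSWD_FILE SANDBOX_FILE CBPP_GID
# On a patched kernel CBPP_GID would be $(cat /proc/sys/kernel/cbpp-gid).
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_cbpp() {
    awk -v gid="$3" '
    pass == 1 { uid[$1] = $3; pgid[$1] = $4; next }   # load passwd entries
    {
        sub(/#.*/, "")                 # drop comments; awk re-splits fields
        if (NF == 0) next
        if (NF != 3 || $2 != "->") { report("unrecognised rule"); next }
        if (!($1 in uid)) report("unknown source user " $1)
        else {
            if (uid[$1] + 0 == 0) report("source " $1 " is root")
            if (pgid[$1] + 0 != gid + 0) report($1 " primary group is not cbpp")
        }
        if (!($3 in uid)) report("unknown target user " $3)
        else if (uid[$3] + 0 == 0) report("rule lets " $1 " become root")
    }
    function report(msg) { print FILENAME ":" FNR ": " msg; bad = 1 }
    END { exit bad + 0 }
    ' FS=: pass=1 "$1" FS=' ' pass=2 "$2"
}

# Constructed sample data, written to a scratch directory.
make_sample() {
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
        'ftp:x:14:50::/var/ftp:/bin/false' \
        'initftp:x:201:102::/:/bin/false' \
        'webd:x:202:100::/:/bin/false' > "$1/passwd"
    printf '%s\n' '# for ftp' 'initftp -> ftp' 'webd -> root' \
        'nosuch -> ftp' > "$1/sandbox_users"
}

tmp=$(mktemp -d) && make_sample "$tmp"
audit_cbpp "$tmp/passwd" "$tmp/sandbox_users" 102 ||
    echo "fix the findings above before starting the daemons"
```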