Move DESIGN and README to root directory.
This commit is contained in:
parent b2daf09c10
commit 15f6bb66ee
@ -1,19 +1,17 @@
|
|||||||
ifchd, copyright (c) 2004 Nicholas Kain. Licensed under GNU GPL.
|
ifchd, copyright (c) 2004-2010 Nicholas Kain. Licensed under GNU GPL.
|
||||||
|
|
||||||
Requirements:
|
Requirements:
|
||||||
|
|
||||||
Linux kernel (tested: 2.4, 2.6)
|
Linux kernel (tested: 2.4, 2.6)
|
||||||
* libcap is required (available via ftp.kernel.org)
|
* libcap is required (available via ftp.kernel.org)
|
||||||
|
|
||||||
C99-compliant C compiler (for C99 struct subobject init)
|
C99-compliant C compiler (for C99 struct subobject init)
|
||||||
* any modern GCC should be sufficient
|
* any modern GCC should be sufficient
|
||||||
|
|
||||||
Tested with glibc 2.2.x and 2.3.x. dietlibc is not compatible. I have not yet
|
Tested with glibc 2.2.x and 2.3.x. dietlibc is not compatible. I have not yet
|
||||||
tested uclibc.
|
tested uclibc.
|
||||||
|
|
||||||
I may bother to port to other operating systems, but don't count on it. Other
|
I may bother to port to other operating systems, but don't count on it.
|
||||||
OSes lack the functionality of a [RSBAC|SELinux]+PaX enabled kernel, so I find
|
|
||||||
them to be less useful for a highly secured system.
|
|
||||||
|
|
||||||
INTRODUCTION
|
INTRODUCTION
|
||||||
------------
|
------------
|
||||||
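Review bot: with the copyright line now reading "2004-2010", the Requirements block in this same hunk still states "Linux kernel (tested: 2.4, 2.6)" and "Tested with glibc 2.2.x and 2.3.x. dietlibc is not compatible. I have not yet tested uclibc."; those test claims are several years older than the new date and should either be refreshed or explicitly marked as the last versions verified. Dropping "Other OSes lack the functionality of a [RSBAC|SELinux]+PaX enabled kernel, so I find them to be less useful for a highly secured system." also removes the only stated rationale for the Linux-only position; since the RSBAC NOTES section is deleted further down in this commit, a sentence saying whether RSBAC is still a supported configuration would keep the two changes consistent.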
@ -58,7 +56,7 @@ Patches that provide support for new systems are welcome.
|
|||||||
USAGE
|
USAGE
|
||||||
-----
|
-----
|
||||||
|
|
||||||
1) Compile and install ifchd and ndhc.
|
1) Compile and install ifchd and ndhc.
|
||||||
a) Build ifchd with "make"
|
a) Build ifchd with "make"
|
||||||
b) Enter ndhc directory and build ndhc with "make"
|
b) Enter ndhc directory and build ndhc with "make"
|
||||||
c) Install the ifchd and ndhc executables in a normal place. I would
|
c) Install the ifchd and ndhc executables in a normal place. I would
|
||||||
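Review bot: no changed line is visible in this hunk's context, which shows only the USAGE heading and steps 1a) to 1c). Step c), "Install the ifchd and ndhc executables in a normal place", is vague for daemons that the init script below starts as root and that then drop to the ifchd and dhcp users via "-u ifchd -g ifchd -U dhcp -G ifchd"; naming a concrete location (for instance /usr/sbin) and the expected ownership and mode of the binaries would make the step actionable and reduce the chance of a world-writable install path.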
@ -67,36 +65,36 @@ USAGE
|
|||||||
2) Time to create the jail in which ifchd and ndhc will run.
|
2) Time to create the jail in which ifchd and ndhc will run.
|
||||||
a) Become root and create new group "ifchd".
|
a) Become root and create new group "ifchd".
|
||||||
|
|
||||||
$ su -
|
$ su -
|
||||||
# umask 077
|
# umask 077
|
||||||
# groupadd ifchd
|
# groupadd ifchd
|
||||||
|
|
||||||
b) Create new users "ifchd" and "dhcp". The primary group of these
|
b) Create new users "ifchd" and "dhcp". The primary group of these
|
||||||
users should be "ifchd".
|
users should be "ifchd".
|
||||||
|
|
||||||
# useradd -d /var/lib/ndhc -g ifchd ifchd
|
# useradd -d /var/lib/ndhc -g ifchd ifchd
|
||||||
# useradd -d /var/lib/ndhc -g ifchd dhcp
|
# useradd -d /var/lib/ndhc -g ifchd dhcp
|
||||||
|
|
||||||
b) Create the jail directory and set its ownership properly.
|
b) Create the jail directory and set its ownership properly.
|
||||||
|
|
||||||
# mkdir /var/lib/ndhc
|
# mkdir /var/lib/ndhc
|
||||||
# chown ifchd.ifchd /var/lib/ndhc
|
# chown ifchd.ifchd /var/lib/ndhc
|
||||||
# chmod a+rx /var/lib/ndhc
|
# chmod a+rx /var/lib/ndhc
|
||||||
|
|
||||||
c) Create a urandom device for ndhc to use within the jail.
|
c) Create a urandom device for ndhc to use within the jail.
|
||||||
|
|
||||||
# cd /var/lib/ndhc
|
# cd /var/lib/ndhc
|
||||||
# mkdir dev
|
# mkdir dev
|
||||||
# mknod dev/urandom c 1 9
|
# mknod dev/urandom c 1 9
|
||||||
# chown -R root.root dev
|
# chown -R root.root dev
|
||||||
# chmod a+rx dev
|
# chmod a+rx dev
|
||||||
# chmod a+r dev/urandom
|
# chmod a+r dev/urandom
|
||||||
|
|
||||||
d) (optional) If you wish for logging to properly work, you
|
d) (optional) If you wish for logging to properly work, you
|
||||||
will need to properly configure your logging daemon so that it
|
will need to properly configure your logging daemon so that it
|
||||||
opens a domain socket in the proper location within the jail.
|
opens a domain socket in the proper location within the jail.
|
||||||
Since this varies per-daemon, I cannot provide a general
|
Since this varies per-daemon, I cannot provide a general
|
||||||
configuration.
|
configuration.
|
||||||
|
|
||||||
3) At this point the jail is usable; ifchd and ndhc are ready to
|
3) At this point the jail is usable; ifchd and ndhc are ready to
|
||||||
be used. As an example of a sample configuration, here is my
|
be used. As an example of a sample configuration, here is my
|
||||||
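Review bot: the sub-steps of step 2 are labelled a), b), b), c), d); the second "b) Create the jail directory and set its ownership properly." should become c), with the following two steps shifted to d) and e). "chown ifchd.ifchd /var/lib/ndhc" and "chown -R root.root dev" use the dot form of the owner/group separator, which GNU chown keeps only for backward compatibility and which is ambiguous when a user name contains a dot; prefer "chown ifchd:ifchd /var/lib/ndhc" and "chown -R root:root dev". Both "useradd -d /var/lib/ndhc ..." lines also name a home directory that does not exist until the next step; that works because useradd without -m does not create it, but a short remark to that effect would stop readers from reordering the steps or adding -m and ending up with a user-owned jail root.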
@ -106,14 +104,14 @@ USAGE
|
|||||||
|
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
case "$1" in
|
case "$1" in
|
||||||
start)
|
start)
|
||||||
ifchd -i eth0 -p /var/run/ifchd.pid -u ifchd -g ifchd -U dhcp -G ifchd \
|
ifchd -i eth0 -p /var/run/ifchd.pid -u ifchd -g ifchd -U dhcp -G ifchd \
|
||||||
-c /var/lib/ndhc &> /dev/null
|
-c /var/lib/ndhc &> /dev/null
|
||||||
ndhc -b -i eth0 -u dhcp -C /var/lib/ndhc &> /dev/null
|
ndhc -b -i eth0 -u dhcp -C /var/lib/ndhc &> /dev/null
|
||||||
;;
|
;;
|
||||||
stop)
|
stop)
|
||||||
killall ndhc ifchd
|
killall ndhc ifchd
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
--END--
|
--END--
|
||||||
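Review bot: the sample script starts with "#!/bin/sh" but uses "&> /dev/null" on both the ifchd and ndhc lines; that redirection is a bash/zsh extension, and a POSIX sh such as dash parses "ifchd ... -c /var/lib/ndhc &> /dev/null" as "ifchd ... &" followed by a separate "> /dev/null", so ifchd is backgrounded and its output is not discarded at all. Use "> /dev/null 2>&1", or change the interpreter line to "#!/bin/bash". In the "stop)" branch, "killall ndhc ifchd" matches by process name and will also signal any unrelated process that happens to carry either name; since ifchd is already started with "-p /var/run/ifchd.pid", stopping it through that pid file (kill "$(cat /var/run/ifchd.pid)") is the more precise choice, and ndhc could be given a pid file the same way.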
@ -138,22 +136,6 @@ ifchd can be set such that it only allows clients to configure particular
|
|||||||
network interfaces. The --interface (-i) argument does the trick, and may
|
network interfaces. The --interface (-i) argument does the trick, and may
|
||||||
be used multiple times to allow multiple interfaces.
|
be used multiple times to allow multiple interfaces.
|
||||||
|
|
||||||
RSBAC NOTES
|
|
||||||
-----------
|
|
||||||
|
|
||||||
I was personally unable to get ifchd to properly function with RSBAC_NET_DEV
|
|
||||||
enabled. Browsing the rsbac source, I was unable to figure out what I was
|
|
||||||
doing incorrectly -- my RC definitions were as far as I could tell, correct.
|
|
||||||
Therefore, my directions assume that you have disabled RSBAC_NET_DEV in your
|
|
||||||
kernel configuration.
|
|
||||||
|
|
||||||
The normal usage directions may be followed, but an additional step for rsbac
|
|
||||||
is necessary. Change to your secoff account and invoke rsbac_fd_menu on the
|
|
||||||
ifchd and ndhc executables. The AUTH capability for your ifchd and dhcp groups
|
|
||||||
must be allowed on the corresponding executables, otherwise ifchd and ndhc will
|
|
||||||
be unable to change to a non-root user and will refuse to run.
|
|
||||||
|
|
||||||
|
|
||||||
GRSECURITY NOTES
|
GRSECURITY NOTES
|
||||||
----------------
|
----------------
|
||||||
|
|
||||||
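Review bot: this hunk deletes the whole RSBAC NOTES section, including the operational requirement that the AUTH capability be allowed for the ifchd and dhcp groups on the ifchd and ndhc executables, without which "ifchd and ndhc will be unable to change to a non-root user and will refuse to run". If RSBAC is no longer supported, the commit message ("Move DESIGN and README to root directory.") should say that the section was dropped, because the message describes only a file move; if RSBAC is still supported, the AUTH requirement should stay, since a daemon that cannot drop privileges and therefore refuses to start is exactly the failure mode a user will hit first. The GRSECURITY NOTES section immediately after is kept, so it is worth confirming the asymmetry is intended.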
@ -188,4 +170,3 @@ nonstandard semantics (notably Solaris). On these systems, using the
|
|||||||
system-provided implementations may lead to security problems. Such problems
|
system-provided implementations may lead to security problems. Such problems
|
||||||
are the fault of the vendor. If you are unsure whether your system is correct
|
are the fault of the vendor. If you are unsure whether your system is correct
|
||||||
or not, I suggest using the implementation that I provide.
|
or not, I suggest using the implementation that I provide.
|
||||||
|
|