Next Previous Contents

4. LIDS Administration

4.1 How do I set my LIDS password?

Before you reboot into your LIDS enhanced kernel, enter the following at the command prompt:

# lidsadm -P

You will then be prompted for a LIDS password:

MAKE
enter password:
Verifying enter password:

This will write your RipeMD-160 encrypted password to the /etc/lids/lids.pw file.

4.2 How do I change my LIDS password once it is set?

You must first create a LIDS free session. Then set your password using the "-P" option just like you did the first time (you will not be prompted for your current password). After resetting your LIDS password, you must tell LIDS to reload its configuration files.

4.3 What is a LIDS free session and how do I create one?

A LIDS free session (LFS) is a terminal session that is not restricted by LIDS. This option is available so you can administer your system without having to reboot into a non-LIDS kernel. In order for this to work, you must have selected this option when you compiled your LIDS enhanced kernel:

  [*] Allow switching LIDS protections
To create an LFS, enter the following at the prompt:

# lidsadm -S -- -LIDS

You will then be prompted for your LIDS password. This terminal is now LIDS free. It will remain LIDS free until you:

You can only have one LFS active at any one time. Even though lidsadm -S -- -LIDS will not fail if entered on another terminal, you can have only one LFS.

4.4 I created a LIDS free session, but LIDS still appears to be active! What's wrong?

This can happen if you create an LFS on a virtual console and then switch to another virtual console and try to administer your machine. To clear it up, try enabling LIDS and then disabling it again (entering passwords when prompted):

# lidsadm -S -- +LIDS
# lidsadm -S -- -LIDS

4.5 How do I tell LIDS to reload its configuration files?

In order for LIDS to be able to reload its configuration files, you must enable this option when you configure your LIDS enhanced kernel:

  [*]  Allow switching LIDS protections
  (3)    Number of attempts to submit password
  (30)     Time to wait after a fail (seconds)
  [ ]    Allow remote users to switch LIDS protections
  [ ]    Allow any program to switch LIDS protections
  [*]    Allow reloading config. file   <----------------------------

NOTE: You must allow switching LIDS protections in order to enable reloading of configuration files.

From an LFS (or with LIDS_GLOBAL disabled), execute the following command to instruct LIDS to reload its configuration files:

# lidsadm -S -- +RELOAD_CONF

This will reload the following configuration files:

4.6 Help!!! My system is totally unusable! What do I do?

You can reboot into a non-LIDS enhanced kernel, or boot into your LIDS enhanced kernel with LIDS disabled to try and patch things up. To boot with LIDS disabled, specify security=0 at the lilo prompt. For example, if your LIDS enhanced kernel is called lids-kernel you would enter the following at the lilo prompt:

lilo: lids-kernel security=0

That's the easy part. The difficult part is getting your LIDS enabled system to shutdown. You may not be able to shutdown successfully depending on your LIDS configuration.

WARNING: Rebooting your LIDS enabled system when it is not properly configured can cause file system corruption and/or loss of data!!

4.7 I've updated/moved a system binary. How do I tell LIDS that the file changed/moved?

Whenever the device that a file resides on, or a file's inode number changes, you must update your /etc/lids/lids.conf file with the proper information. Fortunately, Xie has provided us with an option just for this occasion:

# lidsadm -U

You must then reload the configuration files.

4.8 OK, without rebooting, how do I completely disable LIDS?

Besides using an LFS, LIDS can be turned off globally. This will only work if you compiled the option into your kernel.

# lidsadm -S -- -LIDS_GLOBAL

When LIDS_GLOBAL is disabled, your system will operate like a "normal" Linux system. To re-enable LIDS globally, perform the opposite:

#lidsadm -S -- +LIDS_GLOBAL

NOTE: This will not affect your LFS if you currently have one enabled.

4.9 What does it mean to "seal the kernel"?

At the end of the bootup process, you should seal the kernel. This sets the global capabilities on your system according to your /etc/lids/lids.cap file. File ACLs are enforced even before the kernel is sealed, however. To seal the kernel, put the following at the end of your rc.local (assuming SysV style init):

/sbin/lidsadm -I

The "-I" option is only used to seal the kernel. After it's sealed, you must use the "-S" option to make changes to your system.

WARNING: If you do not seal your kernel at boot time, you will not receive the full benefits of a LIDS enhanced system.

4.10 How do I view the status of my LIDS system?

In order to use the "-V" option, you must have compiled lidsadm with make VIEW=1 (see above).

At the command line, enter:

# lidsadm -V

This will produce output similar to the following on a 2.2.x kernel:

VIEW
                     CAP_CHOWN 0
              CAP_DAC_OVERRIDE 0
           CAP_DAC_READ_SEARCH 0
                    CAP_FOWNER 0
                    CAP_FSETID 0
                      CAP_KILL 0
                    CAP_SETGID 0
                    CAP_SETUID 0
                   CAP_SETPCAP 0
           CAP_LINUX_IMMUTABLE 0
          CAP_NET_BIND_SERVICE 0
             CAP_NET_BROADCAST 0
                 CAP_NET_ADMIN 0
                   CAP_NET_RAW 0
                  CAP_IPC_LOCK 0
                 CAP_IPC_OWNER 0
                CAP_SYS_MODULE 0
                 CAP_SYS_RAWIO 0
                CAP_SYS_CHROOT 0
                CAP_SYS_PTRACE 0
                 CAP_SYS_PACCT 0
                 CAP_SYS_ADMIN 0
                  CAP_SYS_BOOT 1
                  CAP_SYS_NICE 0
              CAP_SYS_RESOURCE 1
                  CAP_SYS_TIME 0
            CAP_SYS_TTY_CONFIG 0
                    CAP_HIDDEN 1
                 CAP_INIT_KILL 0
                   LIDS_GLOBAL 1
                               0
                   RELOAD_CONF 0
                          LIDS 0

As you can see from the output above, this system has an LFS active. However, LIDS is enabled globally. The items with a "1" next to them are enabled, and those items with a "0" next to them are disabled. Except for the last two capabilities, root normally has all of the above capabilities. Thanks to LIDS, root only has capabilities CAP_SYS_BOOT, CAP_SYS_RESOURCE, and CAP_HIDDEN in this particular case (NOTE: CAP_HIDDEN isn't a capability provided by the standard Linux kernel).

4.11 How do I configure the port scan detector in LIDS?

You don't. As long as you selected the option when you configured your LIDS enhanced kernel, the port scan detector is enabled.

   [*]  Port Scanner Detector in kernel

4.12 What are the subject and object in a LIDS ACL?

The subject is a program that can run on a Linux system, such as a binary or shell script. The object is what the subject wants to access. This includes files, directories, capabilities, etc.

4.13 Can I enable/disable a system capability without modifying /etc/lids/lids.cap and reloading the configuration files?

Yes. However, this method will not save the changes past system shutdown.

To enable a capability:

# lidsadm -S -- +CAP_SYS_ADMIN

To disable a capability:

# lidsadm -S -- -CAP_SYS_ADMIN

4.14 I've reconfigured my LIDS ACLs, but my changes don't seem to take effect. What's wrong?

There are two things you should do when re-configuring LIDS:

  1. Reload the configuration files.
  2. Restart the service or services that your changes affected.

4.15 Why won't lidsadm -L list my ACLs?

lidsadm -L must be used from an LFS or when LIDS_GLOBAL is disabled. If neither of those conditions are true, you will see the following error message:

lidsadm: can not open conf file
reason:: Permission denied
LIST

4.16 Is there anyway to reduce the number of LIDS violations that get reported on the console?

Yes. The syslog init script can be modified to start klogd with the "-c" option. This options sets the default level of system messages that get logged to the console. Any message with a value less than the value specified will appear on the console (see include/linux/kernel.h).

For example:

klogd -c 4

Tells klogd to log all messages below level 4 will be logged to the console.

4.17 Should I be concerned about the LD_PRELOAD environment variable with LIDS?

Yes. For setuid programs, the LD_PRELOAD env var is "cleansed" so that it can't affect the libraries loaded by a program (with the exception of recent glibc vulnerabilities).

Problems arise when you grant special capabilities or file access permissions to non-setuid binaries. Since the LD_PRELOAD env var isn't "cleansed" before loading libraries, someone with malicious intent could load a trojaned library and it would have the same special capabilities/file access permissions that were given to the original program.

Possible options to reduce your risk:

4.18 When I boot up, the message "read password file error" appears. How do I fix the problem?

This happens when you forget to set the LIDS password before booting into LIDS the first time. To fix the problem, reboot your machine (see booting an unusable system) and set your LIDS password.


Next Previous Contents