Using both group and user roles?

Postby mnalis » Mon Dec 02, 2013 5:35 am

Would it be possible to add a new mode for the user roles, which would allow using BOTH group and user roles? Currently if I create a user role, the group role that also matches that user is completely ignored. I'd like a mode for the user role (for example, "role someuser uM" - "M" as merge or whatever) in which both the group (matching GID) and user (matching UID) roles are effective, with anything specified in the user role obviously overriding anything specified in the group role.

I have hundreds of users in the same group, and while 95% of the users can be covered by a very restrictive group role, a few dozen cannot. As a simple example of what I mean (the real thing is much more complex of course), I might want to disable executing '/usr/sbin/sendmail' for most of them (in the group role), but a few users should be allowed to do it, while all the other restrictions specified for the group still apply.

Currently I have the option to write user roles for them (which contain a copy/pasted 99% of the group role restrictions, and just one or a few exceptions), but that leads to massive duplication of definitions.
Or (if simplicity and maintainability are more important to me) I can lower the restrictions for the whole group, which is also wrong...

I've tried working around this with includes - unfortunately it does not help much, as I cannot override things with them ("duplicate subject..." etc.)
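To make the duplication concrete, here is an added illustration (not part of the original post and not grsecurity project code) written in the style of a grsecurity RBAC policy file. The role names, the subject bodies and the object paths are made up for the example, and the "M" role mode at the end is the poster's hypothetical proposal, not an existing gradm flag:

```text
# Constructed example in /etc/grsec/policy style.

# Group role: everyone whose GID matches "staff" gets this restrictive policy.
role staff g
role_allow_ip 0.0.0.0/0
subject / {
	/			h
	/bin			rx
	/lib			rx
	/usr/bin		rx
	/usr/lib		rx
	/etc			r
	/home			rwcd
	/usr/sbin/sendmail	h	# no "x": the group cannot execute sendmail
	-CAP_ALL
}

# Today: a user role matched on UID replaces the group role entirely,
# so granting "alice" one exception means copying the whole subject above.
role alice u
role_allow_ip 0.0.0.0/0
subject / {
	/			h
	/bin			rx
	/lib			rx
	/usr/bin		rx
	/usr/lib		rx
	/etc			r
	/home			rwcd
	/usr/sbin/sendmail	rx	# the single intended difference
	-CAP_ALL
}

# Proposed (hypothetical "M" merge mode, as requested in the post):
# the group role "staff" stays in force and only the listed objects
# override it, so the exception is a two-line role instead of a copy.
role alice uM
subject / {
	/usr/sbin/sendmail	rx
}
```

With the merge semantics the post asks for, every object and capability not mentioned in the user role would still be governed by the matching group role, which is what keeps the "all the other restrictions still apply" property the post wants without maintaining dozens of near-identical copies.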