object globbing


Post by msw » Sat Sep 20, 2003 10:00 pm

Hi.

I just tested a little bit with ACLs (grsecurity 1.9).
I want to deny a user from creating (writing) a file in a directory which is writeable for him.

/ {
    / r
    ...
    ...
    /home rwx
    /home/userdir/file r
}

This works fine.
The user can write/edit/read files in "userdir" but isn't able to create/modify/delete "file".

But I want to do this for all users.
I simply set up this ACL:

/ {
    / r
    ...
    ...
    /home rwx
    /home/*/file r
}

It seems that in this statement it isn't possible to drop write privileges in a directory which has read/write privileges.
The other way around works: home dir readable only (therefore all sub-directories readable only, in every sub-directory "file" can be made writeable).

Is there a possibility to keep all users from creating or modifying some special file in their writeable home directory without the need of having an object statement for every user directory?
msw
 
Posts: 8
Joined: Sat Sep 20, 2003 9:36 pm
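
The explicit per-directory line in the first ACL is the form the post reports as working, so those lines can be generated instead of maintained by hand. The following shell function is an added example, not part of the original post or of grsecurity; `gen_home_objects` and its arguments are hypothetical names, and its output is assumed to be pasted into the subject block by the administrator.

```shell
#!/bin/sh
# Added example: print one object line per home directory, in the
# "/home/userdir/file r" form shown in the post.
# gen_home_objects and its parameters are hypothetical names.

# Usage: gen_home_objects HOME_ROOT FILENAME [MODE]
# Prints "<HOME_ROOT>/<dir>/<FILENAME> <MODE>" for each real directory
# directly under HOME_ROOT. It never edits the ACL file itself.
gen_home_objects() {
    root=${1%/}
    name=$2
    mode=${3:-r}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    # The protected file must be a plain name, not a path.
    case $name in
        ''|*/*) echo "bad file name: $name" >&2; return 1 ;;
    esac
    for dir in "$root"/*/; do
        dir=${dir%/}
        # An unmatched pattern stays literal; skip it.
        [ -d "$dir" ] || continue
        # Skip symlinked homes so each rule names a real path.
        [ -L "$dir" ] && continue
        # Allowlist: skip names with spaces, glob characters or anything
        # else that might not survive as a single token in the ACL file.
        case ${dir##*/} in
            *[!A-Za-z0-9._-]*)
                echo "skipped: $dir" >&2
                continue ;;
        esac
        printf '%s/%s %s\n' "$dir" "$name" "$mode"
    done
}
```

The generated lines only cover directories that exist when the function runs, so it has to be rerun whenever a home directory is added or removed.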
