Grsec 2.0rc3 acl's have issues?

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby wolfpaw » Thu Oct 02, 2003 6:14 pm

Hi all :)

Noticed a few oddities with 2.0rc3, wondering if anyone can help with this:

A) Docs? :) The ACLs from the 1.9 series do not work well on it
B) Apparently you can't include a directory of ACLs anymore;
they all have to be specified now? Why? :(
C) Inheritance doesn't appear to work.. unless I am missing something. Here is an example:

Default ACL(s)
==========
role admin sA
subject / {
/ rwcdmxi
}

role default G
role_transitions admin
subject / {
/ r
/opt rx
/www x
/home rwx
/mnt rw
/dev
/dev/grsec h
/dev/urandom r
/dev/random r
/dev/zero rw
/dev/input rw
/dev/psaux rw
/dev/null rw
/dev/tty? rw
/dev/console rw
/dev/tty rw
/dev/ttyp? rw
/dev/pts rw
/dev/ptmx rw
/dev/dsp rw
/dev/mixer rw
/dev/fd0 r
/dev/cdrom r
/dev/mem h
/dev/kmem h
/dev/port h
/bin rx
/sbin rx
/lib rx
/usr rx
/etc rx
/etc/ssh h
/proc rwx
/proc/kcore h
/proc/sys r
/root r
/tmp rw
/var rwx
/var/tmp rw
/var/log r
/var/qmail rx
/var/qmail/queue x
/var/qmail/bin rx
/boot h
/etc/grsec h
/etc/accounts.db

RES_CPU unlimited unlimited
RES_FSIZE unlimited unlimited
RES_DATA unlimited unlimited
RES_STACK unlimited unlimited
RES_CORE unlimited unlimited
RES_RSS unlimited unlimited
RES_NPROC unlimited unlimited
RES_MEMLOCK unlimited unlimited
RES_AS unlimited unlimited
RES_LOCKS unlimited unlimited

-CAP_SYS_TTY_CONFIG
-CAP_LINUX_IMMUTABLE
-CAP_NET_RAW
-CAP_MKNOD
-CAP_SYS_ADMIN
-CAP_SYS_RAWIO
-CAP_SYS_MODULE
-CAP_SYS_PTRACE
-CAP_NET_ADMIN
-CAP_NET_BIND_SERVICE
-CAP_SYS_CHROOT
}

subject /usr/sbin/crond {
/dev/log rw
/var/spool/cron rwx
/var/spool/cron/* rwx
}

** I try the above with / r at the end or beginning, and an o flag, and the ACLs won't load **

I get this in the log:

Oct 2 16:10:01 ascension kernel: grsec: denied create of /var/spool/cron/cron.root.99 for writing by /usr/sbin/crond[crond:99] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

And with crontab:

subject /usr/bin/crontab {
/var/spool/cron rwxcd
/lib rx
}

and I get this running it:

Oct 2 16:21:48 ascension kernel: grsec: From 207.216.246.118: denied create of /var/spool/cron/crontab.30282 for reading writing by /usr/bin/crontab[crontab:30282] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:28437] uid/euid:0/0 gid/egid:0/0

Can anyone shed some light on this? I think I'm missing some fundamental understanding of the 2.0 ACLs.. help? :)

Thanks!
Dale.
wolfpaw
 
Posts: 9
Joined: Mon Sep 22, 2003 10:46 am

Postby spender » Mon Oct 06, 2003 8:08 pm

/var/spool/cron rwx
/var/spool/cron/* rwx

You need to add "c" to allow creation of files, and "d" to allow removal of files.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
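The mode check Brad describes, as an added example that is not from this thread or from grsecurity itself: a small Python model that matches the crond object list against the path in the quoted denial log line, first as posted and then with "c"/"d" added. It assumes a simplified matching rule (most specific object wins, fnmatch globs, parent directories cover their children) and that a create needs "c" plus the letter for the access mode the file is opened with.

```python
import fnmatch
import re

# Crond objects as posted above, and the same list with Brad's "c" and "d" added.
CROND_BEFORE = "/dev/log rw\n/var/spool/cron rwx\n/var/spool/cron/* rwx\n"
CROND_AFTER = "/dev/log rw\n/var/spool/cron rwxcd\n/var/spool/cron/* rwxcd\n"

# The kernel log line quoted in the thread (parent process part dropped).
LOG_LINE = ("grsec: denied create of /var/spool/cron/cron.root.99 for writing "
            "by /usr/sbin/crond[crond:99] uid/euid:0/0 gid/egid:0/0")

DENY_RE = re.compile(r"denied (\w+) of (\S+) for ([\w ]+?) by (\S+)\[")
# Assumption: a create needs "c" plus the letter for how the file is opened.
ACCESS = {"reading": "r", "writing": "w"}


def parse_objects(text):
    """Parse 'path [mode]' object lines; no mode letters means no access."""
    objs = []
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            objs.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return objs

def effective_object(objs, path):
    """Most specific object wins: the longest pattern that names the path,
    globs onto it, or is one of its parent directories (simplified model)."""
    best = None
    for pattern, mode in objs:
        hit = (path == pattern or fnmatch.fnmatchcase(path, pattern)
               or path.startswith(pattern.rstrip("/") + "/"))
        if hit and (best is None or len(pattern) > len(best[0])):
            best = (pattern, mode)
    return best

def parse_denial(line):
    """Return (needed mode letters, path, subject) from a grsec denial line."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    op, path, access, subject = m.groups()
    need = ("c" if op == "create" else "") + "".join(ACCESS.get(a, "") for a in access.split())
    return need, path, subject

def would_allow(policy, line):
    """True if the policy grants every mode letter the logged operation needed."""
    need, path, _ = parse_denial(line)
    obj = effective_object(parse_objects(policy), path)
    return obj is not None and all(ch in obj[1] for ch in need)
```

Running `would_allow` on the crontab line from the first post works the same way, except that "for reading writing" makes the needed set "crw".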

Postby wolfpaw » Mon Oct 06, 2003 11:52 pm

Thanks Brad :) I had figured that out this morning after playing with it for a while :) On to nested subjects now :)

Anyway - thanks again :)
D.
wolfpaw
 
Posts: 9
Joined: Mon Sep 22, 2003 10:46 am
