Problem with grsecurity-1.9.13-2.4.23

Post by bmcmurphy » Wed Dec 03, 2003 12:56 pm

Hi folks,

I'm having a slight issue now that I've upgraded from 2.4.20 to 2.4.23 with grsecurity-1.9.13-2.4.23. When I sftp into my system, I'd like to be able to write to /var/tmp, but not be able to do a directory listing of it. To accomplish this, I have the following ACL:

/ ph {
/ r
/dev
/dev/log r
/dev/null rw
/dev/mem h
/dev/kmem h
/dev/port h
/sbin
/sbin/gradm rx
/bin rx
/lib rx
/usr
/usr/bin/killall
/var
/etc r
/etc/ld.so.cache rx
/etc/grsec h
/etc/shadow h
/etc/localtime r
/var/log a
/var/log/wtmp
/proc r
/proc/kcore h
/boot h
/etc/ssh2
/dev/tty rw
-CAP_ALL
}
/bin/login ph {
/sbin/mingetty rx
/etc/passwd r
/etc/shadow r
/var/log/lastlog w
/dev rw
+CAP_SYS_TTY_CONFIG
+CAP_SETGID
+CAP_SETUID
}
/sbin/mingetty ph {
/dev rw
-CAP_ALL
+CAP_SYS_TTY_CONFIG
}
/bin/su {
/etc/passwd r
/etc/shadow r
-CAP_ALL
}
/sbin/init ph {
/dev rw
/sbin/mingetty rx
-CAP_ALL
+CAP_KILL
+CAP_DAC_OVERRIDE
}

/sbin/minilogd {
/dev rw
-CAP_ALL
}
/sbin/syslogd ph {
/dev rw
/sbin/syslogd x
-CAP_ALL
+CAP_SYS_TTY_CONFIG
}
/sbin/klogd ph {
/sbin/klogd x
/var/run rw
/boot r
}
/usr/local/bin/sftp-server ph {
/usr/lib rx
/var/tmp wRWX
/usr/X11R6/lib rx
/xfer/upload rw
/usr/local/bin/sftp-server rxi
}

/usr/local/sbin/sshd2 pho {
/etc/ld.so.cache rx
/ r
/bin/bash xi
/usr/bin/find rxi
/sbin/gradm rx
/bin/cat xi
/bin/mv xi
/dev/log rw
/dev/null rw
/dev/mem h
/dev/kmem h
/lib rx
/var rRWX
/etc r
/etc/grsec h
/var/log a
/var/log/wtmp w
/proc r
/boot h
/dev/tty rw
/usr/local/sbin/sshd2 x
/usr/local/bin/sftp-server x
/home/secft/bin/ssh-dummy-shell rx
/dev rw
/etc/ssh2/random_seed rw
/var/log/lastlog w
/etc/shadow r
/etc/ssh2 r
/xfer/upload rw
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_FOWNER
+CAP_FSETID
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_CHROOT
+CAP_SYS_TTY_CONFIG
}

I explicitly gave /usr/local/bin/sftp-server only rRWX permissions to /var/tmp. Running "gradm -T /usr/local/bin/sftp-server /var/tmp" yields:

Allowed access for /var/tmp from /usr/local/bin/sftp-server:
Read: no
Write: yes
Append: yes
Execute: no
Hidden: no
Inherit ACL on exec: no
Read-only ptrace: no
Audit reads: yes
Audit writes: yes
Audit execs: yes
Audit appends: yes
Audit finds: no
Audit inherits: no

However, I find that when I sftp into the system and cd to /var/tmp, I'm able to list the directory, and put files. Attempts to get the file fail, as expected, with:

denied open of /var/tmp/testfile for reading by (sftp-server:29047) UID(0) EUID(0), parent (sshd2:2857) UID(0) EUID(0)

But attempts to do a directory listing succeed, and furthermore are not audited despite the "RWX" object modes that I placed on /var/tmp.

Am I overlooking something stupid?

Thanks, and keep up the great work Spender! Grsec rules...
bmcmurphy
 
Posts: 13
Joined: Wed Dec 11, 2002 10:53 am

Post by spender » Wed Dec 03, 2003 1:33 pm

Listing is a find operation. To disallow finds, the mode should be "h". Of course, if you can't find a file, you can't perform any other operation on the file. You can however have h on a directory and still be able to access files within the directory, though the files need to have their own non-"h" mode. To audit finds, add "F" to the mode.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
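
The mode semantics described in the reply above, as an added example that is not part of the thread and is not gradm or kernel code. It is a simplified model that assumes the most specific (longest) matching object path decides the mode; the HIDDEN policy and the file names in it are hypothetical.

```python
# Simplified model of the object-mode checks discussed in this thread.
# Assumption: the longest object path that prefixes a file decides its mode.

# Constructed sample: the poster's sftp-server subject, reduced to two objects.
ORIGINAL = {"/": "r", "/var/tmp": "wRWX"}

# Hypothetical variant following the reply: hide the directory, then give one
# file inside it its own non-"h" mode, with "F" to audit finds on that file.
HIDDEN = {"/": "r", "/var/tmp": "h", "/var/tmp/testfile": "wF"}

# operation -> (letter that grants it, letter that audits it).
# A find needs no grant letter: it is allowed unless the object is hidden.
OPS = {
    "find": (None, "F"),
    "read": ("r", "R"),
    "write": ("w", "W"),
    "exec": ("x", "X"),
}


def match(objects, path):
    """Return the mode string of the most specific object covering path."""
    covering = [o for o in objects
                if path == o or path.startswith(o.rstrip("/") + "/")]
    return objects[max(covering, key=len)]


def check(objects, path, op):
    """Return (allowed, audit_flag_set) for op on path."""
    mode = match(objects, path)
    grant, audit = OPS[op]
    hidden = "h" in mode            # hidden objects cannot be found or used
    allowed = not hidden and (grant is None or grant in mode)
    return allowed, audit in mode


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL), ("hidden", HIDDEN)):
        for path in ("/var/tmp", "/var/tmp/testfile", "/var/tmp/other"):
            for op in ("find", "read", "write"):
                print(name, path, op, check(policy, path, op))
```

Under the original policy the listing is allowed and unaudited because "wRWX" contains neither "h" nor "F", which matches what the poster observed.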

