su acl "su: must be run from a terminal" problem

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby andrew » Fri Apr 30, 2004 7:33 am

Hi, I used learning mode to create the following acl ... but when I enable it (just to test su) it gives me:

$ su -
su: must be run from a terminal

Note: In the learn mode I successfully su-ed root

The acl:

role default
subject / {
/ h
-CAP_ALL
connect disabled
bind disabled
}

role admin u
role_allow_ip 10.0.0.1/32
subject / {
/ h
/bin/su x
-CAP_ALL
bind disabled
connect disabled
}

subject /bin/su o {
/ h
/bin h
/bin/su x
/dev h
/dev/log rw
/dev/urandom r
/etc r
/etc/ssh h
/etc/grsec h
/lib rx
/proc h
/proc/1114
/usr h
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.2/libgcc_s.so.1 rx
/usr/lib/libcrack.so.2.7 rx
/usr/share/zoneinfo/GMT r
/var h
/var/run/utmp rw
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind disabled
connect disabled
}


role root uG
role_allow_ip 10.0.0.1/32
subject / {
/ h
/bin h
/bin/bash x
/bin/whoami x
/etc r
/etc/ssh h
/etc/grsec h
/etc/shadow h
/lib rx
/proc h
/proc/meminfo r
/sbin h
/sbin/gradm x
/dev
/dev/null w
/dev/tty rw
/dev/urandom r
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/root
/root/.bash_history r
-CAP_ALL
bind disabled
connect disabled
}
andrew
 
Posts: 1
Joined: Fri Apr 30, 2004 7:29 am

Postby Thomas80 » Mon Nov 15, 2004 1:15 pm

SOLVED. Stupid me.

Hi,

I've got the same problem. Any solutions?

Thanks in advance,

Thomas
Thomas80
 
Posts: 3
Joined: Mon Nov 01, 2004 1:44 pm

Re: su acl "su: must be run from a terminal" probl

Postby Hue-Bond » Mon Dec 13, 2004 5:12 pm

>subject /bin/su o {
> /proc/1114

Perhaps not related but think about the next time that su is executed. Probably it won't get the same pid... Always review the generated ACL before using it.
Hue-Bond
 
Posts: 34
Joined: Mon Dec 13, 2004 4:31 pm
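
As an added example (not part of the original thread and not a grsecurity tool), the review suggested above can be partly automated: this sketch walks a learned policy and lists object entries that name a specific PID under /proc, plus entries that carry no mode string, so they can be checked by hand before the policy is enabled. The function name, the issue labels and the sample text (a constructed excerpt built from entries in the posted policy) are assumptions of this example.

```python
import re

# Constructed sample: a shortened excerpt built from entries in the thread's policy.
SAMPLE_POLICY = """\
role admin u
subject /bin/su o {
	/ h
	/dev/log rw
	/proc h
	/proc/1114
	-CAP_ALL
}
role root uG
subject / {
	/dev
	/dev/tty rw
	/proc/meminfo r
}
"""

# /proc/<digits> names one process; the PID will differ on the next run.
PID_PATH = re.compile(r"^/proc/\d+(/|$)")

def review_learned_policy(text):
    """Return (line_no, role, subject, path, issue) tuples for entries to review."""
    findings = []
    role = subject = None
    in_block = False
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue
        if fields[0] == "role" and len(fields) > 1:
            role = fields[1]
        elif fields[0] == "subject" and len(fields) > 1:
            subject, in_block = fields[1], True
        elif fields[0] == "}":
            in_block = False
        elif in_block and fields[0].startswith("/"):
            path = fields[0]
            if PID_PATH.match(path):
                findings.append((line_no, role, subject, path, "pid-specific"))
            if len(fields) == 1:  # path with no mode string after it
                findings.append((line_no, role, subject, path, "no-mode"))
    return findings

if __name__ == "__main__":
    for f in review_learned_policy(SAMPLE_POLICY):
        print("line %d: role %s subject %s: %s (%s)" % f)
```

The findings are only prompts for manual review; the script does not decide whether an entry is correct.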

