Inheriting from parent directories that are mountpoints



Postby bmcmurphy » Wed May 19, 2004 9:55 am

Quick question. I have an rsync process that is run from cron. With the following ACLs, rsync was unable to see the files in /home/secft/download

Code:
subject /usr/bin/rsync o {
        /                               h
        /etc                            r
        /etc/ssh                        h
        /etc/grsec                      h
        /etc/shadow                     h
        /home                           h
        /home/secft/download            rwcd
        /lib                            rx
        /usr                            h
        /usr/bin/rsync                  x
        /usr/bin/ssh                    x
        /root
        +CAP_ALL
        bind    disabled
        connect disabled
}


This wouldn't have been so bad, except that nothing turned up in the logs. After I added the following there was much joy:

Code:
 /home/secft                     r


I suspect this is tied up with the fact that /home/secft is a mountpoint. There was another post referring to a somewhat similar issue with mountpoints (http://forums.grsecurity.net/viewtopic.php?t=396&highlight=mount+point).

My first question is whether it is true that mountpoints don't inherit ACLs from their parent directories. My other, more important (to me) question is why nothing appeared in the logs when rsync tried to list files in /home/secft/download?

Cheers, and keep the great work Grsec and PAX teams!

BMcMurphy
bmcmurphy
 
Posts: 13
Joined: Wed Dec 11, 2002 10:53 am

One more try...

Postby bmcmurphy » Wed Jun 16, 2004 8:17 am

Hi all,

Just wanted to ask this question one last time now that Spender is back in business :)

Cheers

BMC
bmcmurphy
 
Posts: 13
Joined: Wed Dec 11, 2002 10:53 am

Postby spender » Wed Jun 16, 2004 8:40 am

It has nothing to do with mountpoints, but simply that if a program is relying on some directory listing system call to obtain the list of files to access in a directory, the parent directory of the one being listed cannot be hidden. The reason for this is that in doing the directory listing, the .. link is followed to the parent directory, which cannot be viewed, so the directory listing ends after the . link. I will see what I can do about removing the restriction of having to have the parent directory viewable for a given directory to be viewable.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
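The following is an added example, not code from the thread or from grsecurity itself: a small Python model of the behaviour spender describes. It assumes (simplified) RBAC object lookup picks the most specific matching path prefix, that a directory listing yields "." and ".." before the real entries, and that the listing stops at the first entry the subject is not allowed to view; the policies and directory contents are constructed from the first post.

```python
import posixpath

# Constructed from the first post's subject: /home is hidden, and the
# only /home/... object is the download directory itself.
ORIGINAL_POLICY = {
    "/": "h", "/etc": "r", "/etc/ssh": "h", "/etc/grsec": "h",
    "/etc/shadow": "h", "/home": "h", "/home/secft/download": "rwcd",
    "/lib": "rx", "/usr": "h", "/usr/bin/rsync": "x", "/usr/bin/ssh": "x",
}
# The fix the poster applied: make the parent directory readable.
FIXED_POLICY = {**ORIGINAL_POLICY, "/home/secft": "r"}


def object_mode(policy, path):
    """Mode of the most specific (longest-prefix) object matching path.

    Assumption: every policy has a "/" object, so some object always matches.
    """
    path = posixpath.normpath(path)
    best = ""
    for obj in policy:
        prefix = obj.rstrip("/") + "/"
        if (path == obj or path.startswith(prefix)) and len(obj) > len(best):
            best = obj
    return policy[best]


def visible(policy, path):
    """A path can be viewed unless its matching object is hidden ('h')."""
    return "h" not in object_mode(policy, path)


def list_dir(policy, path, entries):
    """Simulated readdir: '.' and '..' come first; stop at the first entry
    the subject cannot view, which is what truncates the listing here."""
    path = posixpath.normpath(path)
    result = []
    for name in [".", ".."] + sorted(entries):
        target = posixpath.normpath(posixpath.join(path, name))
        if not visible(policy, target):
            break
        result.append(name)
    return result


if __name__ == "__main__":
    files = ["a.tar", "b.tar"]  # constructed directory contents
    print(list_dir(ORIGINAL_POLICY, "/home/secft/download", files))  # ['.']
    print(list_dir(FIXED_POLICY, "/home/secft/download", files))
```

With the original policy the walk stops right after ".", because ".." resolves to /home/secft, which inherits the hidden mode of /home; after adding a readable /home/secft object the full listing comes back.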