grsecure2 acl and system acl

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

grsecure2 acl and system acl

Postby Terra » Thu Sep 30, 2004 8:46 am

sorry for stupid question, but grsecure object modes override system (ext2) modes or not? I want allow to one process read some directories, but can't modify ext2 permissions for these directories.
Terra
 
Posts: 9
Joined: Fri Apr 11, 2003 5:18 pm

Postby Terra » Thu Sep 30, 2004 11:43 am

ok, how i understand grsecurity can deny access which allowed by file mode, but can't allow access denied by file mode. Yes?
.
Nice solution for me - use extended attributes patch. But i can't merge this patch with grsecurity patch for 2.4 kernel and no new grsecurity patch for 2.6 kernel (i can't use 2.6.7 because there serious acapi bugs)
May be someone merge this patches for 2.4?
Terra
 
Posts: 9
Joined: Fri Apr 11, 2003 5:18 pm

Postby torne » Sat Oct 02, 2004 3:15 pm

If you want only one process to be able to access a directory, block access to it from your default ACL then override it just for that process. You don't need EA.
torne
 
Posts: 54
Joined: Mon Aug 12, 2002 12:52 pm

Postby Terra » Mon Oct 04, 2004 9:49 am

I use grsecurity as second protection system, not main. If grsecurity fail to start or was disabled due some service - users mast not get access to closed directory. System acl must deny this. If i deny access vie default rbac acl, system acl must allow this access (for one process, which alloed in rbac also). It's no god.
Terra
 
Posts: 9
Joined: Fri Apr 11, 2003 5:18 pm

Postby torne » Mon Oct 04, 2004 10:43 am

Then don't use it like that. If it fails to start, abort booting the machine, and don't allow it to be disabled.
torne
 
Posts: 54
Joined: Mon Aug 12, 2002 12:52 pm

Postby Terra » Mon Oct 04, 2004 10:51 am

it's remote server =) if i abort to boot, i must go to another office for make fixes. Server can't stay offline much time. May be, I try to use this solution until grsecurity for 2.6.8 kernel...
Terra
 
Posts: 9
Joined: Fri Apr 11, 2003 5:18 pm

Postby torne » Mon Oct 04, 2004 12:02 pm

If grsec won't start you have major problems anyway, remote or not. There's not a lot of point in having a security system if you let the machine start without it..
torne
 
Posts: 54
Joined: Mon Aug 12, 2002 12:52 pm

Postby Terra » Tue Oct 05, 2004 2:55 am

simply mistake in start-up files, and grsec fail to start and users take dangerous permissions... it's not good.
grsec rbac, imho, needs for additional securing, in first hand, for prevention some attacks for get root if some bugs will be found, but not fixed on system.
usage grsec for users-access managment without system acl more dangerous because grsec rbac not start with kernel
Terra
 
Posts: 9
Joined: Fri Apr 11, 2003 5:18 pm

Postby Terra » Wed Oct 06, 2004 4:49 am

and... sorry
if i deny access for all users and allow only one process, how user can get access to own directory? Write "u" subject for each user with allow acces to home directory and deny to others? IMHO, it's too overhead for fhree-four hundred users.
Terra
 
Posts: 9
Joined: Fri Apr 11, 2003 5:18 pm


Return to grsecurity support