How to run somethings but without permissions to "by

Postby shimano » Tue Jan 25, 2005 5:24 pm

Hi!

I have a program /bin/something, which is generally hidden, that is

# default subject: /bin/something is hidden ("h") from every process
subject / {
    /bin/something h
}


and a script /bin/exec_something.php based on /usr/php-cgi/bin/php, which launches /bin/something from its code using the function system() and/or shell_exec(). Of course I've given the script access to /bin/something, that is

subject /bin/exec_something.php {
    /bin/something rx
}


Unfortunately system() and shell_exec() run commands through the shell, and I get this message:

(default:D:/bin/bash) denied access to hidden file /bin/something by /bin/bash[sh:12129] uid/euid:0/0 gid/egid:0/0, parent /bin/exec_something.php[exec_something.php:13600] uid/euid:0/0 gid/egid:0/0

Is it possible to make PHP script /bin/exec_something.php run the program /bin/something but without giving the access for /bin/bash ?
shimano
 
Posts: 1
Joined: Tue Jan 25, 2005 4:17 pm
Location: Poland/Zach-Pom/Swinoujscie

Postby Raf256 » Tue Oct 04, 2005 10:34 am

Dunno if that will help, but there were some shells that allow only predefined programs, and all other "illegal" instructions (or attempts to bypass the restriction) should be stopped.

btw - what exactly does that rule do, does it allow a program to execute another program? If I want to use it, where should I write the text you posted? Can I give similar restrictions to a user (like: a user can or can't execute a program)? Where do you learn grsecurity from?
Raf256
 
Posts: 72
Joined: Mon Sep 19, 2005 8:38 pm
Location: Europe

Postby spender » Wed Oct 05, 2005 6:39 pm

You could use the nested subject functionality, so that you add a nested subject for /bin/bash that would only be applied when your php script executes bash (or another script), and in that /bin/bash subject you can restrict which files bash can open (and thus, which scripts it is allowed to execute).

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA
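The nested subject spender describes, written out as an added example (mine, not from the thread and not an official grsecurity sample). It reuses the poster's paths; the object lines bash itself needs (its libraries, /etc/ld.so.cache and so on) are assumed to be supplied by learning mode and are left as a comment.

```text
# Added example policy fragment, not from the thread.
# Paths are the poster's; everything else is assumed.

role default G
role_transitions admin

# Everyone else: /bin/something does not exist.
subject / {
    /bin/something        h
    # ... the rest of the default subject's objects omitted
}

# The script itself may run it (the poster's existing rule).
subject /bin/exec_something.php {
    /bin/something        rx
}

# Nested subject: applies to /bin/bash only when it was executed by
# /bin/exec_something.php. system()/shell_exec() run "sh -c ...", and
# on the poster's box /bin/sh is bash (the log shows /bin/bash[sh:...]),
# so this shell is the process that actually execs /bin/something.
subject /bin/exec_something.php:/bin/bash {
    /bin/something        rx
    # objects bash needs for itself (libraries, /etc, /dev/null, ...)
    # go here; take them from learning mode rather than guessing
}

# Any bash not started by the script (a login shell, another CGI)
# is matched by the default subject above and still cannot see
# /bin/something.
```

Check the file with gradm -C before reloading it with gradm -R; a nested subject whose chain does not match the real exec chain simply never applies, and the denial in the poster's log would stay exactly as it is.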

Postby andutt » Thu Oct 06, 2005 4:22 am

# nested subject: /bin/something, executed by /bin/bash, executed by the script
# (no trailing colon before the brace)
subject /bin/exec_something.php:/bin/bash:/bin/something {
    /var/log/messages r
}
andutt
andutt
 
Posts: 21
Joined: Mon Dec 16, 2002 4:20 am

Re: How to run somethings but without permissions to "b

Postby Hue-Bond » Tue Feb 28, 2006 5:26 pm

shimano wrote:Is it possible to make PHP script /bin/exec_something.php run the program /bin/something but without giving the access for /bin/bash ?


Yes, it is. This is a PHP question, not a grsec one. Use exec() instead of system() or shell_exec().
Hue-Bond
 
Posts: 34
Joined: Mon Dec 13, 2004 4:31 pm
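On the PHP side, an added example (mine, not from the thread): system(), shell_exec() and exec() all go through popen(), so a /bin/sh -c process sits between the script and /bin/something whichever of them is used; only pcntl_exec() calls execve() directly, which is what keeps the shell and its RBAC subject out of the chain. It assumes the pcntl extension is loaded in the SAPI in use (it usually is only in CLI builds) and that /bin/something and the argument shown exist; both are illustrative.

```php
<?php
// Added example, not from the thread. Assumes ext/pcntl is available in
// this SAPI and that /bin/something exists; path and argument are made up.

// All of these hand the string to /bin/sh -c, so the shell is what execs
// /bin/something and the shell's RBAC subject decides whether that works:
//   system('/bin/something');
//   shell_exec('/bin/something');
//   exec('/bin/something');

// Execute a binary directly: fork, then execve() in the child, no shell.
function run_direct(string $path, array $args = [], array $env = []): int
{
    $pid = pcntl_fork();
    if ($pid === -1) {
        throw new RuntimeException('fork failed');
    }
    if ($pid === 0) {
        // Child: pcntl_exec() only returns if execve() failed.
        pcntl_exec($path, $args, $env);
        fwrite(STDERR, "exec of $path failed\n");
        exit(127);
    }
    // Parent: wait for the child and return its exit status.
    pcntl_waitpid($pid, $status);
    return pcntl_wifexited($status) ? pcntl_wexitstatus($status) : 128;
}

$rc = run_direct('/bin/something', ['--flag']);
echo "exit status: $rc\n";
```

With this, the process that opens /bin/something is the script itself, so the poster's existing subject for /bin/exec_something.php is the one that applies and no /bin/bash subject, nested or not, is involved.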

