spender's proc acl

PostPosted: Wed Mar 06, 2002 3:15 pm
by spender
Here's my proc acl:

/usr/X11R6/bin/XFree86 {
/ rwx
/var/log/XFree86.0.log rwo
+CAP_SYS_RAWIO
+CAP_SYS_MODULE
}

/usr/sbin/sshd hp {
/ rwx
/etc/shadow ro
/var/log/lastlog rwo
+CAP_NET_BIND_SERVICE
}

/usr/bin/ssh {
/ rwx
+CAP_NET_BIND_SERVICE
}

/usr/bin/wine {
/ rwx
+CAP_SYS_RAWIO
}

/usr/bin/wineserver {
/ rwx
+CAP_SYS_RAWIO
}

/usr/bin/cdp {
/ rwx
+CAP_SYS_RAWIO
}

/bin/su {
/ rwx
/etc/shadow ro
}

/bin/login {
/ rwx
/etc/shadow ro
/var/log/lastlog rwo
}

/etc/rc.d/init.d/halt vk {
/ rwx
+CAP_SYS_ADMIN
+CAP_SYS_RAWIO
+CAP_NET_ADMIN
}

/etc/rc.d/rc vk {
/ rwx
+CAP_SYS_ADMIN
+CAP_NET_ADMIN
}

/usr/sbin/httpd {
/ rwx
+CAP_NET_BIND_SERVICE
}

/usr/lib/postfix/master {
/ rwx
+CAP_NET_BIND_SERVICE
}

/usr/sbin/named {
/ rwx
+CAP_NET_BIND_SERVICE
+CAP_SYS_CHROOT
+CAP_SETPCAP
}

/usr/sbin/proftpd {
/ rwx
+CAP_NET_BIND_SERVICE
}

/usr/sbin/xinetd {
/ rwx
+CAP_NET_BIND_SERVICE
}

/usr/local/bin/snort {
/ rwx
/var/log/snort rwo
}

Suggestion on suid files

PostPosted: Fri May 24, 2002 9:05 am
by hytron
A good suggestion for everyone would be to use a separate partition that will be mounted RO for suid files. This way, you add some extra security since you cannot modify the contents of a suid file. I have a /suid partition that keeps all of my suids and the permissions look like:

drwx--x--x 3 root root 1024 May 10 09:19 suid/

Note that the permissions for root are rwx, but that's only for that directory when it was created. Since the ro mount option was used, it remains read-only. This way no one can see the names of the suids that you have on the system. Well, some known system programs (like passwd, sendmail, etc.) will have symbolic links to /suid, and others that you don't want to expose will be hidden.
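A check that goes with the read-only suid partition idea above, added here as an example and not code from the thread or from grsecurity: it lists the setuid/setgid files under a root directory, looks up the longest matching mount point for each one in a /proc/mounts-style table, and reports which files sit on a mount that is not mounted ro. The mount table is taken from a file argument (pass /proc/mounts on a live system) so the same function can be run offline against a constructed table; the function names and the output format are this example's own.

```shell
#!/bin/sh
# Added example: audit setuid/setgid files against a read-only-mount policy.
# MOUNTS_FILE uses /proc/mounts layout: "device mountpoint fstype options dump pass".

# find_suid ROOT
# Print setuid or setgid regular files under ROOT, one per line, sorted.
find_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | LC_ALL=C sort
}

# mount_opts PATH MOUNTS_FILE
# Print the mount options of the longest mount point that is a prefix of PATH.
mount_opts() {
    _path=$1
    _best=""
    _bestopts=""
    while read -r _dev _mp _fs _opts _rest; do
        [ -n "$_mp" ] || continue
        case "$_mp" in
            /) _match=1 ;;                       # the root mount covers every path
            *) case "$_path" in
                   "$_mp"|"$_mp"/*) _match=1 ;;  # PATH is the mount point or below it
                   *) _match=0 ;;
               esac ;;
        esac
        # keep the longest matching mount point (deepest mount wins)
        if [ "$_match" -eq 1 ] && [ ${#_mp} -ge ${#_best} ]; then
            _best=$_mp
            _bestopts=$_opts
        fi
    done < "$2"
    printf '%s\n' "$_bestopts"
}

# is_readonly OPTS
# True if "ro" appears among the comma-separated mount options.
is_readonly() {
    case ",$1," in
        *,ro,*) return 0 ;;
    esac
    return 1
}

# audit_suid ROOT MOUNTS_FILE
# Print "ro <path>" or "WRITABLE <path>" for each setuid/setgid file under ROOT.
# Returns 1 if any such file lives on a mount that is not read-only, else 0.
audit_suid() {
    _list=$(mktemp)
    find_suid "$1" > "$_list"
    _bad=0
    while IFS= read -r _f; do
        _o=$(mount_opts "$_f" "$2")
        if is_readonly "$_o"; then
            printf 'ro       %s\n' "$_f"
        else
            printf 'WRITABLE %s\n' "$_f"
            _bad=1
        fi
    done < "$_list"
    rm -f "$_list"
    return $_bad
}

# Usage on a live system: sh audit_suid.sh / /proc/mounts
if [ $# -ge 1 ]; then
    audit_suid "$1" "${2:-/proc/mounts}"
fi
```

Run it as root over / to see every suid binary that is still on a writable filesystem; anything reported as WRITABLE is a candidate for moving onto the ro partition (or, as the next reply points out, for a deny-write ACL on its directory).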

PostPosted: Thu Aug 22, 2002 8:21 am
by torne
The ACL system can already deny the ability to write to any file you like, so you don't need to do this. Just make sure that there is no write access to /bin, /sbin, /usr/bin, /usr/sbin, /lib, etc., and then no binary can be changed at all, suid or not. =)

PostPosted: Thu Aug 22, 2002 8:39 am
by spender
btw don't use the rules above, they were for a very early version of the ACL system.

-Brad

PostPosted: Thu Aug 22, 2002 5:05 pm
by marcinek
maybe you have some of your ACLs??