ACL-wildcards

Posted: Tue Sep 24, 2002 2:33 pm
by meyerm
Hi,

is it possible to use wildcards inside of ACLs? I would like to give sshd on /home/*/.ssh/authorized_keys read access. And inserting it for every user is... well... not acceptable? :)

If it is not yet in grsecurity, will it be implemented in the future?

Thanks

Posted: Wed Sep 25, 2002 7:33 pm
by spender
Not in there, and won't be implemented in the future. If you want that, use systrace when it gets ported to Linux, and take with it its problems and significantly greater performance hit (see how much your loaded network server likes it ;) similar applications of the same idea as systrace have performance hits up to 70%... If I had the link to the research, I'd paste it.)

-Brad

Posted: Wed Sep 25, 2002 10:29 pm
by Technion
I'd suggest writing your ACL set as a script if you want something like that.

I'm freestyling (so this example may contain bugs) but something like create a genACL.sh containing:

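#!/bin/sh
# Static part of the ACL set, then the opening of the ssh subject block
cat <<EOF
THE REST OF YOUR ACLs GO HERE

/usr/bin/ssh {
EOF
# One object line per entry under /home
ls /home | awk '{print "/home/" $1 "/.ssh/authorized_keys"}'
# Close the subject block
echo }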


Then every time you add/remove a user, run this script like

./genACL.sh > /etc/grsec/acl

Then of course, reload your ACL set.
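
A hardened variant of the generator idea above, as an added example that is not part of the original post or of grsecurity: it only emits lines for real directories with plain account-style names, so an odd directory name under /home cannot inject extra lines into the ACL file, and it replaces the output file only after generation succeeds. The function names, the name filter and the trailing `r` mode are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): safer per-user ACL line generation.

# Print one authorized_keys object line per home directory.
# $1 = base directory (default /home), $2 = mode suffix (assumed: r)
gen_key_objects() {
    base=${1:-/home}
    mode=${2:-r}
    for dir in "$base"/*; do
        name=${dir##*/}
        # Skip symlinks, plain files and an unmatched glob
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue
        # Skip names that are hidden, start with '-', or contain anything
        # outside [A-Za-z0-9_.-] (spaces, braces, newlines, ...)
        case $name in
            ''|.*|-*|*[!A-Za-z0-9_.-]*) continue ;;
        esac
        printf '%s/%s/.ssh/authorized_keys %s\n' "$base" "$name" "$mode"
    done
}

# Build the full ACL file and move it into place in one step.
# $1 = file holding the static ACLs, $2 = subject path,
# $3 = output file, $4 = base directory (default /home)
write_acl() {
    static=$1 subject=$2 out=$3 base=${4:-/home}
    # Temp file in the same directory so mv is a rename, not a copy
    tmp=$(mktemp "$out.XXXXXX") || return 1
    {
        cat "$static" &&
        printf '%s {\n' "$subject" &&
        gen_key_objects "$base" &&
        printf '}\n'
    } > "$tmp" && mv "$tmp" "$out" || { rm -f "$tmp"; return 1; }
}
```

Unlike redirecting straight into /etc/grsec/acl, a failed run here leaves the previous ACL file untouched.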

Posted: Thu Sep 26, 2002 6:52 am
by meyerm
Thanks for your replies.

Concerning the script proposal: Hmm, that would be a solution (a more or less ugly hack solution, but it would be one ;)). I think that's the way to go for me. Thank you.