globbling *.php *.pl etc..


Postby cookiemonster » Wed Jun 25, 2008 5:54 pm

I've been trying to glob all php applications within a directory as a subject and I'm not getting through. Just to make sure, is it possible to do something like this:

Code:
subject /var/www/*/*.php {
    / h
    -CAP_ALL
}


Cookiemonster
cookiemonster
 
Posts: 8
Joined: Wed Jun 25, 2008 1:15 pm

Re: globbling *.php *.pl etc..

Postby spender » Thu Jun 26, 2008 12:43 pm

Globbed subjects are not currently supported. If it's possible, try reorganizing your directory structure so the php scripts can have a directory-based policy on them, or create a more general directory-based subject for the php scripts, and specific subjects for other executables in the same directory that you wish to have a different policy on.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: globbling *.php *.pl etc..

Postby cookiemonster » Fri Jun 27, 2008 9:51 am

Brad,

Ouch! I have around 146 websites and more coming...lol. It will be tough to manage. Is it possible to implement PAM in reverse? Can a user be assigned a password-less role directly/automatically through PAM or any other method without first using gradm?

I know we can create passwordless roles and inherit them through "gradm". I can do this with php scripts through a cgi-wrapper, but I lose a lot of performance that way. Is there any other way I can do this?

Thanks in advance,

BTW, I LOVE GRSECURITY !!!!!!!

CookieMonster
cookiemonster
 
Posts: 8
Joined: Wed Jun 25, 2008 1:15 pm

Re: globbling *.php *.pl etc..

Postby spender » Fri Jun 27, 2008 10:10 am

A comment/question not exactly related to your recent post:
These scripts you've mentioned, are they being executed directly? That is, they're not executed by using <interpreter> <script> or loaded using some webserver module, but directly as <script> with the #!<interpreter> contents in the file.
The reason I ask is that unless they're being executed directly, any attempts to create policies on them will be meaningless, and need to be done on the interpreter/webserver instead.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA
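As an added illustration of Brad's two points above (not a policy from the thread or from the grsecurity docs): one directory-based subject that covers every script executed directly from an assumed /var/www/sites tree, a more specific subject for one executable in that tree that needs a different policy, and a subject for the interpreter, which is the process the policy has to target when scripts are run as php <script> or through a webserver module. The role name, paths and object lists are assumptions.

```text
# Added example, not from the thread. Role name, paths and object
# lists are assumed; a real object list would come from learning mode.
role www_data u
subject / {
    /                    h
    -CAP_ALL
}

# Directory-based subject: matches every executable below
# /var/www/sites that is run directly (#!/usr/bin/php in the file),
# so no per-script globbing is needed. The "o" subject mode stops
# this subject from inheriting objects of the less specific "/" subject.
subject /var/www/sites o {
    /                    h
    /var/www/sites       r
    /tmp/www             rwcd
    /lib                 rx
    /usr/lib             rx
    /usr/bin/php         x
    -CAP_ALL
}

# More specific subject for one executable in the same tree that
# needs a different policy; the most specific subject path wins.
subject /var/www/sites/example.com/bin/mailer o {
    /                            h
    /var/www/sites/example.com   r
    /usr/sbin/sendmail           x
    -CAP_ALL
}

# If the scripts are instead started as "php script.php" or loaded by a
# webserver module, the subjects above are never entered: the process
# that executes is the interpreter (or server), so that is the subject
# whose policy actually constrains the script.
subject /usr/bin/php o {
    /                    h
    /var/www/sites       r
    -CAP_ALL
}
```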

