grsecurity forums


http://forums.grsecurity.net/

Creating a mini-root role

http://forums.grsecurity.net/viewtopic.php?f=5&t=2277

Page 1 of 1

Creating a mini-root role

PostPosted: Thu Apr 08, 2010 4:58 pm
by chaoticmachinery
Hello,

I would like to create a "mini-root" role in which it can do all things but:
1) alter files under /var/log
2) unable to alter grsecurity

Is something like this possible?

If so could you point me in the right direction to create the role? Just looking for an example.

Thanks,

CM

Re: Creating a mini-root role

PostPosted: Thu Apr 08, 2010 6:17 pm
by spender
It's not possible if you really mean "do all things." The problem is that even ignoring the problem of kernel exploits, unless you restrict this role considerably, it ends up being equivalent to full root, and thus able to alter grsecurity and edit /var/log. One simple example (though there are dozens or hundreds more): CAP_SYS_MODULE. With this capability, you have arbitrary code execution in the kernel, and so can disable/alter grsecurity, give yourself permission to alter any file, give yourself any of the other capabilities, etc.

So without considerable restriction (like the kinds of restrictions that the RBAC system enforces on non-special roles by default) such a role would almost entirely create a false sense of security.

-Brad
All times are UTC - 5 hours [ DST ]
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/