Hi
After getting learning acl's to work properly with grsecurity2, I finally managed to have a learnt acl that seems fairly decent.
however, i'm a bit confused about some things...
I, of course, have a default acl that allows some amount of things.
Then I have a users acl that allows a bit more.
However, I'm a bit confused about how that works...my user is in users, if I (with a program not explicitly allowed or denied) try to access some files not explicitly allowed by the / subject acl of role users but explicitly allowed by the default acl, will I get access to them then or not?
So I guess the real question is: Is there role inheritance, or is the matching limited to only the first match?
I.e. if something doesn't match in user acl (i.e. neither allowed, nor denied, will group acl be tested, and will default acl then be tested?
It makes quite a big difference wrt. duplicate entries and such (And I'm not fond of trying enabling the acl without knowing...)
Regards,
Jens Andersen
Inheritance in grsecurity2
4 posts
• Page 1 of 1
Inheritance in grsecurity2
by RaYmAn » Sun Jul 27, 2003 1:04 pm
- RaYmAn
- Posts: 9
- Joined: Thu Jul 10, 2003 8:08 am
by spender » Sun Jul 27, 2003 7:46 pm
Rule lookups will not fall back on group/default roles. The only time something similar to that will happen is when the role is applied to a user. If a user role for them exists, that will be applied, otherwise a group role if it exists, otherwise the default role. Inheritance (as it applies to configuration) is only done on a subject basis (falling back to subjects of parent paths, if they exist).
-Brad
-Brad
- spender
- Posts: 2185
- Joined: Wed Feb 20, 2002 8:00 pm
by RaYmAn » Tue Jul 29, 2003 10:59 am
Hi
What if for example I have a group users, which my user has as 'primary' group..then I have a group trusted which grants access to a little bit more(such as gradm authentication). my user is a member of that group.
How will the matching happen then?
say I try to authenticate with gradm -a, will "users" acl be applied or will "trusted" acl be applied, and hence denied or granted access?
I'm guessing it will be "users" acl that apply..if so I have a feature request: Possibility to define sub-roles i.e. trusted role is a sub-role (group) of users, hence granting access to what 'users' give access to but also what trusted gives access to. (trusted takes preference over users since it's a sub-role)
Would that be possible?
Regards, Jens Andersen
What if for example I have a group users, which my user has as 'primary' group..then I have a group trusted which grants access to a little bit more(such as gradm authentication). my user is a member of that group.
How will the matching happen then?
say I try to authenticate with gradm -a, will "users" acl be applied or will "trusted" acl be applied, and hence denied or granted access?
I'm guessing it will be "users" acl that apply..if so I have a feature request: Possibility to define sub-roles i.e. trusted role is a sub-role (group) of users, hence granting access to what 'users' give access to but also what trusted gives access to. (trusted takes preference over users since it's a sub-role)
Would that be possible?
Regards, Jens Andersen
- RaYmAn
- Posts: 9
- Joined: Thu Jul 10, 2003 8:08 am
4 posts
• Page 1 of 1