Wildcards in object

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

Post by FloFri » Wed Jun 16, 2004 4:28 pm

Hi!

I use the Maildir system on my server. So every user has the following directory: ~/Maildir

I want to give my imapd access to these Maildirs (I think it is not good to give it rwcd permissions on /home :) )

I use the following Objects:

/home
/home/*/Maildir rwcd

But when I run it I get the following error:
denied open of /home/florian/Maildir/.Drafts/courierimapacl for reading by /usr/bin/imapd[imapd:30068] uid/euid:1010/1010 gid/egid:8/8, parent /usr/sbin/couriertcpd[couriertcpd:28952] uid/euid:0/0 gid/egid:0/0

Can anyone help me?
FloFri
 
Posts: 5
Joined: Wed Jun 16, 2004 4:46 am

Post by spender » Wed Jun 16, 2004 7:36 pm

Add the following rule:

/home/*/Maildir/* rwcd

The reason is that when using the wildcard expressions, creating an expression that matches a directory will only match that directory, and will not apply to files or directories within it. The above expression will apply to those files and directories.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Post by FloFri » Wed Jun 16, 2004 8:11 pm

thx

One last question: are there other wildcards than * and ? in grsecurity?

Because with this configuration, there could be a possibility to write files in positions where it should not.

(for example if there is a directory /home/florian/foo/foo/Maildir it has rwcd rights there)
FloFri
 
Posts: 5
Joined: Wed Jun 16, 2004 4:46 am

Post by spender » Thu Jun 17, 2004 2:46 am

I will be adding [a-zA-Z0-9] type support shortly. * and ? are the only characters supported currently.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Post by rocky » Thu Jun 17, 2004 8:27 am

I know what the * wildcard does, but what does the ? wildcard do?

-Rocky
rocky
 
Posts: 19
Joined: Tue Dec 09, 2003 4:54 am

Post by FloFri » Thu Jun 17, 2004 11:29 am

* is multiple characters, ? is only one

So for example:

/???/ will match /abc/ but not /ab/ and not /abcd/

/*/ will match all of them
FloFri
 
Posts: 5
Joined: Wed Jun 16, 2004 4:46 am

Post by rocky » Thu Jun 17, 2004 4:36 pm

sexy thanks
rocky
 
Posts: 19
Joined: Tue Dec 09, 2003 4:54 am
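
Added example (not part of the thread and not grsecurity's own matcher): a small Python model for auditing which paths a set of wildcard objects covers, showing both points raised above: a directory pattern matches only the directory itself, and a `*` in the middle of a pattern can reach deeper directories than intended. It assumes, as FloFri's example does, that `*` and `?` may match `/`; the names `to_regex` and `audit` and the sample paths are constructed for illustration.

```python
import re

def to_regex(pattern, tight):
    """Translate an object pattern using only * and ? into a regex.
    tight=False: wildcards may match '/', as FloFri's example assumes.
    tight=True: only a trailing * may cross '/'; others stay in one component."""
    out = []
    for i, ch in enumerate(pattern):
        trailing = i == len(pattern) - 1
        if ch == "*":
            out.append(".*" if (trailing or not tight) else "[^/]*")
        elif ch == "?":
            out.append("[^/]" if tight else ".")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out) + r"\Z", re.DOTALL)

def audit(patterns, paths):
    """Classify each path: 'unmatched', 'matched', or 'matched-deep'
    (matched only because a non-trailing wildcard spans several components)."""
    verdicts = {}
    for path in paths:
        loose = any(to_regex(p, False).match(path) for p in patterns)
        tight = any(to_regex(p, True).match(path) for p in patterns)
        verdicts[path] = "matched" if tight else "matched-deep" if loose else "unmatched"
    return verdicts

# Constructed sample paths, based on the ones mentioned in the thread.
PATHS = [
    "/home/florian/Maildir",
    "/home/florian/Maildir/.Drafts/courierimapacl",
    "/home/florian/foo/foo/Maildir",
    "/home/florian/foo/foo/Maildir/new/msg1",
    "/home/florian/.ssh/authorized_keys",
]
BEFORE = ["/home/*/Maildir"]                      # original wildcard object
AFTER = ["/home/*/Maildir", "/home/*/Maildir/*"]  # with the added rule

if __name__ == "__main__":
    for name, pats in (("before", BEFORE), ("after", AFTER)):
        print(name)
        for path, verdict in audit(pats, PATHS).items():
            print(f"  {verdict:13} {path}")
```

Paths reported as `matched-deep` are the ones to review before granting `rwcd` through a mid-path wildcard; `unmatched` only means no wildcard object in the list covers the path, since non-wildcard objects such as `/home` are not modelled.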

