generated ACL has logrotate subject in /tmp

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

Postby halotron » Sun Jun 20, 2004 4:49 am

When I finished autogenerating a system-wide ACL with gradm 2.0 (kernel 2.6.5, Debian sid) I noticed a few strange subjects for logrotate executing in /tmp with a random name.

Obviously the next time logrotate runs it will use a different name, and so won't fit the subject.
Any suggestions on how to solve this?
I don't want to give root default execute privileges on /tmp.

---
subject /tmp/logrotate.0FayYs o {
/ h
/bin h
/bin/bash x
/bin/chmod x
/bin/chown x
/bin/ls x
/etc h
/etc/ld.so.cache r
/etc/ld.so.preload r
/etc/mtab r
/lib h
/lib/tls h
/lib/tls/libc-2.3.2.so rx
/lib/tls/libdl-2.3.2.so rx
/lib/ld-2.3.2.so x
/lib/libncurses.so.5.4 rx
/lib/libsafe.so.2.0.16 rx
/proc
/proc/meminfo r
/tmp h
/tmp/logrotat r
/usr h
/usr/bin/mysqladmin x
/var h
/var/log
/dev
/dev/null w
/dev/tty rw
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/root
-CAP_ALL
+CAP_DAC_OVERRIDE
bind disabled
connect disabled
}

subject /tmp/logrotate.OwMCui o {
/ h
/bin h
/bin/bash x
/bin/chmod x
/bin/chown x
/bin/ls x
/etc h
/etc/ld.so.cache r
/etc/ld.so.preload r
/etc/mtab r
/lib h
/lib/tls h
/lib/tls/libc-2.3.2.so rx
/lib/tls/libdl-2.3.2.so rx
/lib/ld-2.3.2.so x
/lib/libncurses.so.5.4 rx
/lib/libsafe.so.2.0.16 rx
/proc h
/proc/22280
/proc/meminfo r
/tmp h
/tmp/logrotate.OwMCui r
/usr h
/usr/bin/mysqladmin x
/var h
/var/log
/dev
/dev/null w
/dev/tty rw
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/root
-CAP_ALL
+CAP_DAC_OVERRIDE
bind disabled
connect disabled
}

subject /tmp/logrotate.VJeUxh o {
/ h
/bin h
/bin/bash x
/bin/chmod x
/bin/chown x
/bin/ls x
/etc h
/etc/ld.so.cache r
/etc/ld.so.preload r
/etc/mtab r
/lib h
/lib/tls h
/lib/tls/libc-2.3.2.so rx
/lib/tls/libdl-2.3.2.so rx
/lib/ld-2.3.2.so x
/lib/libncurses.so.5.4 rx
/lib/libsafe.so.2.0.16 rx
/proc h
/proc/8650
/proc/meminfo r
/tmp h
/tmp/logrotate.VJeUxh r
/usr h
/usr/bin/mysqladmin x
/var h
/var/log
/dev
/dev/null w
/dev/tty rw
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/root
-CAP_ALL
+CAP_DAC_OVERRIDE
bind disabled
connect disabled
}

and so on...
halotron
 
Posts: 5
Joined: Sun Jun 20, 2004 4:32 am
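The following is an added example, written for this thread and not taken from gradm, grsecurity or either poster. It parses only the subject/object syntax visible in the posted output (`subject <path> <mode> {`, `<path> <mode>` object lines, `+CAP_*`/`-CAP_*`, `bind`/`connect` lines, a closing `}`) and flags the two things that change from one run to the next: a subject whose executable lives in a temporary directory (the list `/tmp`, `/var/tmp`, `/dev/shm` is my assumption) and an object that names a specific `/proc/<pid>`. It also groups subjects whose bodies are identical once their own temp file and PID object are masked, which is what shows that the generated blocks above are one program under different random names. The policy text embedded in it is constructed, modelled on the post, not copied from a real system.

```python
"""Flag per-run subjects in a gradm learning-mode policy (added example)."""
import re
from collections import defaultdict

# Assumption: directories where a randomly named temp script would land.
TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

SUBJECT_RE = re.compile(r"^subject\s+(\S+)\s+(\S*)\s*\{\s*$")
PROC_PID_RE = re.compile(r"^/proc/\d+(/|$)")

# Constructed sample, modelled on the posted learning output.
SAMPLE_POLICY = """\
subject /usr/sbin/logrotate o {
/ h
/bin/bash x
/tmp h
-CAP_ALL
bind disabled
connect disabled
}

subject /tmp/logrotate.0FayYs o {
/ h
/bin/bash x
/proc h
/proc/8650
/tmp h
/tmp/logrotate.0FayYs r
-CAP_ALL
+CAP_DAC_OVERRIDE
bind disabled
connect disabled
}

subject /tmp/logrotate.OwMCui o {
/ h
/bin/bash x
/proc h
/proc/22280
/tmp h
/tmp/logrotate.OwMCui r
-CAP_ALL
+CAP_DAC_OVERRIDE
bind disabled
connect disabled
}
"""


def parse_subjects(policy_text):
    """Return [(subject_path, subject_mode, [body lines])] for each block."""
    subjects, current = [], None
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUBJECT_RE.match(line)
        if m:
            current = (m.group(1), m.group(2), [])
            subjects.append(current)
        elif line == "}":
            current = None
        elif current is not None:
            current[2].append(line)
    return subjects


def is_in_temp_dir(path):
    """True if the path is one of TEMP_DIRS or lies beneath one of them."""
    return any(path == d or path.startswith(d + "/") for d in TEMP_DIRS)


def normalize_body(path, body):
    """Mask the subject's own file and any /proc/<pid> object so that two
    runs of the same script compare equal; order-insensitive."""
    out = []
    for line in body:
        parts = line.split(None, 1)
        obj, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if obj == path:
            obj = "<SELF>"
        elif PROC_PID_RE.match(obj):
            obj = PROC_PID_RE.sub(r"/proc/<pid>\1", obj)
        out.append((obj + " " + rest).strip())
    return tuple(sorted(out))


def lint(policy_text):
    """Return (findings, duplicate_groups).

    findings: ("temp-subject", subject) or ("pid-object", subject, object)
    duplicate_groups: lists of subject paths with identical masked bodies
    """
    findings, groups = [], defaultdict(list)
    for path, _mode, body in parse_subjects(policy_text):
        if is_in_temp_dir(path):
            findings.append(("temp-subject", path))
        for line in body:
            obj = line.split(None, 1)[0]
            if PROC_PID_RE.match(obj):
                findings.append(("pid-object", path, obj))
        groups[normalize_body(path, body)].append(path)
    duplicates = [paths for paths in groups.values() if len(paths) > 1]
    return findings, duplicates


if __name__ == "__main__":
    found, dups = lint(SAMPLE_POLICY)
    for f in found:
        print("per-run item:", *f)
    for group in dups:
        print("same program, different temp names:", ", ".join(group))
```

Run it against a real learning-mode output (`lint(open("/etc/grsec/policy").read())`) before enabling the policy; every `temp-subject` hit is a block that will be dead on the next run, and each duplicate group is one script that should get a single, stable subject once its temp file is given a fixed location, as the reply below ends up doing.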

Re: generated ACL has logrotate subject in /tmp

Postby Hue-Bond » Mon Dec 13, 2004 5:59 pm

>subject /tmp/logrotate.0FayYs o {
>subject /tmp/logrotate.OwMCui o {
>subject /tmp/logrotate.VJeUxh o {

My personal far-from-perfect solution was to patch logrotate so it always uses "logrotate.XXXXXX" as the name of the temp file. Then I changed its TMP environment variable so it doesn't create that file in /tmp but in another location.
Hue-Bond
 
Posts: 34
Joined: Mon Dec 13, 2004 4:31 pm

