grsec does not allow gradm -R by default

Posted: Sat Jul 31, 2004 1:40 am
by in-grsecurity@baka.org
With a fairly (very) permissive configuration, gradm -R does not work. I am allowed to gradm -D and gradm -E. I'm not too enthused to try out different options because of the risk of locking myself out. Knowing the proper magic to insert would be great!

-------------------------
not seth> ./gradm -R
Password:
Error changing directory to /etc/grsec
Error: No such file or directory
-------------------------

No syslog messages are produced. This is running in the default role.

This is using the 2.6.7 patch specified in a recent forum post, and a slightly modified cvs-tip gradm2 (modified to allow the analysis to be suggestions, not requirements).

The relevant configuration is:

role super sA {
    subject / r {
        / rwcdmxi
        +CAP_ALL
        +CAP_SYS_RAWIO
    }
}

role admin sA {
    subject / r {
        / rwcdmx
        +CAP_ALL
        +CAP_SYS_RAWIO
    }
}

role default G {
    role_transitions admin super
    subject / r {
        / rwcdmx
        +CAP_ALL
        +CAP_SYS_RAWIO
    }

    [.....]
}

Posted: Sat Jul 31, 2004 1:34 pm
by in-grsecurity@baka.org
OK, reading the man page (yes, yes) I discovered that you have to be in admin mode to use gradm -R. However, I believe that restriction is just silly--given you can disable the system using the same password--so I still want to know the rule to insert to allow -R to work.

Posted: Tue Aug 03, 2004 1:39 am
by spender
The reason is that gradm -R needs access to the configuration files so that it can reload them and re-parse them. You shouldn't be able to modify your configuration unless you are in the admin role anyway (and if you are, you have an extremely poor policy configured, despite the attempts of gradm to get you to use a secure policy).

-Brad

Posted: Wed Aug 04, 2004 10:26 am
by in-grsecurity@baka.org
spender wrote:
The reason is that gradm -R needs access to the configuration files so that it can reload them and re-parse them. You shouldn't be able to modify your configuration unless you are in the admin role anyway (and if you are, you have an extremely poor policy configured, despite the attempts of gradm to get you to use a secure policy).

-Brad


I understand that. My point is that having gradm -R require two levels of authentication while gradm -D only requires one does not make sense. gradm -D is the more dangerous command, since gradm -R will only affect the security policy if someone has the necessary rights to modify the policy file, and, as you point out, if they can do that, you have more serious problems.