ACL problem with 2.0pre3

Submit your RBAC policies or suggest policy improvements

ACL problem with 2.0pre3

Postby superbock » Wed Apr 23, 2003 12:43 pm

Hi!

I'm experimenting with roles, trying to create a restrictive environment for a regular user:

Here's the ACL i'm using for the moment:

role myuser u
role_transitions admin
subject / {

/

/dev
/dev/tty rw
/dev/pts rw
/dev/null rw
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/proc rwx
/proc/kcore h
/proc/sys r
/var/run/utmp rw

/etc r
/etc/profile.d rx
/etc/grsec h

/home
/home/myuser rwx

/bin rx

/lib rx
/lib/modules h

/tmp rw

/usr
/usr/bin rx
/usr/include r
/usr/lib rx
/usr/libexec rx
/usr/man r
/usr/share r

/sbin/consoletype x
/var/spool/mail/myuser rw

/home/* h
/usr/* h
/* h

-CAP_ALL
}

This works fine in general, except in /

$ ls
bin boot dev etc home lib proc tmp usr var

$ ls -l
ls: boot: No such file or directory
ls: var: No such file or directory
[...]

I use the same logic with / that i used in /home, so that the user can only list his homedir, but i don't get this kind of errors there.
What might i be missing?

Thanks in advance.
superbock
 
Posts: 37
Joined: Sun Mar 31, 2002 6:34 pm

Postby spender » Wed Apr 23, 2003 2:00 pm

/boot and /var must be partitions on your system. The partitions themselves can't be made hidden, since for each mountpoint, there exists two sets of inode/device numbers, both referencing the same file. Another problem is that from userspace, we can't really tell one of these sets of numbers. It's only used when traversing down the filesystem path. So, there's two ways to look at the file: as a file on the partition it's mounted on, or as "/" on the partition itself. We can't really solve this, since some of the logic requires there being a 1-to-1 function from filenames to inodes (but the reverse is not true of course, because of hardlinks).

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby superbock » Wed Apr 23, 2003 2:33 pm

Thanks for the reply Brad.

My workaround:

/var
/var/* h
/boot
/boot/* h

Can't hide the mount point, but can hide everything inside. So be it.
superbock
 
Posts: 37
Joined: Sun Mar 31, 2002 6:34 pm


Return to RBAC policy development