apache and perl programs

Postby Redragon » Wed May 07, 2003 3:26 am

I've tried several different things to allow perl programs to execute without having to define each and every perl program. I'm open to suggestions.

On my test box I have

/home/httpd/libexec/libhttpd.ep lAX {
    /home/httpd/libexec/libhttpd.ep x
    /
    /var/lib/mysql/mysql.sock rxw
    /home/httpd/bin/httpd x
    /bin/bash x
    /dev/null rw
    /home/httpd/htdocs/* rxw
    /home/httpd/cgi-bin/* rwx
    /home/httpd/cgi-bin/*/* rwx
    /home/httpd/logs/httpd.pid w
    /home/httpd/logs a
    /usr/lib rx
    /lib rx
    /tmp rxw
    /etc/ld.so.cache r
    /etc/grsec h
    /etc r
    /etc r
    /usr/share r
    -CAP_ALL
    +CAP_DAC_OVERRIDE
    +CAP_KILL
    +CAP_SETGID
    +CAP_SETUID
    +CAP_NET_BIND_SERVICE
    RES_CRASH 1 60000

    connect {
        0.0.0.0/0:53 dgram ip udp
    }

    bind {
        0.0.0.0/0:80 stream ip tcp
    }
}
for apache (its compiled DSO core)
yet the cgi program /home/httpd/cgi-bin/sm/admin.cgi isn't permitted to create (write) in this directory because it's not defined in the acl.

Is there any way to pass the acl of a parent to all its children? I couldn't find a way in the manual, but that doesn't mean it's not there.
Redragon
 
Posts: 2
Joined: Wed May 07, 2003 3:21 am

Postby spender » Wed May 07, 2003 8:06 am

Use the inheritance flag, "i", on the objects you want to inherit the ACL. BTW, when you mean all files in a directory, you really should just use the directory name, and not directory_name/*. When you do the latter, it adds an ACL for each file in the directory, which wastes memory. It's more efficient to just use the directory name.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
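Both suggestions applied to the cgi-bin and htdocs objects from the policy quoted above, as an added example that is not part of the original thread. It assumes the object modes documented for the grsecurity ACL system of that release ("i" marks an object whose execution inherits the containing subject's ACL, and a directory object covers everything beneath it that has no more specific object); the rest of the subject block is unchanged.

```text
# before (from the post): the kernel expands each glob into one object per
# matching file at load time, and admin.cgi, once executed, gets no ACL of
# its own and falls back to the default ACL
/home/httpd/htdocs/* rxw
/home/httpd/cgi-bin/* rwx
/home/httpd/cgi-bin/*/* rwx

# after: one object per directory, and "i" on cgi-bin so that any CGI
# executed from it (including subdirectories such as cgi-bin/sm) keeps
# running under this same httpd subject, which is what lets admin.cgi
# write into its own directory
/home/httpd/htdocs rxw
/home/httpd/cgi-bin rwxi
```

Keeping w and x together on cgi-bin reproduces the poster's requirement, but it also means nothing in this subject stops a CGI that has been compromised from writing a new script there and running it under the same ACL and capabilities; if only one subdirectory needs to be written to, give w to that directory object alone and leave the parent at rxi.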

Postby Redragon » Wed May 07, 2003 1:56 pm

Thanks tons, will give that a shot. For some reason, when I read the documents I pictured "i" as inheriting previously defined items, but after a closer look an acl automatically picks up definitions unless you use "O".

I'm really new to grsec, as yesterday was my first day, but I must say I love it already. As a security "enthusiast" in Linux, I find the abilities of grsec extremely nice.
Redragon
 
Posts: 2
Joined: Wed May 07, 2003 3:21 am
