grsecurity forums

I've tried several different things to allow perl programs to execute without having to define each and every perl program. I'm open to suggestions.

On my test box I have

/home/httpd/libexec/libhttpd.ep lAX {
/home/httpd/libexec/libhttpd.ep x
/
/var/lib/mysql/mysql.sock rxw
/home/httpd/bin/httpd x
/bin/bash x
/dev/null rw
/home/httpd/htdocs/* rxw
/home/httpd/cgi-bin/* rwx
/home/httpd/cgi-bin/*/* rwx
/home/httpd/logs/httpd.pid w
/home/httpd/logs a
/usr/lib rx
/lib rx
/tmp rxw
/etc/ld.so.cache r
/etc/grsec h
/etc r
/etc r
/usr/share r
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_KILL
+CAP_SETGID
+CAP_SETUID
+CAP_NET_BIND_SERVICE
RES_CRASH 1 60000

connect {
0.0.0.0/0:53 dgram ip udp
}

bind {
0.0.0.0/0:80 stream ip tcp
}

}
for apache (its compiled DSO core)
yet cgi programs in /home/httpd/cgi-bin/sm/admin.cgi isn't permitted to create (write) in this directory because its not defined in the acl.

is there any way to pass the acl of a parent to all its children? I couldn't find a way in the manual but that doesn't mean its not there.

Use the inheritance flag, "i", on the objects you want to inherit the ACL. BTW, when you mean all files in a directory, you really should just use the directory name, and not directory_name/*. When you do the latter, it adds an ACL for each file in the directory, which wastes memory. It's more efficient to just use the directory name.

-Brad

Thanks tons, will give that a shot. For some reason when I read the documents I pictured i as inheriting previously defined items but after a closer look an acl automatically picks up definitions unless you use O.

I'm really new to the grsec as yesterday was my first day but I must say I love it already. As a security "enthusiast" in linux I find the abilities of grsec extremely nice.