Hi!
Scenario:
let's say httpd launches a process called /xpto/bin/usermng, which is a symlink to /xpto/sbin/wrapper. wrapper is a suid program, that then calls the real /xpto/sbin/usermng. usermng needs to write in /etc (for shadow/passwd and temp files).
I have these two entries in my default acl:
subject /xpto/sbin/* {
/etc rw
}
subject /xpto/bin/* {
/etc rw
}
I use the wildcard because some other programs need that access too.
Yet, i get this on the logs:
denied open of /etc/shadow.xpto_lock for reading writing by (usermng:17467) uid/euid:0/0 gid/egid:0/0, parent (httpd:6677)
What can i be missing? Btw, wouldn't be a good idea that the process shows up on the logs with it's full path?
I'm using 2.0pre4
Thanks in advance
Problem
3 posts
• Page 1 of 1
by spender » Wed May 14, 2003 8:09 am
globbing isn't supported by subjects. What you really wanted was:
subject /xpto/bin {
/etc rw
}
subject /xpto/sbin {
/etc rx
}
Be careful with your use of globbing. It adds an ACL for each file that matches. If you mean every file in a directory, it is better to use the directory name for the ACL.
-Brad
subject /xpto/bin {
/etc rw
}
subject /xpto/sbin {
/etc rx
}
Be careful with your use of globbing. It adds an ACL for each file that matches. If you mean every file in a directory, it is better to use the directory name for the ACL.
-Brad
- spender
- Posts: 2185
- Joined: Wed Feb 20, 2002 8:00 pm
3 posts
• Page 1 of 1