sftp denied link

A place to submit your RBAC policies and generate ideas for better ones

Moderators: spender, PaX Team

Post by ralphy » Wed Jun 13, 2007 2:45 pm

I have my ACL policy set up to a degree where it's functional yet minimal, in that it all works but users aren't allowed things they shouldn't be allowed to. However, as far as sftp goes, users can connect and upload files, but renaming in sftp is broken for me. sftp reports "Permission denied" when trying to rename a file in a user's home directory, with grsec.log showing denied links from old.file to new.file. I'm at a loss as to what I have to do to fix this. Any suggestions?
ralphy
 
Posts: 52
Joined: Wed Jan 11, 2006 12:51 pm

Post by ralphy » Sun Jun 17, 2007 12:50 am

Silly me! Got it :) Keep up the good work guys!
ralphy
 
Posts: 52
Joined: Wed Jan 11, 2006 12:51 pm

Post by brant » Sat Aug 25, 2007 12:09 pm

As this forum is the main means of support for grsecurity, could you please provide an example of the solution? This will help others with the same problem. ;)
brant
 
Posts: 9
Joined: Fri Feb 03, 2006 2:35 am
Location: earth, sol

Post by ralphy » Wed Aug 29, 2007 6:45 pm

I think this is proper. Maybe spender or somebody could comment if it's wrong or if it's okay?

Code:
subject /usr/lib/misc/sftp-server
        /etc/passwd             r
        /etc/group              r
        /dev/log                rw
        /home                   rx
        /home/*                 rwcdl
ralphy
 
Posts: 52
Joined: Wed Jan 11, 2006 12:51 pm

Post by spender » Thu Sep 20, 2007 6:00 pm

I'm not sure "x" is needed on /home, but it's harmless in this case.

-Brad
spender
 
Posts: 1881
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA
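
Added example, not part of the original thread and not OpenSSH's code: OpenSSH's sftp-server renames a regular file by hard-linking it to the new name and then unlinking the old one, which is why grsec.log reports a denied link and why the object needs "l" alongside "c" and "d". The sketch below shows that two-step pattern; rename_via_link, touch_file and the /tmp paths are hypothetical names constructed for the illustration.

```c
/* Added example: rename implemented as link(2) followed by unlink(2). */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns 0 on success, else the errno of the failed step. */
int rename_via_link(const char *oldpath, const char *newpath)
{
    struct stat st;
    if (lstat(oldpath, &st) == -1)
        return errno;
    if (!S_ISREG(st.st_mode))            /* directories cannot be hard-linked */
        return rename(oldpath, newpath) == -1 ? errno : 0;
    /* Step 1: create the new name. This is the call an RBAC object without
     * "l" denies; it also fails with EEXIST rather than overwrite a target. */
    if (link(oldpath, newpath) == -1)
        return errno;
    /* Step 2: remove the old name (needs "d"); undo step 1 if that fails. */
    if (unlink(oldpath) == -1) {
        int saved = errno;
        unlink(newpath);
        return saved;
    }
    return 0;
}

/* Hypothetical helper: create an empty file, failing if it already exists. */
int touch_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return fd == -1 ? errno : close(fd);
}

int main(void)
{
    char dir[] = "/tmp/rvl-XXXXXX", a[64], b[64];   /* constructed paths */
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(a, sizeof a, "%s/old.file", dir);
    snprintf(b, sizeof b, "%s/new.file", dir);
    touch_file(a);
    printf("rename -> errno %d\n", rename_via_link(a, b));
    unlink(b); rmdir(dir);
    return 0;
}
```

If step 1 is refused by policy, the client sees the error from link(2) as "Permission denied" even though creating and deleting files in the same directory still work.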

