[grsec] Another ACL question

[John Logsdon]

Having exercised a number of programs under a regular user while in full
learning, I see that some of these appear as subjects under the role
'root' rather than under the regular user role.

The commands I found are:

/bin/cat
/bin/chmod
/bin/grep
/bin/ls
/bin/mv
/bin/rm
/bin/touch
/usr/bin/diff

There were a lot more commands exercised and there are other subjects in
root.

Is this because these programs suid to root in order to execute?  In which
case I presumably need to leave them in root. I notice that in the
standard ACLs that come with the package, they are not specified under
role 'root'.

If I want a minimal root that is essentially like an ordinary user with a
role_transition to admin, can I remove them from root or will that disable
them completely for all users?  Or should they be moved to the default
role - although there is only a housekeeping difference as far as I can
see as they will still execute as root but under a default role.

I know I can try this but what is the 'approved' practice?

TIA

John

John Logsdon                               "Try to make things as simple
Quantex Research Ltd, Manchester UK         as possible but not simpler"
j.logsdon at quantex-research.com              a.einstein at relativity.org
+44(0)161 445 4951/G:+44(0)7717758675       www.quantex-research.com