[grsec] denied rename with rwcd set?

Marc Schiffbauer marc at schiffbauer.net
Thu Dec 16 19:10:24 EST 2004


* Brad Spengler wrote on 17.12.04 at 00:37:
> > is there a special needed permission bit to be allowed to rename
> > something?
> 
> No, however in this case, the binary is trying to replace itself,
> which is a special (and rare) case.  gradm automatically adds
> an object for the binary of a subject if an object does not
> exist for it (to ensure that the binary can't be overwritten by
> the application itself).  To override this, like in this case,
> you need to add /usr/lib/AntiVir/antivir rwcd to the object list.
> 
> -Brad

Thank you Brad for the explanation.

BTW: How does gradm behave if the subject is a directory?
Is it right that any binary in that dir will be assigned to that
subject even if it is created in the dir after ACL loading time?

-Marc
-- 
**********************************************************************
*   Unix is like a wigwam: no gates, no windows, only apache inside  *
**********************************************************************