[grsec] effective dual roles / suggested enhancements

John Logsdon j.logsdon at quantex-research.com
Tue Jan 11 18:07:08 EST 2005


Brad and all

I see from gradm_parse.c that this is the only token at the moment but the
message on line 498 (v 2.1) indicates this is only for user roles.

Does this exclude domains or is that part of the code parsed by an
expanded domain list of users?  

i.e. can we write:

domain spender u brad1 brad2
subject /bin/blah
  ...
  $HOME/.bash_history ra

and have it expanded to /home/brad1 for user brad1 and /home/brad2 for
user brad2?

BTW Did you ever implement continuation lines for domains?  A domain with
many users/groups is rather difficult to read in simple editors like vi or
pico and definitely if the policy is printed out.

John

John Logsdon                               "Try to make things as simple
Quantex Research Ltd, Manchester UK         as possible but not simpler"
j.logsdon at quantex-research.com              a.einstein at relativity.org
+44(0)161 445 4951/G:+44(0)7717758675       www.quantex-research.com


On Tue, 11 Jan 2005, Brad Spengler wrote:

> > As for the $HOME thing, that would be an object set I defined?
> 
> No, just use it within the object name:
> 
> role spender u
> subject /bin/blah
>   ...
>   $HOME/.bash_history ra
> 
> it automatically expands to the homedir of the user, in this case 
> /home/spender.
> 
> If there are other macros like these that would be useful, let me know 
> what they are, and I will add them.
> 
> -Brad
> 


