[grsec] User domains and objects
John Logsdon
j.logsdon at quantex-research.com
Thu Dec 9 03:15:56 EST 2004
An ACL question:
What is the safest way to handle user-specific access for a user that is a
member of a domain?
For example, if we have user X, we can specify:
role X u
subject / {
/ r
/var h
/var/spool/mail/X
...
/home rwc
/home/X rwtcd
etc
But if X is a member of domain Y, the only way I can see to do this is to
use a wildcard * so that:
domain Y u X
subject / {
/ r
/var h
/var/spool/mail/*
...
/home rwc
/home/* rwtcd
etc
but this means that in principle user Y can access or see all mail and
home directories in this example.
Is there a token or something that can be used? In a sense the logical
token would be to use the domain name Y or $Y or something but I am not
aware of this syntax in gradm.
Obviously the usual Linux permissions should apply but these are one rwx
and not therefore as fine-grained as grsec.
TIA
John
John Logsdon
Quantex Research Ltd, Manchester UK
j.logsdon at quantex-research.com
+44(0)161 445 4951/G:+44(0)7717758675
www.quantex-research.com

"Try to make things as simple as possible but not simpler"
a.einstein at relativity.org
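The over-exposure the post worries about (a wildcard object under /home or /var/spool/mail in a domain subject) can be checked for mechanically. The script below is an added example, not part of the post and not gradm's own tooling; it parses the simplified role/domain, subject and object syntax shown above and assumes a constructed policy (the author's domain example with closing braces added).

```python
# Constructed sample in gradm RBAC syntax, following the domain example in the post
# (closing brace added so the block parses; object modes as the author gave them).
POLICY = """\
domain Y u X
subject / {
/ r
/var h
/var/spool/mail/*
/home rwc
/home/* rwtcd
}
"""

# Per-user trees where a wildcard object hands every domain member every user's data.
SENSITIVE_PREFIXES = ("/home/", "/var/spool/mail/")

def parse_policy(text):
    """Return (role_kind, role_name, subject, path, mode) for every object line."""
    role_kind = role_name = subject = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] in ("role", "domain"):
            role_kind, role_name = parts[0], parts[1]
        elif parts[0] == "subject":
            subject = parts[1]
        elif line == "}":
            subject = None
        elif subject is not None:
            path = parts[0]
            mode = parts[1] if len(parts) > 1 else ""   # no mode given = no access
            entries.append((role_kind, role_name, subject, path, mode))
    return entries

def find_wildcard_exposure(text):
    """Flag wildcard objects in domain subjects that grant read or write under a
    sensitive prefix: the case where user-specific data becomes domain-wide."""
    findings = []
    for kind, name, subj, path, mode in parse_policy(text):
        if kind != "domain" or "*" not in path:
            continue
        if path.startswith(SENSITIVE_PREFIXES) and ("r" in mode or "w" in mode):
            findings.append((name, subj, path, mode))
    return findings

if __name__ == "__main__":
    for finding in find_wildcard_exposure(POLICY):
        print("domain %s subject %s: %s %s" % finding)
```

On the sample policy only `/home/* rwtcd` is reported; `/var/spool/mail/*` carries no mode and so grants nothing.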