[grsec] denied rename with rwcd set?
Marc Schiffbauer
marc at schiffbauer.net
Thu Dec 16 19:10:24 EST 2004
* Brad Spengler wrote on 17.12.04 at 00:37:
> > is there a special needed permission bit to be allowed to rename
> > something?
>
> No, however in this case, the binary is trying to replace itself,
> which is a special (and rare) case. gradm automatically adds
> an object for the binary of a subject if an object does not
> exist for it (to ensure that the binary can't be overwritten by
> the application itself). To override this, like in this case,
> you need to add /usr/lib/AntiVir/antivir rwcd to the object list.
>
> -Brad
Thank you Brad for the explanation.

BTW: How does gradm behave if the subject is a directory?
Is it right that any binary in that dir will be assigned to that
subject even if it is created in the dir after ACL loading time?

-Marc
--
**********************************************************************
* Unix is like a wigwam: no gates, no windows, only apache inside *
**********************************************************************