[grsec] "denied attempt to chmod +s" in chroot: exceptions possible?
Brad Spengler
spender at grsecurity.net
Tue Feb 22 09:20:10 EST 2005
On Tue, Feb 22, 2005 at 01:42:23PM +0100, Marc Schiffbauer wrote:
> Hi,
>
> I configured:
>
> [*] Chroot jail restrictions
> [*] Deny (f)chmod +s
>
> in the Kernel.
>
> Is there a way to allow an admin to do "chmod +s" in a chroot when
> he is authenticated to the RBAC system with a special ACL?
Yes, that's what the "m" object flag is for. You should disable that
chroot restriction and just only use the "m" object in the special role
for the files you want to allow to be made suid/sgid.
-Brad