[grsec] effective dual roles / suggested enhancements

jnf jnf at nosec.net
Tue Jan 11 14:17:15 EST 2005


Hi,

What I am trying to accomplish may be possible, but I am not sure. Is
there a way to have a user match both a user role and a group role? For
instance I have a bastion host with many users that need to access the box
in order to hop through it, the programs and files they need access too
are constant minus their home directories, in which they need read/write
access to certain files within it (.profile / append to .bash_history,
.ssh/known_hosts / etc ), In trying to get them to match against dual
roles this seemed impossible to the best of my knowledge. At the moment I
have a role for each user which results in a 12,000+ line policy, which
takes about 1 minute 43 seconds to load upon issuing a gradm -E.

Writing the policy was a bit of a pain in the ass also, it would be so
nice if macro's were supported- it would be nice to be able to define
macro's but also have special variable along the lines of $user or similar
so I could define one group and then do something similar to:

/home/$user/.bash_history      rac

In addition to that, perhaps I am doing it wrong, but it seems the
auditing modes are broken at least in 2.0.1 (I think that was the release
version prior to 2.1.0). Am I correct in this statement? If I am
understanding it correctly I should be able to do something like:

/home/user       RWCDX

and have all read/writes/creates/deletes/executions logged, however when I
do this it seems to drop the permissions.

Also, I understand that eventually, you Brad, intend to expand the regexp
support to support character ranges, is there any probable timeline there?
i.e. /proc/[a-zA-Z]*     r would be great.

I plan on testing out the new 2.1.0 RBAC system here shortly, and I
understand the capability inheritance (inheritance in general) has been
improved, so I hope that will fix the issues I have been having making
syslog-ng run as a non-root user (it doesnt appear to be getting
CAP_SYS_ADMIN).

Overall the RBAC system is a great system, however it would be great if
dual roles or (better) grouping/macro's were supported, it would make my
life so much easier.

Thanks alot,

jnf

--

There are only two choices in life. You either conform the truth to your desire,
or you conform your desire to the truth. Which choice are you making?


More information about the grsecurity mailing list