[grsec] effective dual roles / suggested enhancements
jnf
jnf at nosec.net
Tue Jan 11 15:12:30 EST 2005
> If possible, use non-world-accessible home directories, then all
> policies in /home can be done with /home/*/.bash_history, etc in a group
> role, and any special users can be given their own user roles.
Ok, assuming I am understanding this correctly - I would do (in a group
role) like:
/home/*/.bash_history rac
Wouldn't that give everyone in the group read/append/create access to
everyone elses home directories? I think I am misunderstanding something
there.
> What you're probably looking for then is already implemented as domains.
> You can also use $HOME in your policy.
Yes, I started in using the domains, however the (assumed) lack of env
variables was the problem- I didn't see any good way of grouping them
together into domains with their home directory, however having $HOME
being supported changes the entire makeup of things and is _very_ much
appreciated. Are there any other keywords that are supported?
>
> You're doing it wrong. The auditing flags only enable auditing, they
> don't grant any permission. I suppose however I could change this
> behavior, as it wouldn't break anything.
So I would need like:
/path RWCDXrwcdx
to get my desired effect?
Hrm, I suppose it makes sense, it just never occured to me while sifting
through the documentation.
>
> I don't have a timeline for this, though it is on my TODO list.
Either way I am going to contact you offlist about such things, I
appreciate the hard work, I do a little kernel hacking myself and have
looked through various aspects of your patch and I appreciate the effort
put into it.
> -Brad
>
jnf
More information about the grsecurity
mailing list