[grsec] full learning sets O flag for every subject

Marc Schiffbauer marc at schiffbauer.net
Tue Mar 22 09:33:20 EST 2005


Hi Brad,

in the 2.1.3 Announcement you said:

> During the audit, a critical vulnerability was found in the RBAC
> system that effectively gave every subject the "O" flag, allowing 
> a root user for instance to gain the privileges of any other 
> process through LD_PRELOAD or ptrace.

Now if I do a full learning on a log I recorded, the resulting policy
has the "O" flag set for any subject in any role.

The roles are users, system services like MTA, MDA, cron jobs etc...

Is that intended?

-Marc

-- 
-------------------------------------------
Take back the Net! http://www.anti-dmca.org
-------------------------------------------

