
UID/GID ACL?

Posted: Thu Nov 07, 2002 6:55 pm
by Joel
Hi.

I read the post about "chroot'ing" with ACLs and have been trying to think of a way by which this "chroot" can be made to restrict access to different directories based on system user/group.

Is there a way to do this? The only thing I came up with would be a UID/GID based ACL. Is there such a thing in GRSec? Will there be?

Thanks for your hard work.
It's been of great help to me.

Joel A. Chornik

Posted: Sat Nov 09, 2002 9:39 pm
by Sharky
What you can do is basically ADD the GID you want them to be chrooted to the customized Chrooted Bash.
In my example before, for instance, I have CREATED a bash called bash-3,
so what you can do is edit /etc/passwd and change the shell of the users you want to restrict to bash-3 instead of their original shell.

Posted: Mon Nov 11, 2002 7:38 am
by Joel
sharky, thanks for your reply.
although generating the need for about 500 :) hardlinks, this will suffice for granting restricted ssh access to my users.

now suppose I want similar restrictions applied to apache's suexec, but the ACL should be different based on which is the calling user. (depending on the user, access to one homedir or another should be granted, everything else denied)

is there a way to do this with current grsec ACLs?

once again thanks a lot for your help.

Posted: Mon Nov 11, 2002 3:20 pm
by Sharky
Hi again
First of all you will have to create an acl for apache in learning mode.
What you should do basically is create the following ACL
/path/to/your/httpd lo {
    / h
    -CAP_ALL
    RES_FSIZE 0 0
    RES_DATA 0 100
    RES_RSS 0 0
    RES_NOFILE 0 0
    RES_MEMLOCK 0 0
    RES_STACK 0 0
    RES_AS 0 0
    RES_NPROC 0 0
    RES_LOCKS 0 0
    connect {
        disabled
    }
    bind {
        disabled
    }
}

let it run for a couple of days, maybe weeks depending on how often your system HTML are being ACCESSED.
After that you will have to have a look at the generated ACL.
use gradm -L -O learn
go to your learn file and check what RESTRICTIONS were applied. Check which directories need to be accessed and which won't.
BASED on that you can customize it as you want.
here's my GENERATED ACL for my httpd

disabled
}
bind {
disabled
}
}
connect {
disabled
}
bind {
disabled
}
}
based on your users you can tell which directories need to be accessed etc.
Regards.

Posted: Mon Nov 11, 2002 3:22 pm
by Sharky
forget the one pasted, I PASTED something wrong heh.

Posted: Tue Nov 12, 2002 5:32 am
by Joel
yes, I understand what you meant.
But suppose the following:

Apache is configured with name based virtualhosts, and suExec, each virtualhost with its own user/group.

I want different virtualhosts (or different user/groups for that matter) to have different ACLs. Very similar ACLs, but different.

can this be done?
thanks again for your time.

Joel.

Posted: Wed Nov 13, 2002 5:19 pm
by spender
I don't think that's possible in the current model. It will be very easy to do in the new ACL system that will support roles. You'll have to wait a couple of months for that though.

-Brad

Posted: Wed Nov 13, 2002 7:56 pm
by Sharky
Hi joel
Spender is the coder, he knows better than all of us here, he gave u a direct and straight forward to the point answer :)

Posted: Wed Nov 13, 2002 8:45 pm
by Joel
spender and sharky.

thanks both for your replies.
I am eager to see this roles thing going.

I've been using Linux Trustees but I don't like it very much and it does not co-exist peacefully with grsec.

thanks again.
Joel.

Posted: Tue Jan 13, 2004 1:47 am
by Cyt0plas
Sounds like you could use Linux Trustees (http://trustees.sourceforge.net). I use it with grsecurity, in the WOLK (http://wolk.sourceforge.net) kernel. Grsec gets ACLs for the programs, Trustees lets you do ACLs for people/groups.

A nice combo.