Inheritance in grsecurity2

PostPosted: Sun Jul 27, 2003 1:04 pm
by RaYmAn
Hi
After getting learning ACLs to work properly with grsecurity2, I finally managed to get a learnt ACL that seems fairly decent.
However, I'm a bit confused about some things...
I, of course, have a default ACL that allows some amount of things.
Then I have a users ACL that allows a bit more.
However, I'm a bit confused about how that works... My user is in users. If I (with a program not explicitly allowed or denied) try to access some files that are not explicitly allowed by the / subject ACL of role users, but are explicitly allowed by the default ACL, will I get access to them then or not?
So I guess the real question is: is there role inheritance, or is the matching limited to only the first match?
I.e. if something doesn't match in the user ACL (i.e. it is neither allowed nor denied), will the group ACL be tested, and will the default ACL then be tested?
It makes quite a big difference wrt. duplicate entries and such (and I'm not fond of trying to enable the ACL without knowing...).
Regards,
Jens Andersen

PostPosted: Sun Jul 27, 2003 7:46 pm
by spender
Rule lookups will not fall back on group/default roles. The only time something similar to that will happen is when the role is applied to a user. If a user role for them exists, that will be applied, otherwise a group role if it exists, otherwise the default role. Inheritance (as it applies to configuration) is only done on a subject basis (falling back to subjects of parent paths, if they exist).

-Brad

PostPosted: Tue Jul 29, 2003 10:59 am
by RaYmAn
Hi
What if, for example, I have a group users, which my user has as its 'primary' group. Then I have a group trusted which grants access to a little bit more (such as gradm authentication), and my user is a member of that group.
How will the matching happen then?
Say I try to authenticate with gradm -a: will the "users" ACL be applied or will the "trusted" ACL be applied, and hence will access be denied or granted?
I'm guessing it will be the "users" ACL that applies. If so, I have a feature request: the possibility to define sub-roles, i.e. the trusted role is a sub-role (group) of users, hence granting access to what 'users' gives access to but also what trusted gives access to (trusted takes preference over users since it's a sub-role).
Would that be possible?
Regards, Jens Andersen

PostPosted: Tue Jul 29, 2003 12:04 pm
by spender
What you should do in that case is use the special role capability, so they can gradm -a <special role> and gain the extra privilege.

-Brad
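A policy fragment that illustrates the two answers above, the role lookup order (user role, else group role, else default, with no rule-level fall-back) and the special-role mechanism entered via gradm -a. This is an added example, not a policy from the thread and not grsecurity's own sample policy. It assumes the gradm syntax with braces around subject blocks (older policies write the same lines without them), that the originating role needs the G flag for gradm to reach the kernel, and the paths and the role name "trusted" are invented for the illustration.

```text
# Added example policy (not from the thread). Role and subject names,
# paths and the password step are assumptions made for illustration.

# Special role ("s" flag): never chosen by uid/gid. It is only entered by
# "gradm -a trusted" after its password has been set with "gradm -P trusted".
role trusted sG
subject / {
    /               r
    /usr/bin/gradm  x
}

# Default role: used only for a uid/gid that has neither a "u" nor a "g"
# role. Its objects are never consulted for a process running under
# another role, so nothing from here "leaks" into "role users" below.
role default G
subject / {
    /               h
    -CAP_ALL
    connect disabled
    bind    disabled
}

# Group role ("g" flag) for gid "users". A path missing from this role's
# subjects is denied; the kernel does not retry the lookup against
# "role default". role_transitions names the special roles a process in
# this role may switch to with "gradm -a" (assumes G is needed for that).
role users gG
role_transitions trusted
subject / {
    /               h
    /bin            rx
    /lib            rx
    /usr            rx
    /etc            r
    /home/jens      rwcd
    -CAP_ALL
}

# Subject fall-back (the only inheritance Brad describes): a process started
# from /usr/bin/ssh has no subject of its own in "role users", so the subject
# for "/" applies. Adding "subject /usr/bin/ssh { ... }" under the role
# would take precedence for that binary, and only that binary.
```

To go from a "users" shell to the extra privilege, the user runs gradm -a trusted and supplies the password set with gradm -P trusted; the process then runs under the "trusted" subjects instead of, not in addition to, the "users" ones, which is why the extra privilege is modelled as a separate special role rather than as a sub-role of users.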