grsecurity forums

[superbock]

Hello again

Objective: configure ACL's to prevent user with shell access to execute files in cgi-bin but allow them to be executed by suexec

User has a role. Inside the role, his home_dir is rw in the default subject.
Then, there is subject /usr/sbin/suexec, like this:

subject /usr/sbin/suexec {
/home/user/cgi-bin rx
/var/log/httpd/suexec_log a
}

All this is in a file that is included by "acl"

Then i reload the ACL's, and i get this:

Duplicate ACL entry found for "/usr/sbin/psa-suexec" on line 1 of /etc/grsec/acl.
"/usr/sbin/psa-suexec" references the same object as the following object(s):
/usr/sbin/suexec
specified on an earlier line.The ACL system will not load until this error is fixed.

suexec is a hardlink of psa-suexec. But i don't define any subject for any of them in the default acl. Also, the ACL's in roles aren't completely independent from the default ACL/role ?

Need some light here. Thanks again in advance.

[spender]

Can you mail your ACLs to spender@grsecurity.net? It would help to see them in context.

-Brad

[superbock]

Done!!

Tks!

[spender]

I haven't been able to duplicate the problem here. Could you grab current CVS of gradm2? I added some additional verbosity for that error that may help resolve the problem.

-Brad

[superbock]

Here it is:

Duplicate object found for "/usr/sbin/psa-suexec" in role some_user, subject /usr/sbin/suexec, on line 1 of /etc/grsec/acl.
"/usr/sbin/psa-suexec" references the same object as the following object(s):
/usr/sbin/suexec
specified on an earlier line.The RBAC system will not load until this error is fixed.

I'm pretty much in the dark as before. And I really don't understand why it complains about "line 1".

[spender]

Ok, I believe the problem is related to configuration inheritance. To verify, change all occurences of GR_FEXIST in gradm_opt.c to GR_FLEARN.

-Brad

[superbock]

got latest CVS and did the change. gradm does not complain now and the acl seems to be working properly.