grsecurity forums

by **asok** » Thu Sep 12, 2002 1:53 pm

I am very new to grsecurity, so sorry if this is a stupid question.

Is there any way to create an ACL that says that a certain subject (let's say /bin/touch) can write to a certain object (let's say /var/tmp/timestamp) only if the subject's parent is a certain other subject (let's say /usr/bin/cleverscript)?

If I understand correctly, something like
/usr/bin/cleverscript {
....
/bin/touch rxi
/var/tmp/timestamp w
....
}
is not the correct solution for me, because in this case /bin/touch may inherit several other ACLs (e.g. /usr/bin/cleverscript might have CAP_SYS_RAWIO :wink:

, which I might not wish /bin/touch to inherit).

Anyway, I am starting to really enjoy grsecurity, inheritance and the learning mode are great. RBAC would be nice however...

Thanks in advance,
Akos

by **spender** » Thu Sep 12, 2002 10:43 pm

That exactly the situation I'm going to solve with the rewrite of the ACL system, which will support roles and nested ACLs.

-Brad

by **meyerm** » Tue Sep 24, 2002 7:10 am

Ah. OK, that means for now I cannot create different ACLs for a bash started local and for a bash started by sshd, right?

And if I understood you right, this will be possible in the future.

Do you already know, when this will be approximately?

Thanks

by **spender** » Tue Sep 24, 2002 10:38 am

Correct. I'm guessing this will take about a month or so. I'm completely rewriting all of grsecurity by myself, so you have to give me some time

-Brad

by **meyerm** » Tue Sep 24, 2002 10:53 am

One month? Hmm, ok. *setMyStopwatch*

grsecurity forums

Newbie ACL parent question

Newbie ACL parent question