ACL-wildcards

Post by meyerm » Tue Sep 24, 2002 2:33 pm

Hi,

is it possible to use wildcards inside of ACLs? I would like to give sshd on /home/*/.ssh/authorized_keys read access. And inserting it for every user is... well... not acceptable? :)

If it is not yet in grsecurity, will it be implemented in the future?

Thanks
meyerm
 
Posts: 15
Joined: Mon Sep 23, 2002 11:06 am

Post by spender » Wed Sep 25, 2002 7:33 pm

Not in there, and won't be implemented in the future. If you want that, use systrace when it gets ported to Linux, and take with it its problems and significantly greater performance hit (see how much your loaded network server likes it ;) similar applications of the same idea as systrace have performance hits up to 70%... If I had the link to the research, I'd paste it.)

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Post by Technion » Wed Sep 25, 2002 10:29 pm

I'd suggest writing your ACL set as a script if you want something like that.

I'm freestyling (so this example may contain bugs) but something like create a genACL.sh containing:

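#!/bin/sh
# Static part of the policy, followed by the opening of the subject block
cat <<EOF
THE REST OF YOUR ACLs GO HERE

/usr/bin/ssh {
EOF
# One object line per entry under /home
ls /home | awk '{print "/home/" $1 "/.ssh/authorized_keys"}'
# Close the subject block
echo }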


Then every time you add/remove a user, run this script like

./genACL.sh > /etc/grsec/acl

Then of course, reload your ACL set.
Technion
 
Posts: 15
Joined: Thu Apr 25, 2002 12:23 am
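
Added example, not part of the thread: a hardened variant of the generator idea above that rejects directory names able to inject extra fields or lines into the policy, skips symlinked homes, and replaces the target file by rename so a failed run cannot leave a truncated policy. The function names, the acl.static path, and the trailing " r" mode field on each object line are assumptions; the thread's script prints the path only.

```shell
#!/bin/sh
# Added example (not from the thread): hardened variant of genACL.sh.

# Accept only conservative directory names, so a crafted name under /home
# (spaces, newlines, braces) cannot inject extra fields or lines into the policy.
is_safe_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# gen_objects HOME_ROOT [MODE]: one object line per real home directory.
# Assumption: an object line is "<path> <mode>"; the thread prints the path only.
gen_objects() {
    root=$1; mode=${2:-r}
    for dir in "$root"/*/; do
        dir=${dir%/}
        [ -d "$dir" ] || continue          # unmatched glob or not a directory
        [ -L "$dir" ] && continue          # skip symlinked "homes"
        name=${dir##*/}
        if is_safe_name "$name"; then
            printf '%s/%s/.ssh/authorized_keys %s\n' "$root" "$name" "$mode"
        else
            printf 'genACL: skipped unsafe name under %s\n' "$root" >&2
        fi
    done
}

# gen_acl HOME_ROOT STATIC_FILE: static rules, then the generated subject block.
gen_acl() {
    cat "$2" || return 1
    printf '/usr/bin/ssh {\n'
    gen_objects "$1"
    printf '}\n'
}

# write_acl HOME_ROOT STATIC_FILE TARGET: build in a temp file and rename, so a
# failed run never leaves a truncated policy behind.
write_acl() {
    tmp=$(mktemp "$3.XXXXXX") || return 1
    if gen_acl "$1" "$2" > "$tmp"; then
        mv "$tmp" "$3"
    else
        rm -f "$tmp"; return 1
    fi
}

# Stand-alone use (acl.static is a hypothetical file holding the hand-written rules):
#   ./genACL.sh /home /etc/grsec/acl.static /etc/grsec/acl
if [ "$#" -eq 3 ]; then write_acl "$@"; fi
```

As in the thread, the ACL set still has to be reloaded after the file is regenerated.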

Post by meyerm » Thu Sep 26, 2002 6:52 am

Thanks for your replies.

Concerning the script proposal: Hmm, that would be a solution (a more or less ugly hack solution, but it would be one ;)). I think, that's the way to go for me. Thank you.
meyerm
 
Posts: 15
Joined: Mon Sep 23, 2002 11:06 am

