Hi: my startx doesn't work with acls. This is my acl
/ {
/ r
/opt rx
/home rwx
/mnt rw
/dev rw
/dev/mem h
/dev/kmem h
/bin rx
/sbin rx
/lib rx
/usr rx
/etc rx
/proc rwx
/proc/sys r
/root r
/tmp rw
/var rwx
/var/tmp rw
/var/log ra
/boot r
/etc/grsec h
/var/log/wtmp rw
/var/log/faillog rw
/var/log/lastlog rw
/sbin/reboot h
/sbin/shutdown h
-CAP_LINUX_IMMUTABLE
-CAP_MKNOD
-CAP_SYS_RAWIO
-CAP_SYS_MODULE
}
/usr/X11R6/bin/startx {
/ rwxoi
}
when i run startx i get :
grsec: attempt to open /var/log/XFree86.0.log for writing by (X:401) UID(1000) EUID(0), parent (xinit:400) UID(1000) EUID(1000)
Fatal server error:
Cannot open log file "/var/log/XFree86.0.log"
When reporting a problem related to a server crash, please send
the full server output, not just the last messages.
Please report problems to xfree86@xfree86.org.
giving up.
xinit: No such file or directory (errno 2): unable to connect to X server
xinit: No such process (errno 3): Server error.
I tried changing startx to :
/usr/X11R6/bin/startx {
/usr/X11R6/bin/xinit rxi
/var/log/XFree86.0.log rwxoi
}
still the same thing.
How do I change the acl so that everything that startx runs has access to
everything on / ?. Because I think that xinit runs a bunch of other programs and those programs might run other programs. I want to make everything after startx have access to everything on the root directory.
acl and startx
6 posts
• Page 1 of 1
acl and startx
by pasholy » Sat Nov 02, 2002 9:22 pm
- pasholy
- Posts: 4
- Joined: Sat Nov 02, 2002 9:12 pm
by spender » Sun Nov 03, 2002 12:47 am
you're putting the inherit mode on a log, not something that can be executed. I would recommend not putting an ACL on startx as it's only a script. You should put the ACL on the /usr/X11R6/bin/XFree86 binary.
-Brad
-Brad
- spender
- Posts: 2185
- Joined: Wed Feb 20, 2002 8:00 pm
startx and xinit
by pasholy » Sun Nov 03, 2002 9:22 pm
I tried putting in two rules instead of the startx
/usr/X11R6/bin/XFree86 {
/ rwxoi
}
and that gives me the same error as above.
/usr/X11R6/bin/XFree86 {
/var/log/XFree86.0.log rwxoi
}
and that gives me a new error.
(==) Log file: "/var/log/XFree86.0.log", Time: Mon Nov 4 18:13:19 2002
(==) Using config file: "/etc/X11/XF86Config"
grsec: attempt to access hidden file [16:01:610] by (X:22959) UID(1000) EUID(0), parent (xinit:22958) UID(1000) EUID(1000)
Fatal server error:
xf86EnableIOPorts: Failed to set IOPL for I/O
When reporting a problem related to a server crash, please send
the full server output, not just the last messages.
This can be found in the log file "/var/log/XFree86.0.log".
Please report problems to xfree86@xfree86.org.
XIO: fatal IO error 104 (Connection reset by peer) on X server ":1.0"
after 0 requests (0 known processed) with 0 events remaining.
isn't there a way for everything ran by XFree86 to inherit everything in the root directory, so that I don't have to specify rules for all of the subproceses?
thanks.
/usr/X11R6/bin/XFree86 {
/ rwxoi
}
and that gives me the same error as above.
/usr/X11R6/bin/XFree86 {
/var/log/XFree86.0.log rwxoi
}
and that gives me a new error.
(==) Log file: "/var/log/XFree86.0.log", Time: Mon Nov 4 18:13:19 2002
(==) Using config file: "/etc/X11/XF86Config"
grsec: attempt to access hidden file [16:01:610] by (X:22959) UID(1000) EUID(0), parent (xinit:22958) UID(1000) EUID(1000)
Fatal server error:
xf86EnableIOPorts: Failed to set IOPL for I/O
When reporting a problem related to a server crash, please send
the full server output, not just the last messages.
This can be found in the log file "/var/log/XFree86.0.log".
Please report problems to xfree86@xfree86.org.
XIO: fatal IO error 104 (Connection reset by peer) on X server ":1.0"
after 0 requests (0 known processed) with 0 events remaining.
isn't there a way for everything ran by XFree86 to inherit everything in the root directory, so that I don't have to specify rules for all of the subproceses?
thanks.
- pasholy
- Posts: 4
- Joined: Sat Nov 02, 2002 9:12 pm
by spender » Sun Nov 03, 2002 9:24 pm
you don't have o in the subject mode, so it's inheriting ACLs. A gradm -T would have confirmed this. Try this for your ACL:
/usr/X11R6/bin/XFree86 {
/var/log/XFree86.0.log rw
/var/log/XFree86.1.log rw
/dev/mem rwo
+CAP_CHOWN
+CAP_SETUID
+CAP_SETGID
+CAP_DAC_OVERRIDE
+CAP_SYS_RAWIO
+CAP_SYS_MODULE
+CAP_SYS_NICE
}
/usr/X11R6/bin/XFree86 {
/var/log/XFree86.0.log rw
/var/log/XFree86.1.log rw
/dev/mem rwo
+CAP_CHOWN
+CAP_SETUID
+CAP_SETGID
+CAP_DAC_OVERRIDE
+CAP_SYS_RAWIO
+CAP_SYS_MODULE
+CAP_SYS_NICE
}
- spender
- Posts: 2185
- Joined: Wed Feb 20, 2002 8:00 pm
by pasholy » Sun Nov 03, 2002 10:04 pm
/usr/X11R6/bin/XFree86 {
/var/log/XFree86.0.log rw
/var/log/XFree86.1.log rw
/dev/mem rwo
+CAP_SYS_RAWIO
}
Did the trick. I'm still
a little confused as to how +CAP_SYS_RAWIO did that.
Thanks a lot for the help Spender.
/var/log/XFree86.0.log rw
/var/log/XFree86.1.log rw
/dev/mem rwo
+CAP_SYS_RAWIO
}
Did the trick. I'm still
a little confused as to how +CAP_SYS_RAWIO did that.
Thanks a lot for the help Spender.
- pasholy
- Posts: 4
- Joined: Sat Nov 02, 2002 9:12 pm
6 posts
• Page 1 of 1