grsecurity forums

root@soup:/etc/grsec# gradm -R
Password:
glob: No such file or directory

Might it be possible to track down this error so it doesnt do that any more, or add more verbose information on what generated the error? This is difficult to track down with a large acl

Also, does this mean that gradm is parsing out globbed masks when you launch it rather than it being a wildcard all the time grsec checks the acl against a process?

This is misleading/problematic if you wildcard /etc/mtab* however only /etc/mtab exists when you load it into gradm, however when grsec triggers against a process, you want it to cover /etc/mtab~ from your previous wildcard.


Thanks for any attention / info on this matter.

-TGK

It's not misleading. It's all there in the documentation, in bold in fact I believe.
I'll fix that error message in CVS though.

-Brad

Because the globbing character was used in the last path component, /dev/tty* expands to only the files that match the expression at the time the ACL system is enabled.

okay guilty as charged, even though I did RTFM before guess I'm just blind

As a feature request, would it be possible to add some sort of on the fly matching to grsec? My reasoning is that some stupid programs (mount/unmount) for example use temp random file names in /etc and I'd prefer not to rw the entire etc directory for mount/umount. Doing so could open up a vuln if they were overflowed they could write to other config files branching up there and lead to a partial compromise .

If there is a way to do it and I just didnt grasp it please let me know, and thanks for answering all the questions. I try to find this stuff out myself first but I do admit I'm still new to the acl system.

A better thing to do would be to fix ugly apps that do that sort of thing. Adding regex support into the core routines of the ACL system would kill the huge performance benefit we have compared to other systems, for something that is only useful for a few apps.

-Brad

Yes I figured the performance hit would be an issue =/. Rewriting things like mount/umount however does NOT appeal to me lol.

I guess a work around is to

acl {
/etc rw
/etc/passwd h
/etc/shadow h
/etc/etc... h
}

or, something i just thought of.....

/etc rw
/etc/* h

then it can create and read its temporary files, but can't modify anything else in /etc.

-Brad

damn, good one That will accomplish what i want nicely!

Little issue with implementing your idea:

/etc rw
/etc/* h
/etc/mtab rw
/etc/ld.so.cache r

Generates me:

root@soup:/etc/grsec# gradm -E
Duplicate ACL entry found for "/etc/mtab" on line 464 of /etc/grsec/acl.
The ACL system will not load until this error is fixed.

Obviously the duplicate entry is generated by the /etc/* h

Is there any other way to do what im asking of it besides adding an entry for everything in /etc?

If not, would it be possible to perhaps ask for a feature request that allows gradm to overwrite duplicate entries as it parses rather than bailing out? This is a dirty way to do it but I dont see any security/performance issues from it if the person knows what they are doing.

Thanks

Ok, I've just committed the code to CVS that will correct this. The only caveat to using it is you have to put the /etc/* line after any other /etc objects in the subject. The reason is, if the /etc/* is found first, the acl system will happily add acls for every file in /etc, then say it runs into another rule you have for /etc/mtab. This ACL will then be declared a duplicate. If you just follow this rule though, you'll be able to do what you want with passwd.

-Brad

I'll patch to most recent cvs and give things a shot tomorrow morning. Thanks for the changes and help, I'll let you know if I come up w/ any probs

-TGK