Grsecurity denies unlink while delete is allowed

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby Xerxes83 » Tue Jul 26, 2005 6:34 am

This message is logged while I think I have given the process enough rights to delete the file (rm inherits the rights of the darbackup script):
Jul 26 03:11:45 megumi grsec: (root:U:/etc/cron.daily/darbackup) denied unlink of /mnt/data/backup/megumi-260705-0310.1.dar by /bin/rm[rm:28934] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/darbackup[darbackup:11472] uid/euid:0/0 gid/egid:0/0

The policy:
subject /etc/cron.daily/darbackup o {
user_transition_allow root
group_transition_allow root

        /
        /bin                            xi
        /dev
        /dev/null                       rw
        /dev/tty                        rw
        /dev/urandom                    r
        /etc                            h
        /etc/grsec                      h
        /etc/cron.daily/darbackup       rx
        /etc/group                      r
        /etc/ld.so.cache                r
        /etc/mtab                       r
        /etc/mutt                       r
        /etc/nsswitch.conf              r
        /etc/passwd                     r
        /etc/resolv.conf                r
        /lib                            rx
        /proc
        /proc/meminfo                   r
        /proc/sys/kernel
        /proc/sys/kernel/version        r
        /proc/kcore                     h
        /proc/bus                       h
        /root
        /tmp                            rwcd
        /usr                            h
        /usr/bin                        h
        /usr/bin/awk                    xi
        /usr/bin/dar                    x
        /usr/bin/md5sum                 xi
        /usr/bin/mutt                   xi
        /usr/bin/tail                   xi
        /usr/lib                        h
        /usr/lib/gconv                  rx
        /usr/lib/libgdbm.so.*           rx
        /usr/sbin                       h
        /usr/sbin/sendmail              x
        /usr/share
        /usr/share/zoneinfo/Europe      r
        /var                            h
        /var/run

        # Backup storage location
        /mnt/data/backup                rd

        $dev_hides | $dir_hides

        -CAP_ALL
        bind    disabled
        connect disabled
}

I am running kernel 2.4.31 with Grsecurity v2.1.6.
Xerxes83
 
Posts: 8
Joined: Fri Jun 17, 2005 2:03 pm

Postby Xerxes83 » Tue Aug 02, 2005 12:22 pm

No one knows? Or is preventing an unlink just to prevent a program from recreating a file as a different user? But then the ACL system should kick in...
Xerxes83
 
Posts: 8
Joined: Fri Jun 17, 2005 2:03 pm

Postby spender » Tue Aug 02, 2005 6:56 pm

To delete a file, you need both "w" and "d" access to it.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
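As an added example (not part of the thread and not grsecurity's own code), a small Python checker that reads a subject block like the one above, matches the path from the logged "denied unlink" line against the longest object prefix, and reports which mode letter is missing. The sample policy and log line are trimmed copies of those in the first post; the rule that unlink needs both "w" and "d" is spender's answer.

```python
import re

# Constructed sample: the subject block from the thread, trimmed to the relevant objects.
POLICY = """\
subject /etc/cron.daily/darbackup o {
        /
        /tmp                            rwcd
        # Backup storage location
        /mnt/data/backup                rd
        /usr                            h
}
"""

# The denial line quoted in the first post.
LOG_LINE = ("Jul 26 03:11:45 megumi grsec: (root:U:/etc/cron.daily/darbackup) denied unlink of "
            "/mnt/data/backup/megumi-260705-0310.1.dar by /bin/rm[rm:28934] uid/euid:0/0 "
            "gid/egid:0/0, parent /etc/cron.daily/darbackup[darbackup:11472] uid/euid:0/0 gid/egid:0/0")

DENY_RE = re.compile(r"grsec: \([^:]+:[A-Z]:(?P<subject>[^)]+)\) denied (?P<op>\w+) of (?P<path>\S+) by")

# Object-mode letters an operation needs; only the rule stated in the thread is encoded here.
REQUIRED = {"unlink": "wd"}

def parse_objects(policy):
    """Map object path -> mode letters for one subject block; a bare path has mode ''."""
    objects = {}
    for raw in policy.splitlines():
        line = raw.strip()
        if not line.startswith("/"):
            continue  # skip the subject header, comments, capability/socket lines and the brace
        fields = line.split()
        objects[fields[0]] = fields[1] if len(fields) > 1 else ""
    return objects

def matching_object(objects, path):
    """Pick the longest object that is the path itself or one of its parent directories."""
    candidates = [o for o in objects if path == o or path.startswith(o.rstrip("/") + "/")]
    return max(candidates, key=len) if candidates else None

def explain_denial(policy, log_line):
    """Return (object, mode, missing_letters) for a grsec denial, or None if the line is not one."""
    m = DENY_RE.search(log_line)
    if not m:
        return None
    objects = parse_objects(policy)
    obj = matching_object(objects, m["path"])
    mode = objects.get(obj, "")
    missing = "".join(c for c in REQUIRED.get(m["op"], "") if c not in mode)
    return obj, mode, missing

if __name__ == "__main__":
    obj, mode, missing = explain_denial(POLICY, LOG_LINE)
    print(f"{obj} has mode '{mode}', missing '{missing}'")  # /mnt/data/backup has mode 'rd', missing 'w'
```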
