Hi,
I want to achieve the following:
If users are added, a script should do the following tasks:
- automatically append a new role to the policy
- reload policy
How can this be done _without_ piping or typing passwords to grsec?
Of course, it can be done like this:
- add a role "reloader" with access to /etc/grsec/* and /dev/grsec without auth
- run echo "password" | gradm -R
But this is NOT good, because the password might be visible to other processes.
Or is it guaranteed that _nobody_ will be able to see this command line from anywhere (if /proc restrictions are set to only viewing own processes with, for example, "ps aux")?
If this was the case, the bash script which appends new roles and reloads the policy could be hidden, too, to prevent others from watching it.
Sorry, my English isn't that great. Hope you got the point.
Thx in advance!