ACL: read perm -> hidden; no perm -> viewable
Posted: Wed Sep 25, 2002 5:42 am
Hi out there,
I'm still a small newbie when it comes to grsecurity, but I'm doing my best to learn.
I just created an ACL for my sshd. /home is a link to /var/home (there are reasons for this), which is mounted rw, / is mounted ro. Inside the ACL I have
"/home "
"/home/lxadmin/.ssh/authorized_keys r"
"/ h"
(I don't yet know if wildcards like "/home/*/.ssh/authorized_keys" are possible/advisable)
When I now try to login, grsec always says, sshd tried to access the hidden(!) file 08:01:246 (=/home). But when I remove the "r" behind the key-file, it claims that sshd tried to access this file for reading (complete file name).
Even when I put
"/home rwx"
"/home/lxadmin/.ssh/authorized_keys rwx"
"/var rwx"
"/var/home rwx"
"/var/home/lxadmin/.ssh/authorized_keys rwx"
"/ h"
into the ACL, it doesn't change anything (still trying the hidden file inode 246=/home). The only possibility to login passwordless I've found so far is changing the "h" of "/" to "r" (setting it to <nothing> didn't work either).
Ahh, what stupid mistake have I made? I'm using 1.9.7 with gradm 1.5.
Thank you,
Marcel
PS: I also sent this message to the mailing list. I'm quite confused about which is the "official" way. Shall I send to the ml or prefer the forum?