
ACL for creating only?

Posted: Thu Mar 01, 2007 2:40 pm
by salam
Hello,

Is it possible to set up a rule in an ACL (for example, for an FTP server) to allow this subject only to upload files, and not to modify them after the upload is finished (or aborted, it does not matter)?
I've tried to add only the "rc" flags to the object, but ended up with a "write permission denied" message. Adding the "w" flag will allow overwriting the file (though not deleting it, but size 0 is worthless), so it is not good for this.

there are 2 types of writes

Posted: Sat Mar 03, 2007 11:09 am
by hmhansolo
Well.. there are two types of writes.. there is a write "w".. and there is an append write "a".. you can try this, but I don't think it will work..

this check is done when the file is opened, and I am pretty sure the ftp server will open the file in write mode, instead of write append mode, even though it is only appending data to the file..

otherwise, to my knowledge, there is no other way that grsec can do that acl.. it cannot check for every write if it is appending or editing... too much of a major perf hit.. so it can only check on the file open mode...

--hmhansolo

Posted: Mon Mar 05, 2007 12:09 pm
by salam
The question is then, what is the 'a' flag for? I've never seen a practical use for it. Any application that requested file write access for appending only (I've also tried "cat >>") ended with access denied and requested full write. Or am I using too old a version of grsec?
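
Added example, not part of any post in this thread: the replies above turn on the mode a file is opened in, so this C program shows the two modes side by side on a POSIX system. A descriptor opened with plain `O_WRONLY` can rewind and overwrite existing bytes, while one opened with `O_WRONLY | O_APPEND` has every write placed at end of file by the kernel, even after an `lseek` to offset 0. The function name `write_after_rewind` and the `/tmp` paths are made up for the illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Create a file holding "upload" (constructed sample data), reopen it with
 * O_WRONLY | extra_flags, rewind, write "XX", and copy the result into out.
 * Returns 1 if the descriptor carries O_APPEND, 0 if not, -1 on error. */
static int write_after_rewind(const char *path, int extra_flags,
                              char *out, size_t outlen)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, "upload", 6);
    close(fd);
    if (n != 6)
        return -1;

    fd = open(path, O_WRONLY | extra_flags);
    if (fd < 0)
        return -1;
    int fl = fcntl(fd, F_GETFL);          /* the mode fixed at open() time */
    /* Attempt to overwrite the start of the existing data. */
    int ok = fl >= 0 && lseek(fd, 0, SEEK_SET) == 0 && write(fd, "XX", 2) == 2;
    close(fd);
    if (!ok)
        return -1;

    if ((fd = open(path, O_RDONLY)) < 0)
        return -1;
    n = read(fd, out, outlen - 1);
    close(fd);
    unlink(path);
    if (n < 0)
        return -1;
    out[n] = '\0';
    return (fl & O_APPEND) != 0;
}

int main(void)
{
    char buf[32];
    int a = write_after_rewind("/tmp/acl_demo_w.tmp", 0, buf, sizeof buf);
    printf("O_WRONLY           append=%d content=%s\n", a, buf);
    a = write_after_rewind("/tmp/acl_demo_a.tmp", O_APPEND, buf, sizeof buf);
    printf("O_WRONLY|O_APPEND  append=%d content=%s\n", a, buf);
    return 0;
}
```

Running an FTP server or other uploader under `strace -e trace=open,openat` shows which of these two flag sets it actually passes when it creates the file.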