grsecurity forums


https://forums.grsecurity.net./

common ACLs in a multi user environment

https://forums.grsecurity.net./viewtopic.php?f=3&t=1762

Page 1 of 1

common ACLs in a multi user environment

PostPosted: Thu Jun 21, 2007 10:56 am
by giver
Hi folks,

I'd like to setup ACLs without the need to modify these rules every time a new user is created. I'm running Debain etch on a 2.6.21 kernel, together with Confixx, Postfix and Courier POP/IMAP. All mail users share a common group named "poponly". I have created the following ACL:

Code: Select all
role poponly g
subject / oO {
user_transition_allow root
group_transition_allow poponly mail

        /                               h
        /etc                            r
        /etc/grsec                      h
        /etc/ssh                        h
        /etc/shadow                     h
        /etc/shadow-                    h
        /etc/gshadow                    h
        /etc/gshadow-                   h
        /etc/ppp/chap-secrets           h
        /etc/ppp/pap-secrets            h
        /etc/samba/smbpasswd            h
        /proc                           h
        /proc/sys/kernel/ngroups_max    r
        /usr                            h
        /usr/bin/imapd                  x
        /usr/bin/procmail               x
        /usr/bin/spamc                  x
        /usr/lib                        rx
        /var                            h
        /var/log
        /var/log/procmail.log           a
        /var/mail                       rwcdl
        /var/run
        /dev
        /dev/null                       a
        /dev/grsec                      h
        /dev/mem                        h
        /dev/kmem                       h
        /dev/port                       h
        /dev/log                        h
        /lib                            rx
        /tmp                            rw
        -CAP_ALL
        +CAP_SETGID
        +CAP_SETUID
        bind 0.0.0.0/32:0 stream tcp
        connect 127.0.0.1/32:111 stream dgram tcp udp
        connect 127.0.0.1/32:869 stream dgram tcp udp
        connect 127.0.0.1/32:783 stream dgram tcp udp
        connect 127.0.0.1/32:512 stream dgram tcp udp
}


If one using the rule above, grsec throws this error message:

Code: Select all
(poponly:G:/) change to uid 1150 denied for /usr/bin/imapd[imapd:32683] uid/euid:1150/1150 gid/egid:502/502, parent /usr/sbin/couriertcpd[couriertcpd:3051] uid/euid:0/0 gid/egid:0/0


uid 1150 is the user web1p1, a mail user. Originally grsec learning mode adds a role transition for user web1p1 to this role, but I need a common set of rules for all mail users without the need to add and reload grsec every time a new user was created. Can this be done using domains instead of roles or something? I hope someone can guide me through this roadblock. Any hint would be highly appreciated.

kind regards
giver

PostPosted: Sun Jun 24, 2007 9:06 pm
by spender
Remove the user/group transition rules, which would have been done automatically by the learning system with additional learning.

-Brad

PostPosted: Mon Jun 25, 2007 7:52 am
by giver
Hi Brad,

Oh okay, it wasn't clear to me what this transitions do, while it is allready descriped in the default policy file shipped with gradm, now I understood, thank you. I just started full learning again, trying to conditioning grsec in more detail.

Regards
giver
All times are UTC - 5 hours [ DST ]
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/