sharing a subject between roles

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby pwadas » Mon Sep 10, 2007 3:46 pm

Hello,

Can I share a subject between roles? Probably not.
I have hundreds or thousands of users who should actually have the same policy for every subject, except, for example, their home dir (actually, except for a set of directories which will contain e.g.
/home/%USERNAME%,
/other/%USERNAME%,
/else/%USERNAME%
but forget that for the sake of simplicity).

So John and Mary should have exactly the same permissions in the system, except that john should have relaxed rights for /home/john, and mary respectively for hers; that is the only difference I want between their roles.

I could define a group for them, just to assign the privileges to both of them, but if automatic role search goes from user->group->default, this will probably mean that if I want such a group role to be effective, I'll have to ensure that there's no role for "john" or "mary", because in such a situation a group role would never "match".

So that's the question: how to implement such a policy in some wise way? Maybe the most reasonable would be using "include" and keeping subjects in separate files simply included in many roles?

BTW, what about a user belonging to two or more groups, while the roles of these groups have coincidental policies? Does it mean "group" means the user's primary group only? Or are group roles' policies inherited in some order?

Another solution to define a "shared" subject could be some usage of a special token like a literal %USERNAME%, %UID%, etc., while the subject should belong to a special non-user-group role, which should be inherited inclusively (with highest priority) into other roles.

Have you ever considered a "role server" for sharing roles between servers? Actually, a policy is read just once, when enabling (reloading) RBAC, isn't it?

Regards,
Piotr

Postby spender » Thu Sep 20, 2007 6:24 pm

As long as you keep proper DAC permissions on each user's home directory, it's sufficient to give each user a subject which grants access to /home.

I can't think of any good way off the top of my head to unify these subjects if you want to allow reading of other users' home directories, but only writing to your own home directory.

-Brad

Postby pwadas » Fri Sep 21, 2007 12:02 am

Hello,
I want to give each user full rights to his home directory, but avoid them even seeing other users' homes.

Postby yoB » Tue Dec 18, 2007 8:05 pm

There is one way to share a subject between users, but it is limited to the home directory. There is also an option to hide all other dirs in the home path. You can use the special variable $HOME and include.
Example:
The home directory of user yob is /home/shells/yob.

in /etc/grsec/policy
Code:
role yob u
        include </etc/grsec/rules/shell_account>


in /etc/grsec/rules/shell_account
Code:
subject /
        ...
        # /home and /home/shells are listed so the path to the user's own directory is reachable
        /home
        /home/shells
        # every other entry under /home and /home/shells is hidden from this user
        /home/*         h
        /home/shells/*  h
        # $HOME is expanded per user role, so this one line serves every user who includes the file
        $HOME/          rwcdax
        ...
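The pattern yoB describes (one shared rules file with a `$HOME` object, and a per-user `role <name> u` stanza that includes it) still leaves the original poster with hundreds of role stanzas to write by hand. The script below is an added example, not code from this thread or from grsecurity's gradm: it prints the shared subject and generates the role stanzas from passwd(5)-format input. The rules path /etc/grsec/rules/shell_account, the "uid >= 1000 and not a nologin/false shell" filter, the baseline object list, and the sample passwd lines are all assumptions of the example, not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from grsecurity/gradm.
# Generates the two policy pieces for many shell accounts that share one
# subject: the shared rules file and one "role <user> u" stanza per user.
# Assumptions (hypothetical): the shared rules path below, uid >= 1000 for
# login users, nologin/false shells excluded, and the constructed passwd
# sample; the baseline objects are an assumed minimal set.

SHARED_RULES=/etc/grsec/rules/shell_account

# Contents of the shared rules file. The heredoc is quoted so that $HOME
# reaches gradm literally; the RBAC system expands it per user role, which
# is what makes one subject serve every user.
shared_subject() {
    cat <<'EOF'
subject / o
    /               r
    /home           r
    /home/*         h
    $HOME           rwcdax
    /tmp            rwcd
EOF
}

# Emit "role <user> u" plus an include of the shared file for each login
# account in passwd(5)-format input read from stdin.
gen_roles() {
    awk -F: -v inc="$SHARED_RULES" '
        $3 >= 1000 && $7 !~ /(nologin|false)$/ {
            printf "role %s u\n    include <%s>\n\n", $1, inc
        }'
}

# Constructed sample input; in practice feed /etc/passwd instead.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
john:x:1000:1000:John:/home/john:/bin/bash
mary:x:1001:1001:Mary:/home/mary:/bin/bash
backup:x:1002:1002::/var/backups:/usr/sbin/nologin'

# Number of role stanzas produced for a passwd text (used for checking).
count_roles() {
    printf '%s\n' "$1" | gen_roles | grep -c '^role '
}

# Print the shared rules file, then the stanzas to append to the policy.
printf '# %s\n' "$SHARED_RULES"
shared_subject
printf '\n# append to /etc/grsec/policy\n'
printf '%s\n' "$SAMPLE_PASSWD" | gen_roles
```

Save the first block of output as the shared rules file and append the stanzas to /etc/grsec/policy, then run `gradm -C` to check the policy for errors before enabling it with `gradm -E` (or reloading with `gradm -R`). As spender notes above, the hidden objects only complement DAC: each home directory still needs sane DAC modes, since the RBAC policy is not in effect while the system is disabled.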
