acl problem (shell scripts, grsec 1.9.7d)
Posted: Sun Oct 27, 2002 8:19 pmHi,
I've a little (or quite a big actually) problem with ACLs and shell scripts..
I'm not able to give them proper privileges so that they would work..
For example half of the scripts run by cron every night fail.
Let's take /etc/init.d/rmnologin, which is a simple script usually ran when system
boots up.. (After ACL has been enabled in this case)
what rmnologin does:
#!/bin/sh
rm -f /etc/nologin
Now, what kind of acl rules should i give to actually let that program remove
/etc/nologin?
I've tried a lot of things and also encountered some wierd behaviour..
Here's one of the acl rules, which i've tried
/etc/init.d/rmnologin {
/etc rwxo
}
Ok, this doesn't work because it's rm which actually tries to remove the file..
And so i get an error message from grsec.
now here's an other one:
/etc/init.d/rmnologin {
/etc rwxo
/bin/rm rxi
}
With this rule, for some reason, I get no error messages at all..
Nothing is reported by grsec and not even the shell script give
permission denied or anything.. yet when i look at /etc nologin
is still there and didn't get deleted.
So any ideas?
I really would like to get my shell scripts to work..
Biggest problem is cron which run many scripts every night and
most of them fail..
I guess i'm just doing something wrong because I haven't seen other
people reporting these problems.. Almost every system has those
cron and boot scripts anyways..
So is there a way to let acls inheritate deeper than just one level?
Or some other way make things work again?
Thanks
--
Tuomas Silen
tuomas@silen.eu.org
I've a little (or quite a big actually) problem with ACLs and shell scripts..
I'm not able to give them proper privileges so that they would work..
For example half of the scripts run by cron every night fail.
Let's take /etc/init.d/rmnologin, which is a simple script usually ran when system
boots up.. (After ACL has been enabled in this case)
what rmnologin does:
#!/bin/sh
rm -f /etc/nologin
Now, what kind of acl rules should i give to actually let that program remove
/etc/nologin?
I've tried a lot of things and also encountered some wierd behaviour..
Here's one of the acl rules, which i've tried
/etc/init.d/rmnologin {
/etc rwxo
}
Ok, this doesn't work because it's rm which actually tries to remove the file..
And so i get an error message from grsec.
now here's an other one:
/etc/init.d/rmnologin {
/etc rwxo
/bin/rm rxi
}
With this rule, for some reason, I get no error messages at all..
Nothing is reported by grsec and not even the shell script give
permission denied or anything.. yet when i look at /etc nologin
is still there and didn't get deleted.
So any ideas?
I really would like to get my shell scripts to work..
Biggest problem is cron which run many scripts every night and
most of them fail..
I guess i'm just doing something wrong because I haven't seen other
people reporting these problems.. Almost every system has those
cron and boot scripts anyways..
So is there a way to let acls inheritate deeper than just one level?
Or some other way make things work again?
Thanks
--
Tuomas Silen
tuomas@silen.eu.org
