
root and user_transition_deny

Posted: Mon Apr 21, 2008 10:45 am
by windo
kernel 2.6.23-16+grsec

I tried to restrict root from using "su" to become any user, but was unable to do so. The following piece of policy does not allow root to use su at all:

subject /bin/su dp
user_transition_deny nobody
/dev/log rw


It complains of missing CAP_SETUID, CAP_SETGID; however, this allows root to su to anybody (including nobody):

subject /bin/su dp
user_transition_deny nobody
/dev/log rw
+CAP_SETUID
+CAP_SETGID


Missing feature, bug, or misconfiguration?
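A policy-lint check in the spirit of the regression tests mentioned later in this thread; this is an added example, not code from the original post or from grsecurity. It parses only the directives shown above (subject, +CAP_*, user_transition_allow/deny) from a constructed sample policy and flags subjects that receive CAP_SETUID with no user_transition_* line at all, which is the shape a reviewer would want to catch in policy; it cannot detect a kernel-side regression like the one reported here.

```python
# Constructed sample policy, modelled on the snippets in the post above.
# /usr/bin/passwd is deliberately given CAP_SETUID without any transition rule.
SAMPLE_POLICY = """\
subject /bin/su dp
user_transition_deny nobody
/dev/log rw
+CAP_SETUID
+CAP_SETGID

subject /usr/bin/passwd dp
/etc/shadow rw
+CAP_SETUID

subject /bin/login dp
user_transition_allow root
+CAP_SETUID
+CAP_SETGID
"""


def parse_subjects(policy_text):
    """Split an RBAC policy into subject blocks.

    Returns {subject_path: {"caps": set(), "transitions": [(directive, users)]}}.
    Object lines (e.g. "/dev/log rw") are ignored; only the directives this
    check needs are recorded."""
    subjects = {}
    current = None
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines end a block, but the next "subject" re-keys anyway
        parts = line.split()
        if parts[0] == "subject":
            current = {"caps": set(), "transitions": []}
            subjects[parts[1]] = current
        elif current is None:
            continue
        elif parts[0].startswith("+CAP_"):
            current["caps"].add(parts[0][1:])  # "+CAP_SETUID" -> "CAP_SETUID"
        elif parts[0] in ("user_transition_allow", "user_transition_deny"):
            current["transitions"].append((parts[0], parts[1:]))
    return subjects


def unrestricted_setuid_subjects(policy_text):
    """Subjects granted CAP_SETUID but carrying no user_transition_* rule,
    i.e. able (when the feature works) to switch to any user."""
    subs = parse_subjects(policy_text)
    return sorted(path for path, s in subs.items()
                  if "CAP_SETUID" in s["caps"] and not s["transitions"])
```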

Re: root and user_transition_deny

Posted: Mon Apr 21, 2008 7:04 pm
by spender
This feature appears to have gone missing during the port to the 2.6.23 kernel. I've uploaded new patches to the website that restore the functionality. Cormander (a poster here on the forums) is working on RBAC regression tests that will ensure this kind of thing doesn't happen again. Thanks for reporting this issue!

-Brad