grsecurity forums

[Vincent]

Hello,

Want you to know i'm still a very happy grsec user! But I ran into a new problem.

We now have an EMC nas storage solution for storing user homedirs and files. The EMC has an function to make snapshots of the filesystem at certain times. We want users to have access to this snapshots through our grsec enabled shellserver. The users homedirs are located at /home/users/username and the snapshots at /home/users/.ckpt/timestamp/username. Because of the strict policy I have to explicitly grant read rights to a snapshot dir in my policy. And there is were thing go wrong.

When I have a policy like this

Code: Select all

/home/users/username rwxcdl
/home/users/.ckpt/timestamp/username rx

I get the following error

Code: Select all

Duplicate object found for "/home/users/.ckpt/2008_06_08_03.00.03_CEST/username" in role username.nl, subject /, on line 5 of /etc/grsec/policy.d/global_users.
"/home/users/.ckpt/2008_06_08_03.00.03_CEST/username" references the same object as the following object(s):
/home/users/username (due to symlinking/hardlinking)
specified on an earlier line.The RBAC system will not load until this error is fixed.

It seems to gradm that the snapshot and the actual homedir are the same objects. This i sort of true (because it is a snapshot) but they aren't in any way linked to eachother. At this moment there isn't a way for me to grant users read access to there snapshots.

Is this caused by the way gradm checks objects? Do you know about an possible solution?

Thanks in advance.

[spender]

I don't have any knowledge of the system you're using, so if you can provide some information for me I'll be able to fix the problem for you.

Can you do the following:
stat /home/users/.ckpt/2008_06_08_03.00.03_CEST/username
stat /home/users/username

Thanks,
-Brad

[Vincent]

Thanks for the fast reply.

We are using a EMC NS20 storage solution:
http://www.emc.com/products/detail/hard ... a-ns20.htm

There is more information about snapshots from EMC (and NetApp) here:
http://oraclestorageguy.typepad.com/ora ... kup-1.html

The output from the commands:

Code: Select all

root@ssh1 ~ # stat /home/users/byte0ftp
  File: `/home/users/byte0ftp'
  Size: 2048         Blocks: 16         IO Block: 32768  directory
Device: 12h/18d   Inode: 401553      Links: 18
Access: (0710/drwx--x---)  Uid: ( 1001/ byte.nl)   Gid: (   33/www-data)
Access: 2008-05-27 16:10:06.000000000 +0200
Modify: 2008-06-12 12:44:24.000553000 +0200
Change: 2008-06-12 12:44:24.000553000 +0200
root@ssh1 ~ # stat /home/users/.ckpt/2008_06_26_03.00.02_CEST/byte0ftp
  File: `/home/users/.ckpt/2008_06_26_03.00.02_CEST/byte0ftp'
  Size: 2048         Blocks: 16         IO Block: 32768  directory
Device: 12h/18d   Inode: 588410921105  Links: 18
Access: (0710/drwx--x---)  Uid: ( 1001/ byte.nl)   Gid: (   33/www-data)
Access: 2008-05-27 16:10:06.000000000 +0200
Modify: 2008-06-12 12:44:24.000553000 +0200
Change: 2008-06-12 12:44:24.000553000 +0200


[spender]

Appears to be an issue with 64-bit inodes:
588410921105 = 0x8900062091
401553 = 0x62091

they're appearing equal due to truncation by the library function used to obtain the inode numbers. The RBAC system doesn't yet support 64-bit inodes, but I can add support if you'd be willing to test.

-Brad

[Vincent]

Offcourse I am more than willing to test.

Because this is a live machine i'd rather not test on this one. But I will install grsec to a spare machine to test.

Thanks for the support!

[Vincent]

I've installed a spare machine to test grsecurity.
Please let me know when I can help you with testing!

[Vincent]

Has there been some progress with this issue?
It's been a while now and my grsec server is some kind of a timebomb at the moment, without this issue fixed.

Thnx.