Confused about the Trusted Path Execution (TPE) options


Post by fmarier » Fri Nov 14, 2008 8:29 pm

Hi,

I currently have the following options set:

CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
# CONFIG_GRKERNSEC_TPE_INVERT is not set
CONFIG_GRKERNSEC_TPE_GID=1005

Which works fine for me, except in one case where I need my Apache process to use a CGI in a directory owned by another non-root user (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505646).

So what I thought of doing to temporarily work around this was to create a "tpeexempt" group (1001) and put Apache in it. So I changed my kernel options to:

CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_TPE_GID=1001

However, I don't think that I understood how the TPE_ALL and TPE_INVERT options interact with each other. Now, my normal user account can no longer run scripts in its home directory.

Is there a combination of options which allows me to do both of these?

1- partially restrict all non-root users (so that they can run their own scripts)
2- specify a group of trusted users who will be allowed to run any scripts at all

Cheers,
Francois
fmarier
 

Re: Confused about the Trusted Path Execution (TPE) options

Post by specs » Sat Nov 29, 2008 5:21 am

I currently have the following options set:
..
CONFIG_GRKERNSEC_TPE_GID=1005
..
So what I thought of doing to temporarily work around this was to create a "tpeexempt" group (1001) and put Apache in it. So I changed my kernel options to:
..
CONFIG_GRKERNSEC_TPE_GID=1001


Why do you change the group in the kernel configuration?

Since you use Debian, user IDs probably start with 1001.
Make some new group IDs which don't exist already:
grsec_tpe:x:2005:<user>
(usually I add 1000 to the group IDs provided in the default grsec configuration)

Configure the kernel using those group IDs:
CONFIG_GRKERNSEC_TPE_GID=2005

Now add the users you trust to the group. If there is a user which is used by the webserver, try to chown the scripts to root in a root-writable directory. Then without giving a user extra rights he should be able to execute the scripts.

If he needs to change those scripts you should decide if you trust him to be in the grsec_tpe group. Your normal user should be in the grsec_tpe group anyway if you want to use your own scripts. But strictly you should decide if you want to be able to run scripts not owned by root.
specs
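
A simplified model of how the three options in this thread combine, added here as an example and not taken from either post or from grsecurity's source. It assumes the behaviour described in the options' Kconfig help (TPE_GID names the untrusted group, or the trusted group when TPE_INVERT is set; TPE_ALL adds a weaker rule for every non-root user), ignores RBAC roles and sysctl toggles, and uses constructed uids, gids and directory modes.

```python
import stat
from dataclasses import dataclass

@dataclass
class TpeConfig:            # CONFIG_GRKERNSEC_TPE=y is assumed throughout
    tpe_all: bool           # CONFIG_GRKERNSEC_TPE_ALL
    invert: bool            # CONFIG_GRKERNSEC_TPE_INVERT
    gid: int                # CONFIG_GRKERNSEC_TPE_GID

def tpe_allows(cfg, uid, gids, dir_uid, dir_mode):
    """Return (allowed, reason) for executing a file in a directory.

    Model only (an assumption, not kernel code): the decision depends on
    the owner and mode of the directory that contains the file.
    """
    if uid == 0:
        return True, "root is never restricted"
    in_group = cfg.gid in gids
    # Without INVERT the GID marks untrusted users; with INVERT it marks
    # trusted users and everyone outside the group is untrusted.
    untrusted = (not in_group) if cfg.invert else in_group
    writable = bool(dir_mode & (stat.S_IWGRP | stat.S_IWOTH))
    if untrusted and (dir_uid != 0 or writable):
        return False, "full TPE: directory must be root-owned, root-writable only"
    # TPE_ALL applies in addition, to every remaining non-root user.
    if cfg.tpe_all and (dir_uid not in (0, uid) or writable):
        return False, "TPE_ALL: directory must be owned by root or the user"
    return True, "allowed"

# The two configurations from the first post.
ORIGINAL = TpeConfig(tpe_all=True, invert=False, gid=1005)
INVERTED = TpeConfig(tpe_all=True, invert=True, gid=1001)
# Constructed sample accounts: a normal user, Apache, another non-root user.
USER, APACHE, OTHER = 1000, 33, 1002

def scenarios():
    home = (USER, 0o755)    # the user's own home directory
    cgi = (OTHER, 0o755)    # CGI directory owned by another non-root user
    return {
        "original/user/home": tpe_allows(ORIGINAL, USER, {1000}, *home)[0],
        "original/apache/cgi": tpe_allows(ORIGINAL, APACHE, {33}, *cgi)[0],
        "inverted/user/home": tpe_allows(INVERTED, USER, {1000}, *home)[0],
        "inverted/apache/cgi": tpe_allows(INVERTED, APACHE, {33, 1001}, *cgi)[0],
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

Under this model the inverted configuration denies the normal user in their own home directory, as reported in the first post, while a CGI directory that is root-owned and writable only by root passes for every account.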
 

