Inheritance problem (grsec-1.9.7d & gradm-1.5a)
Posted: Tue Nov 26, 2002 3:07 pm
Hello,
maybe I am misunderstanding the documentation, but I have a problem with a very simple inheritance setup. My /var/log is append only by default. However, /usr/sbin/logrotate is allowed to rw it. I also want logrotate to be able to compress the rotated logs with gzip, but I only want to give elevated permissions to gzip when it is run by logrotate. As far as I understand, this should be doable even with the current ACL system with the following code:
/usr/sbin/logrotate {
/var/log rwo
/bin/gzip xi
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_CHOWN
}
The rotation (and chown, etc.) works, but when logrotate execs gzip, it cannot even read from /var/log. The corresponding log:
grsec: attempt to open /var/log/warn-20021126 for reading by (gzip:23913) UID(0) EUID(0), parent (logrotate:6399) UID(0) EUID(0)
I have spent a few hours trying to hunt this down. Am I missing something?
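When debugging a policy like the one above, the first thing to establish from the kernel log is which parent/child chain is actually being denied and on which paths. The following is an added example, not code from the original post or from the grsecurity project: a small parser for "grsec: attempt to open ..." lines in the format quoted above. The syslog prefix, the second denial line and the unrelated kernel message are constructed here for illustration; only "reading" is attested as an access mode on this page, so the mode group is kept generic.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log: the first line reproduces the denial quoted in the
# post (a syslog prefix is assumed), the other lines are made up here to show
# a second denial and an unrelated kernel message that must be ignored.
SAMPLE_LOG = """\
Nov 26 14:55:01 host kernel: grsec: attempt to open /var/log/warn-20021126 for reading by (gzip:23913) UID(0) EUID(0), parent (logrotate:6399) UID(0) EUID(0)
Nov 26 14:55:02 host kernel: grsec: attempt to open /var/log/messages for reading by (gzip:23914) UID(0) EUID(0), parent (logrotate:6399) UID(0) EUID(0)
Nov 26 14:55:03 host kernel: usb 1-1: new device found
"""

# Pattern for the "attempt to open" denial format shown in the post. The
# "for <mode> by" group is deliberately generic: only "reading" is attested.
DENIAL_RE = re.compile(
    r"grsec: attempt to open (?P<path>\S+) for (?P<mode>\S+) by "
    r"\((?P<comm>[^:()]+):(?P<pid>\d+)\) UID\((?P<uid>\d+)\) EUID\((?P<euid>\d+)\), "
    r"parent \((?P<pcomm>[^:()]+):(?P<ppid>\d+)\) UID\((?P<puid>\d+)\) EUID\((?P<peuid>\d+)\)"
)


@dataclass(frozen=True)
class Denial:
    path: str
    mode: str
    comm: str
    pid: int
    uid: int
    euid: int
    parent_comm: str
    parent_pid: int
    parent_uid: int
    parent_euid: int


def parse_line(line: str) -> Optional[Denial]:
    """Return a Denial for a grsec open-denial line, or None for anything else."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return Denial(
        path=g["path"], mode=g["mode"],
        comm=g["comm"], pid=int(g["pid"]), uid=int(g["uid"]), euid=int(g["euid"]),
        parent_comm=g["pcomm"], parent_pid=int(g["ppid"]),
        parent_uid=int(g["puid"]), parent_euid=int(g["peuid"]),
    )


def parse_log(text: str) -> List[Denial]:
    """Parse every line of a log dump, dropping lines that are not denials."""
    return [d for d in (parse_line(ln) for ln in text.splitlines()) if d is not None]


def denials_by_chain(denials: List[Denial]) -> Dict[Tuple[str, str], int]:
    """Count denials per (parent, child) process-name pair.

    A pair such as ("logrotate", "gzip") accumulating hits while the parent
    itself is never denied is the hint that the child is being evaluated
    under a more restrictive subject than its parent, which is exactly the
    inheritance question the post raises.
    """
    return dict(Counter((d.parent_comm, d.comm) for d in denials))


def denied_paths_under(denials: List[Denial], prefix: str) -> List[str]:
    """Distinct denied paths below `prefix`, sorted, for building the object list."""
    return sorted({d.path for d in denials if d.path.startswith(prefix)})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for (parent, child), n in denials_by_chain(events).items():
        print(f"{parent} -> {child}: {n} denial(s)")
    print(denied_paths_under(events, "/var/log"))
```

Running it over a real `dmesg` or syslog extract instead of `SAMPLE_LOG` gives a per-chain count and the list of paths to inspect, so a policy change can be checked against the exact objects that were refused rather than by re-running the job and reading the log by hand.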