Strange things with non-auth roles and role inheritance
Posted: Fri Jun 06, 2003 5:42 pm
Hi,
While testing grsec2 I noticed that special roles without passwords don't seem to work:
role test sN
Testing it as my user, which has role_transitions set to test:
$ /sbin/gradm -n test
Invalid password.
in the logs:
kernel: grsec: special role test failure for (gradm:32242) uid/euid:1000/1000 gid/egid:1000/1000, parent (bash:922) uid/euid:1000/1000 gid/egid:1000/1000
There is of course no password set for 'test'.
Then I tried to use that role as an auth-role by removing the N and setting a password for test before reloading the acl-system, but now the acl-system refuses to reload or work:
# gradm -R
Password:
You are using incompatible versions of gradm and grsecurity.
log:
kernel: grsec: From 192.168.101.52: Failed reload of grsecurity 2.0 for (gradm:10962) uid/euid:0/0 gid/egid:0/0, parent (bash:9160) uid/euid:0/0 gid/egid:0/0
From now on the acl-system is disabled completely and I'm unable to activate it again:
# gradm -E
You are using incompatible versions of gradm and grsecurity.
Please update both versions to the ones available on the website.
# gradm -D
Password:
Your request was ignored, please check the kernel logs for more info.
Invalid password.
logs:
kernel: grsec: From 192.168.101.52: Unable to load grsecurity 2.0 for (gradm:97) uid/euid:0/0 gid/egid:0/0, parent (bash:9160) uid/euid:0/0 gid/egid:0/0 ACL system may already be enabled.
grsec: From 192.168.101.52: ignoring shutdown for disabled acl for (gradm:31505) uid/euid:0/0 gid/egid:0/0, parent (bash:9160) uid/euid:0/0 gid/egid:0/0
After setting the 'test'-role N, one can reactivate it and it works the normal way, except for the ability to use the non-auth-role test, as described above.
The second thing is that a role with G set seems to inherit some things from the default role. I have a role for my user ("fd0") set up, where /tmp is r. When this role is used without G, /tmp really is r, but as soon as I set G, /tmp is rw, according to the default role (I verified that by setting /tmp r in the default role, and it was r when logging in as my user).
AFAIK if a user role exists for a particular user, that role and only that role is applied. Is that right? (I'm a bit confused right now ;)
- Alexander
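The policy layout the post describes, written out as a fragment so the two symptoms can be reproduced. This is an added example for this page, not Alexander's actual policy and not a file shipped with gradm: the admin role, the subject definitions, the object modes and every path except /tmp are assumptions, and only the role names `test` and `fd0` and the flags `sN`, `u` and `G` come from the post.

```text
# /etc/grsec/policy (excerpt; constructed for this page, not the poster's file)

# Admin role: assumed here so that gradm itself can reload/disable the system.
role admin sA
subject / rvka
	/			rwcdmlxi

# Default role, applied to any user/group without a role of its own.
# G: this role may run gradm (needed for gradm -n / gradm -a transitions).
# /tmp is rw here, which is the mode the post reports leaking into fd0.
role default G
subject /
	/			r
	/tmp			rw

# Per-user role for "fd0". /tmp is deliberately r here.
# Drop the G flag to get the "without G" case from the post.
role fd0 uG
role_transitions test
subject /
	/			r
	/tmp			r

# Special role without authentication: s = special, N = no password,
# so it is entered with "gradm -n test" rather than "gradm -a test".
role test sN
subject /
	/			r
	/tmp			rw
```

With the N flag present the role is entered from a shell running as fd0 with `gradm -n test`. To turn it into a password-protected role instead, drop the N, set a password with `gradm -P test`, reload with `gradm -R`, and enter it with `gradm -a test`. Comparing `ls -ld /tmp`-style write tests from the fd0 shell with and without the G flag on `role fd0` reproduces the inheritance observation from the post; whether that behaviour is expected is the question the post leaves open.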