
CAP_* inheritance

Posted: Sat Jan 31, 2004 4:29 pm
by Flatliner
Hello,

I have a hard time finding out why the following is happening.
I have an ACL for vsftpd, but when I remove the "o" subject, it will simply not work. I always get:
use of CAP_SETGID denied for (vsftpd:11282) UID(0) EUID(0), parent (vsftpd:5910) UID(0) EUID(0)
But I already enabled this in my ACL; from my point of view this should do the trick, but for some reason unknown to me it does not. For brevity I stripped my ACL as much as possible, here we go:

/usr/sbin/vsftpd {
/ r
/lib rx
/dev/log rw

/var/log/vsftpd.log rw
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_CHROOT
}

The root ACL is
/ {
/ r
/opt rx
/home rwx
/mnt rw
/dev
/dev/urandom r
/dev/random r
/dev/zero rw
/dev/input rw
/dev/psaux rw
/dev/null rw
/dev/tty? rw
/dev/console rw
/dev/tty rw
/dev/ttyp? rw
/dev/pts rw
/dev/ptmx rw
/dev/dsp rw
/dev/mixer rw
/dev/fd0 r
/dev/cdrom r
/dev/mem h
/dev/kmem h
/dev/port h
/bin rx
/sbin rx
/lib rx
/usr rx
/etc rx
/etc/ssh h
/proc rwx
/proc/kcore h
/proc/sys r
/root r
/tmp rw
/var rwx
/var/tmp rw
/var/log r
/boot h
/etc/grsec h

-CAP_SYS_TTY_CONFIG
-CAP_LINUX_IMMUTABLE
-CAP_NET_RAW
-CAP_MKNOD
-CAP_SYS_ADMIN
-CAP_SYS_RAWIO
-CAP_SYS_MODULE
-CAP_SYS_PTRACE
-CAP_NET_ADMIN
-CAP_NET_BIND_SERVICE
-CAP_SYS_CHROOT
}

Posted: Mon Mar 01, 2004 10:11 am
by tramker
Do you have a rule for /usr or /usr/sbin there? I noticed the same behaviour you describe when I tried something like this:

subject /
           /  r
           /dev/log
           -CAP_RAWIO

subject /usr/sbin
           /dev/log rw

subject /usr/sbin/something
           +CAP_RAWIO

When I remove subject /usr/sbin, it works. Seems like a bug to me.
grsec 2.0 rc5, gradm 2.0 rc5
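The resolution both posts expect (Flatliner's vsftpd ACL losing CAP_SETGID, and tramker's nested /usr/sbin subject swallowing +CAP_RAWIO), modeled as an added Python example that is not gradm's own code. It assumes that capability lines are applied from the root subject "/" down to the longest-prefix subject matching the binary, in file order, with -CAP_ALL clearing the set; the policy text and the capability list are constructed for the model.

```python
"""Minimal model of gradm subject/capability inheritance (assumption:
caps resolve by walking root -> most specific subject, applying each
subject's -CAP_*/+CAP_* lines in order; this is not gradm's code)."""
import re

# Constructed, trimmed policy in gradm syntax; only subject headers and
# capability lines matter here, object lines are ignored by the model.
POLICY = """
subject /
    / r
    -CAP_RAWIO
    -CAP_SYS_CHROOT

subject /usr/sbin
    /dev/log rw

subject /usr/sbin/vsftpd
    -CAP_ALL
    +CAP_SETGID
    +CAP_SETUID
    +CAP_SYS_CHROOT
"""

# Assumed capability universe for the model, not the kernel's full list.
ALL_CAPS = {"CAP_RAWIO", "CAP_SETGID", "CAP_SETUID",
            "CAP_SYS_CHROOT", "CAP_NET_ADMIN"}


def parse_subjects(text):
    """Return {subject_path: [("-"|"+", CAP_NAME), ...]} in file order."""
    subjects, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"subject\s+(\S+)", line)
        if m:
            current = m.group(1)
            subjects.setdefault(current, [])
        elif current and re.match(r"[+-]CAP_\w+$", line):
            subjects[current].append((line[0], line[1:]))
    return subjects


def matching_chain(subjects, path):
    """Subjects that are path prefixes of `path`, root first."""
    def is_prefix(sub):
        return sub == "/" or path == sub or path.startswith(sub.rstrip("/") + "/")
    return sorted((s for s in subjects if is_prefix(s)), key=len)


def effective_caps(subjects, path):
    """Walk root -> most specific subject, applying cap lines in order."""
    caps = set(ALL_CAPS)
    for sub in matching_chain(subjects, path):
        for op, cap in subjects[sub]:
            names = ALL_CAPS if cap == "CAP_ALL" else {cap}
            caps = caps - names if op == "-" else caps | names
    return caps
```

With this model the intermediate /usr/sbin subject, which carries no capability lines, leaves the set untouched, so vsftpd ends up with exactly the three capabilities it re-adds; a tool that instead stops at the first matching subject would drop them, which is the behaviour the thread reports.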

Posted: Wed Mar 03, 2004 5:34 pm
by Flatliner
I have no explicit line for /usr/sbin :(

But I upgraded to 1.9.14 and the latest 2.4.25 patch. I'll try with this again in a quiet minute.

But for me this seems like a bug, too. At least I cannot see an obvious reason for this behaviour.

Posted: Fri Mar 05, 2004 12:02 pm
by spender
For the person using 2.0, try current CVS. I've implemented a new capability inheritance system that should fix that problem.

-Brad