Inheritance on subdirs (as subject)
Posted: Mon May 24, 2004 1:31 am
I know the following approach is not the most secure one, but I'm using grsecurity on a system with mostly trusted users who are using the server for (very) mixed development. Therefore my wish is a rather open default, but with the possibility to restrict special services (those that provide external access, such as apache/bind/postfix/mysql, and are therefore considered potentially untrusted) through a more limiting ruleset.
Since grsecurity does not allow an overly open default (/) subject, I am planning to use top-level subdirs to allow as much as possible, without having to specify a rule for each program itself, i.e.:
subject /bin i {
    / rx
    /bin rx
    /sbin rx
    ...
    /home rwxcmdi
    /tmp rwxcmdi
}
In particular, I want to use inheritance (as shown above), because I want the programs to inherit the rights of the calling process. My question now is: if I specify "i" for the subject /bin, is this flag also active for all programs in /bin (unless overridden), such as /bin/ls, ...?
Thanks,
Pkunk