grsecurity forums


https://forums.grsecurity.net./

grsecure2 acl and system acl

https://forums.grsecurity.net./viewtopic.php?f=3&t=946

Page 1 of 1

grsecure2 acl and system acl

PostPosted: Thu Sep 30, 2004 8:46 am
by Terra
sorry for stupid question, but grsecure object modes override system (ext2) modes or not? I want allow to one process read some directories, but can't modify ext2 permissions for these directories.

PostPosted: Thu Sep 30, 2004 11:43 am
by Terra
ok, how i understand grsecurity can deny access which allowed by file mode, but can't allow access denied by file mode. Yes?
.
Nice solution for me - use extended attributes patch. But i can't merge this patch with grsecurity patch for 2.4 kernel and no new grsecurity patch for 2.6 kernel (i can't use 2.6.7 because there serious acapi bugs)
May be someone merge this patches for 2.4?

PostPosted: Sat Oct 02, 2004 3:15 pm
by torne
If you want only one process to be able to access a directory, block access to it from your default ACL then override it just for that process. You don't need EA.

PostPosted: Mon Oct 04, 2004 9:49 am
by Terra
I use grsecurity as second protection system, not main. If grsecurity fail to start or was disabled due some service - users mast not get access to closed directory. System acl must deny this. If i deny access vie default rbac acl, system acl must allow this access (for one process, which alloed in rbac also). It's no god.

PostPosted: Mon Oct 04, 2004 10:43 am
by torne
Then don't use it like that. If it fails to start, abort booting the machine, and don't allow it to be disabled.

PostPosted: Mon Oct 04, 2004 10:51 am
by Terra
it's remote server =) if i abort to boot, i must go to another office for make fixes. Server can't stay offline much time. May be, I try to use this solution until grsecurity for 2.6.8 kernel...

PostPosted: Mon Oct 04, 2004 12:02 pm
by torne
If grsec won't start you have major problems anyway, remote or not. There's not a lot of point in having a security system if you let the machine start without it..

PostPosted: Tue Oct 05, 2004 2:55 am
by Terra
simply mistake in start-up files, and grsec fail to start and users take dangerous permissions... it's not good.
grsec rbac, imho, needs for additional securing, in first hand, for prevention some attacks for get root if some bugs will be found, but not fixed on system.
usage grsec for users-access managment without system acl more dangerous because grsec rbac not start with kernel

PostPosted: Wed Oct 06, 2004 4:49 am
by Terra
and... sorry
if i deny access for all users and allow only one process, how user can get access to own directory? Write "u" subject for each user with allow acces to home directory and deny to others? IMHO, it's too overhead for fhree-four hundred users.
All times are UTC - 5 hours [ DST ]
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/