Problem

Submit your RBAC policies or suggest policy improvements

Problem

Postby superbock » Sun May 11, 2003 5:08 pm

Hi!

Scenario:

let's say httpd launches a process called /xpto/bin/usermng, which is a symlink to /xpto/sbin/wrapper. wrapper is a suid program, that then calls the real /xpto/sbin/usermng. usermng needs to write in /etc (for shadow/passwd and temp files).

I have these two entries in my default acl:

subject /xpto/sbin/* {
/etc rw
}

subject /xpto/bin/* {
/etc rw
}

I use the wildcard because some other programs need that access too.

Yet, i get this on the logs:

denied open of /etc/shadow.xpto_lock for reading writing by (usermng:17467) uid/euid:0/0 gid/egid:0/0, parent (httpd:6677)

What can i be missing? Btw, wouldn't be a good idea that the process shows up on the logs with it's full path?

I'm using 2.0pre4

Thanks in advance
superbock
 
Posts: 37
Joined: Sun Mar 31, 2002 6:34 pm

Postby spender » Wed May 14, 2003 8:09 am

globbing isn't supported by subjects. What you really wanted was:

subject /xpto/bin {
/etc rw
}

subject /xpto/sbin {
/etc rx
}

Be careful with your use of globbing. It adds an ACL for each file that matches. If you mean every file in a directory, it is better to use the directory name for the ACL.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby superbock » Wed May 14, 2003 11:12 am

Tks, it's working now
superbock
 
Posts: 37
Joined: Sun Mar 31, 2002 6:34 pm


Return to RBAC policy development

cron