grsecurity forums

[cookiemonster]

I've been trying to gobble all php applications within a directory as a subject and I'm not getting through. Just to make sure, is possible to do something like this :

Code: Select all

subject /var/www/*/*.php {
    / h
    -CAP_ALL
}


Cookiemonster

[spender]

Globbed subjects are not currently supported. If it's possible, try reorganizing your directory structure so the php scripts can have a directory-based policy on them, or create a more general directory-based subject for the php scripts, and specific subjects for other executables in the same directory that you wish to have a different policy on.

-Brad

[cookiemonster]

Brad,

Ouch! I have around 146 websites and more coming...lol. It will be tough to manage. Is it possible to implement PAM in reverse ? Can a user be assigned a password-less role directly/automatically through PAM or any other methode without prior using gradm?

I know we can create passwordless roles and inherit them through "gradm", I can do this with php scripts through a cgi-wrapper but I lose alot of performance that way, is there any other way I can do this ?

Thanks in advance,

BTW, I LOVE GRSECURITY !!!!!!!

CookieMonster

[spender]

A comment/question not exactly related to your recent post:
These scripts you've mentioned, are they being executed directly? That is, they're not executed by using <interpreter> <script> or loaded using some webserver module, but directly as <script> with the #!<interpreter> contents in the file.
The reason I ask is that unless they're being executed directly, any attempts to create policies on them will be meaningless, and need to be done on the interpreter/webserver instead.

-Brad