globbling *.php *.pl etc..

Posted: Wed Jun 25, 2008 5:54 pm
by cookiemonster
I've been trying to glob all php applications within a directory as a subject and I'm not getting through. Just to make sure, is it possible to do something like this:

Code:
subject /var/www/*/*.php {
    / h
    -CAP_ALL
}


Cookiemonster

Re: globbling *.php *.pl etc..

Posted: Thu Jun 26, 2008 12:43 pm
by spender
Globbed subjects are not currently supported. If it's possible, try reorganizing your directory structure so the php scripts can have a directory-based policy on them, or create a more general directory-based subject for the php scripts, and specific subjects for other executables in the same directory that you wish to have a different policy on.

-Brad

Re: globbling *.php *.pl etc..

Posted: Fri Jun 27, 2008 9:51 am
by cookiemonster
Brad,

Ouch! I have around 146 websites and more coming...lol. It will be tough to manage. Is it possible to implement PAM in reverse? Can a user be assigned a password-less role directly/automatically through PAM or any other method without first using gradm?

I know we can create passwordless roles and inherit them through "gradm", I can do this with php scripts through a cgi-wrapper but I lose a lot of performance that way, is there any other way I can do this?

Thanks in advance,

BTW, I LOVE GRSECURITY !!!!!!!

CookieMonster

Re: globbling *.php *.pl etc..

Posted: Fri Jun 27, 2008 10:10 am
by spender
A comment/question not exactly related to your recent post:
These scripts you've mentioned, are they being executed directly? That is, they're not executed by using <interpreter> <script> or loaded using some webserver module, but directly as <script> with the #!<interpreter> contents in the file.
The reason I ask is that unless they're being executed directly, any attempts to create policies on them will be meaningless, and need to be done on the interpreter/webserver instead.

-Brad
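
An added example for the direct-execution question in the post above (not code from the thread or from grsecurity): this shell script reports which *.php / *.pl files under a tree have an execute bit and a #! line, the precondition for being executed directly rather than through an interpreter or webserver module. The function names and the sample tree are constructed for the example.

```shell
#!/bin/sh
# Added example (hypothetical helper names): find scripts that can be
# exec'd directly, i.e. have an execute bit set and start with "#!".

# has_exec_bit FILE -> true if FILE is a regular file with any execute bit
has_exec_bit() {
    [ -n "$(find "$1" -prune -type f \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null)" ]
}

# classify_script FILE -> prints "direct" or "via-interpreter"
classify_script() {
    if has_exec_bit "$1" && [ "$(head -c 2 "$1" 2>/dev/null)" = '#!' ]; then
        echo direct
    else
        echo via-interpreter
    fi
}

# audit_scripts DIR -> one "class<TAB>path" line per *.php / *.pl file
audit_scripts() {
    find "$1" -type f \( -name '*.php' -o -name '*.pl' \) | sort |
    while IFS= read -r script; do
        printf '%s\t%s\n' "$(classify_script "$script")" "$script"
    done
}

# count_direct DIR -> number of scripts that can be exec'd directly
count_direct() {
    audit_scripts "$1" | grep -c '^direct' || true
}

# Constructed sample tree (not from the thread): three scripts, two sites.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/site1" "$t/site2"
    printf '#!/usr/bin/php\n<?php echo 1;\n' > "$t/site1/a.php"  # x bit + #!
    printf '<?php echo 1;\n' > "$t/site1/b.php"                  # x bit, no #!
    printf '#!/usr/bin/perl\nprint 1;\n' > "$t/site2/c.pl"       # #!, no x bit
    chmod 755 "$t/site1/a.php" "$t/site1/b.php"
    chmod 644 "$t/site2/c.pl"
    echo "$t"
}

tree=$(make_sample_tree)
audit_scripts "$tree"
rm -rf "$tree"
```

A "direct" result only means the file can be executed directly; a webserver module may still load it without an exec, in which case the policy that applies is the one on the webserver.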