UID/GID ACL?

Submit your RBAC policies or suggest policy improvements

UID/GID ACL?

Postby Joel » Thu Nov 07, 2002 6:55 pm

Hi.

I read the post about " chroot'ing " with ACL's and been trying to think of a way by which this "chroot" can be made to restrict access to different directories based on system User / Group .

Is there a way to do this? The only thing I came up with would be a UID/GID based ACL. Is there such a thing in GRSec? Will there be?

Thanks for your hard work.
It's been of great help to me.

Joel A. Chornik[/b]
Joel
 
Posts: 10
Joined: Mon Jun 17, 2002 11:01 am

Postby Sharky » Sat Nov 09, 2002 9:39 pm

What you can do is basically ADD the GID you want them to be chrooted to the customized Chrooted Bash.
Im my example befor for instance I have CREATED a bash called bash-3
so what you can do is edit /etc/passwd and change the users shell you want to restrict to bash-3 instead of their original shell.
Sharky
 
Posts: 43
Joined: Fri Nov 01, 2002 10:12 pm

Postby Joel » Mon Nov 11, 2002 7:38 am

sharky, thanks for your reply.
although generating the need for about 500 :) hardlinks, this will suffice for granting restricted ssh access to my users.

now suppose I want similar restricitions applied to apache's suexec, but the ACL should be different based on which is the calling user. (depending on the user, access to one homedir or another should be granted, everything else denied)

is there a way to do this with current grsec ACLs?

once again thanks a lot for your help.
Joel
 
Posts: 10
Joined: Mon Jun 17, 2002 11:01 am

Postby Sharky » Mon Nov 11, 2002 3:20 pm

Hi again
First of all you will have to create an acl for apache in learning mode.
What you should do basically is create the following ACL
/path/to/your/httpd lo {

/ h

-CAP_ALL

RES_FSIZE 0 0

RES_DATA 0 100

RES_RSS 0 0

RES_NOFILE 0 0

RES_MEMLOCK 0 0

RES_STACK 0 0

RES_AS 0 0

RES_NPROC 0 0

RES_LOCKS 0 0

connect {
disabled

}

bind {

disabled

}

}

let it run for a couple of days, maybe weeks depending on how often your system HTML are being ACCESSED.
After that you will have to have a look at the generated ACL.
use gradm -L -O learn
go to your learn file and check what RESTRICTIONS were applied, Check which directories needs to be accessed and which wont.
BASED on that you can customize it as you want.
here's my GENERATED ACL for my httpd

disabled

}

bind {

disabled

}

}
connect {
disabled
}

bind {
disabled
}

}
based on your users you can tell which directories needs to be accessed etc.
Regards.
Sharky
 
Posts: 43
Joined: Fri Nov 01, 2002 10:12 pm

Postby Sharky » Mon Nov 11, 2002 3:22 pm

forget the one pasted, I PASTED something wrong heh.
Sharky
 
Posts: 43
Joined: Fri Nov 01, 2002 10:12 pm

Postby Joel » Tue Nov 12, 2002 5:32 am

yes, I understand what you meant.
But suppose the following:

Apache is configured with name based virtualhosts, and suExec, each virtualhost with its own user/group.

I want different virtualhosts (or differen user/groups for the matter) to have different ACL's. Very similar ACL's, but different.

can this be done?
thanks again for your time.

Joel.
Joel
 
Posts: 10
Joined: Mon Jun 17, 2002 11:01 am

Postby spender » Wed Nov 13, 2002 5:19 pm

I don't think that's possible in the current model. It will be very easy to do in the new ACL system that will support roles. You'll have to wait a couple of months for that though.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby Sharky » Wed Nov 13, 2002 7:56 pm

Hi joel
Spender is the coder, he knows better than all of us here, he gave u a direct and straight forward to the point answer :)
Sharky
 
Posts: 43
Joined: Fri Nov 01, 2002 10:12 pm

Postby Joel » Wed Nov 13, 2002 8:45 pm

spender and sharky.

thanks both for your replies.
I am eager to see this roles thing going.

I've been using Linux Trustees but i don't like it very much and it does not co-exists peacefully wuth grsec.

thanks again.
Joel.
Joel
 
Posts: 10
Joined: Mon Jun 17, 2002 11:01 am

Postby Cyt0plas » Tue Jan 13, 2004 1:47 am

Sounds like you could use Linux Trustees (http://trustees.sourceforge.net). I use it with grseurity, in the WOLK (http://wolk.sourceforge.net) kernel. Grsec gets ACLS for the programs, Trustees lets you do ACLs for people/groups.

A nice combo.
Cyt0plas
 
Posts: 5
Joined: Sun Aug 04, 2002 11:53 pm


Return to RBAC policy development

cron