grsecurity forums

[kaota]

Hi, pretty new to the RBAC system, but have been using the other nice kernel modifications from the grsec patch for awhile. What I'd like to try doing is only locking down certain users/groups, while allowing the rest of the system to function as it does currently. Everything I've seen so far with regards to RBAC deals with locking down the entire system-- which is great and I understand why, but that's not really what I want to do just yet. Learning mode (2 days) was also somewhat of a failure, right out of the box it denied me from even creating a new directory in my home, so who knows what else.

Anyway, back to the topic at hand. I have a group of users, let's call it "untrusted". I want to give them only what they need to do basic file operations in their homedir only, no execution of code past some standard file utilities (cp, mv, ln, vim, etc). That's really it. I don't want the rest of my system (e.g., me and "trusted" users) to have any additional restrictions.

Is there a way I can configure the RBAC to do this (even if not recommended), or is a "whole system lockdown" the only possible way? I realize setting up a chroot is also possible, but if that's avoidable I'd like to not go that route.

Thanks in advance!

[cormander]

Turning on the RBAC system locks the whole system down, it won't allow you to enter a policy that just does certain users. I'm pretty sure this restriction can be removed if you edit the gradm c code properly and recompile the tool, but that's not recommended and probably won't be supported.

I have the same requirement as you for one server and what I did was setup a chroot. I know this can be a pain but the jailkit tool makes it real easy to deal with: http://olivier.sessink.nl/jailkit/

One of the nice things about grsecurity is the chroot restrictions so even if they gained root access someone they'd still be contained in the chroot because the known methods of root breaking out of a chroot are removed.