generated ACL has logrotate subject in /tmp
Posted: Sun Jun 20, 2004 4:49 am
When I finished auto-generating a system-wide ACL with gradm 2.0 (kernel 2.6.5, Debian sid), I noticed a few strange subjects for logrotate executing in /tmp under a random name.
Obviously the next time logrotate runs it will use a different random name, so the learned subject will no longer match.
Any suggestions on how to solve this?
I don't want to give root default execute privileges on /tmp.
---
subject /tmp/logrotate.0FayYs o {
/ h
/bin h
/bin/bash x
/bin/chmod x
/bin/chown x
/bin/ls x
/etc h
/etc/ld.so.cache r
/etc/ld.so.preload r
/etc/mtab r
/lib h
/lib/tls h
/lib/tls/libc-2.3.2.so rx
/lib/tls/libdl-2.3.2.so rx
/lib/ld-2.3.2.so x
/lib/libncurses.so.5.4 rx
/lib/libsafe.so.2.0.16 rx
/proc
/proc/meminfo r
/tmp h
/tmp/logrotat r
/usr h
/usr/bin/mysqladmin x
/var h
/var/log
/dev
/dev/null w
/dev/tty rw
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/root
-CAP_ALL
+CAP_DAC_OVERRIDE
bind disabled
connect disabled
}
subject /tmp/logrotate.OwMCui o {
/ h
/bin h
/bin/bash x
/bin/chmod x
/bin/chown x
/bin/ls x
/etc h
/etc/ld.so.cache r
/etc/ld.so.preload r
/etc/mtab r
/lib h
/lib/tls h
/lib/tls/libc-2.3.2.so rx
/lib/tls/libdl-2.3.2.so rx
/lib/ld-2.3.2.so x
/lib/libncurses.so.5.4 rx
/lib/libsafe.so.2.0.16 rx
/proc h
/proc/22280
/proc/meminfo r
/tmp h
/tmp/logrotate.OwMCui r
/usr h
/usr/bin/mysqladmin x
/var h
/var/log
/dev
/dev/null w
/dev/tty rw
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/root
-CAP_ALL
+CAP_DAC_OVERRIDE
bind disabled
connect disabled
}
subject /tmp/logrotate.VJeUxh o {
/ h
/bin h
/bin/bash x
/bin/chmod x
/bin/chown x
/bin/ls x
/etc h
/etc/ld.so.cache r
/etc/ld.so.preload r
/etc/mtab r
/lib h
/lib/tls h
/lib/tls/libc-2.3.2.so rx
/lib/tls/libdl-2.3.2.so rx
/lib/ld-2.3.2.so x
/lib/libncurses.so.5.4 rx
/lib/libsafe.so.2.0.16 rx
/proc h
/proc/8650
/proc/meminfo r
/tmp h
/tmp/logrotate.VJeUxh r
/usr h
/usr/bin/mysqladmin x
/var h
/var/log
/dev
/dev/null w
/dev/tty rw
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/root
-CAP_ALL
+CAP_DAC_OVERRIDE
bind disabled
connect disabled
}
and so on...
Obviously the next time logrotate runs it will use a different random name, so the learned subject will no longer match.
Any suggestions on how to solve this?
I don't want to give root default execute privileges on /tmp.
---
subject /tmp/logrotate.0FayYs o {
/ h
/bin h
/bin/bash x
/bin/chmod x
/bin/chown x
/bin/ls x
/etc h
/etc/ld.so.cache r
/etc/ld.so.preload r
/etc/mtab r
/lib h
/lib/tls h
/lib/tls/libc-2.3.2.so rx
/lib/tls/libdl-2.3.2.so rx
/lib/ld-2.3.2.so x
/lib/libncurses.so.5.4 rx
/lib/libsafe.so.2.0.16 rx
/proc
/proc/meminfo r
/tmp h
/tmp/logrotat r
/usr h
/usr/bin/mysqladmin x
/var h
/var/log
/dev
/dev/null w
/dev/tty rw
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/root
-CAP_ALL
+CAP_DAC_OVERRIDE
bind disabled
connect disabled
}
subject /tmp/logrotate.OwMCui o {
/ h
/bin h
/bin/bash x
/bin/chmod x
/bin/chown x
/bin/ls x
/etc h
/etc/ld.so.cache r
/etc/ld.so.preload r
/etc/mtab r
/lib h
/lib/tls h
/lib/tls/libc-2.3.2.so rx
/lib/tls/libdl-2.3.2.so rx
/lib/ld-2.3.2.so x
/lib/libncurses.so.5.4 rx
/lib/libsafe.so.2.0.16 rx
/proc h
/proc/22280
/proc/meminfo r
/tmp h
/tmp/logrotate.OwMCui r
/usr h
/usr/bin/mysqladmin x
/var h
/var/log
/dev
/dev/null w
/dev/tty rw
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/root
-CAP_ALL
+CAP_DAC_OVERRIDE
bind disabled
connect disabled
}
subject /tmp/logrotate.VJeUxh o {
/ h
/bin h
/bin/bash x
/bin/chmod x
/bin/chown x
/bin/ls x
/etc h
/etc/ld.so.cache r
/etc/ld.so.preload r
/etc/mtab r
/lib h
/lib/tls h
/lib/tls/libc-2.3.2.so rx
/lib/tls/libdl-2.3.2.so rx
/lib/ld-2.3.2.so x
/lib/libncurses.so.5.4 rx
/lib/libsafe.so.2.0.16 rx
/proc h
/proc/8650
/proc/meminfo r
/tmp h
/tmp/logrotate.VJeUxh r
/usr h
/usr/bin/mysqladmin x
/var h
/var/log
/dev
/dev/null w
/dev/tty rw
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/root
-CAP_ALL
+CAP_DAC_OVERRIDE
bind disabled
connect disabled
}
and so on...