ACL for /etc/rc.d/init.d/httpd or /usr/sbin/httpd

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Post by hardigunawan » Fri Jan 17, 2003 3:57 am

I'm not sure which ACL I should create: /etc/rc.d/init.d/httpd or /usr/sbin/httpd. I'm using Red Hat.

So far I've seen only an ACL for /usr/sbin/httpd being created. Is there any reason to do so?

Thanks :)
hardigunawan
 
Posts: 10
Joined: Tue Jan 14, 2003 5:10 am

Post by spender » Fri Jan 17, 2003 8:46 am

Well, since putting ACLs on scripts is ugly, and it allows root to start or stop services, what I do is put ACLs only on the stuff the init scripts start, and enable the ACL system after all the other init scripts are done.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Post by hardigunawan » Fri Jan 17, 2003 9:40 am

I'm not sure I quite understand what you meant.

Do you mean you are setting the ACL for, let's say, Apache by setting the ACL on /usr/sbin/httpd rather than /etc/rc.d/init.d/httpd? Then you enable the ACL system after all the init scripts have been run?

But what if I want to restart the services at will?
hardigunawan
 
Posts: 10
Joined: Tue Jan 14, 2003 5:10 am

Post by spender » Fri Jan 17, 2003 9:57 am

Then you do it from within admin mode.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

