grsecure2 acl and system acl
9 posts
• Page 1 of 1
grsecure2 acl and system acl
by Terra » Thu Sep 30, 2004 8:46 am
sorry for stupid question, but grsecure object modes override system (ext2) modes or not? I want allow to one process read some directories, but can't modify ext2 permissions for these directories.
- Terra
- Posts: 9
- Joined: Fri Apr 11, 2003 5:18 pm
by Terra » Thu Sep 30, 2004 11:43 am
ok, how i understand grsecurity can deny access which allowed by file mode, but can't allow access denied by file mode. Yes?
.
Nice solution for me - use extended attributes patch. But i can't merge this patch with grsecurity patch for 2.4 kernel and no new grsecurity patch for 2.6 kernel (i can't use 2.6.7 because there serious acapi bugs)
May be someone merge this patches for 2.4?
.
Nice solution for me - use extended attributes patch. But i can't merge this patch with grsecurity patch for 2.4 kernel and no new grsecurity patch for 2.6 kernel (i can't use 2.6.7 because there serious acapi bugs)
May be someone merge this patches for 2.4?
- Terra
- Posts: 9
- Joined: Fri Apr 11, 2003 5:18 pm
by Terra » Mon Oct 04, 2004 9:49 am
I use grsecurity as second protection system, not main. If grsecurity fail to start or was disabled due some service - users mast not get access to closed directory. System acl must deny this. If i deny access vie default rbac acl, system acl must allow this access (for one process, which alloed in rbac also). It's no god.
- Terra
- Posts: 9
- Joined: Fri Apr 11, 2003 5:18 pm
by Terra » Tue Oct 05, 2004 2:55 am
simply mistake in start-up files, and grsec fail to start and users take dangerous permissions... it's not good.
grsec rbac, imho, needs for additional securing, in first hand, for prevention some attacks for get root if some bugs will be found, but not fixed on system.
usage grsec for users-access managment without system acl more dangerous because grsec rbac not start with kernel
grsec rbac, imho, needs for additional securing, in first hand, for prevention some attacks for get root if some bugs will be found, but not fixed on system.
usage grsec for users-access managment without system acl more dangerous because grsec rbac not start with kernel
- Terra
- Posts: 9
- Joined: Fri Apr 11, 2003 5:18 pm
by Terra » Wed Oct 06, 2004 4:49 am
and... sorry
if i deny access for all users and allow only one process, how user can get access to own directory? Write "u" subject for each user with allow acces to home directory and deny to others? IMHO, it's too overhead for fhree-four hundred users.
if i deny access for all users and allow only one process, how user can get access to own directory? Write "u" subject for each user with allow acces to home directory and deny to others? IMHO, it's too overhead for fhree-four hundred users.
- Terra
- Posts: 9
- Joined: Fri Apr 11, 2003 5:18 pm
9 posts
• Page 1 of 1