Option for FileName matching instead of inode matching.

Postby hmhansolo » Mon Mar 07, 2005 5:47 pm

There are files on the filesystem on most *nix systems, that get deleted and recreated... and as such, the inode changes.. for example.. /etc/resolv.conf.. dhcpd sometimes removes this file and creates a new one.. then, applications like qmail and others, can no longer access /etc/resolv.conf, because in the acl they were given permission to access that file by "/etc/resolv.conf r".. I know this problem can be solved by doing "/etc/resolv.conf* r", but then that gives access to other files you may not want the program to have access to.. maybe an object option can be given .. such as "/etc/resolv.conf pr", where p means match based on the filename "/etc/resolv.conf" instead of the inode of /etc/resolv.conf..

Another question.. I am assuming matching on inode number instead of file name is for security reasons... if not, why is matching done on inode instead of file name?


--hmhansolo

thanks for the help
hmhansolo
Posts: 32
Joined: Mon Jan 10, 2005 9:15 pm

Postby spender » Fri Mar 11, 2005 4:58 pm

Grsecurity can handle the /etc/resolv.conf, /etc/passwd, etc cases where a file gets removed and recreated, while still using an inode/dev based system. Inode/dev lookups are preferred because multiple paths can refer to the same file, so using path matching on such files can result in an inconsistent policy (which may be wanted or unwanted).

-Brad
spender
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
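An added illustration of both behaviours Brad describes above (this is not code from the thread or from grsecurity): a constructed toy policy check, resolved either to (dev, inode) or to the path string, run against a file that is first hard-linked and then deleted and recreated the way a DHCP client rewrites resolv.conf. The `InodePolicy`/`PathPolicy` classes and the scratch file names are hypothetical models, not the RBAC system's own implementation.

```python
import os
import tempfile

def file_id(path):
    """Identity as an inode/dev based policy sees it: the (st_dev, st_ino) pair."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)

class InodePolicy:
    """Hypothetical model: the object rule is resolved to dev/inode once, at policy load."""
    def __init__(self, path):
        self.allowed = {file_id(path)}
    def allows(self, path):
        return file_id(path) in self.allowed

class PathPolicy:
    """Hypothetical model of the suggested 'p' flag: match the literal path string."""
    def __init__(self, path):
        self.allowed = {os.path.abspath(path)}
    def allows(self, path):
        return os.path.abspath(path) in self.allowed

def demo(workdir):
    conf = os.path.join(workdir, "resolv.conf")  # constructed stand-in for /etc/resolv.conf
    with open(conf, "w") as f:
        f.write("nameserver 192.0.2.1\n")
    inode_rule = InodePolicy(conf)
    path_rule = PathPolicy(conf)
    # Case 1: a hard link is a second path to the very same inode. The inode rule
    # grants it (same object); the path rule does not recognise it at all.
    alias = os.path.join(workdir, "resolv.conf.alias")
    os.link(conf, alias)
    hardlink_inode = inode_rule.allows(alias)
    hardlink_path = path_rule.allows(alias)
    # Case 2: write a new file and rename it over the old name, the way a DHCP
    # client rewrites resolv.conf. The name is unchanged but the inode is new, so
    # a rule resolved to the old inode no longer matches and access is denied.
    tmp = conf + ".tmp"
    with open(tmp, "w") as f:
        f.write("nameserver 192.0.2.2\n")
    os.replace(tmp, conf)
    recreate_inode = inode_rule.allows(conf)
    recreate_path = path_rule.allows(conf)
    return {"hardlink_inode": hardlink_inode, "hardlink_path": hardlink_path,
            "recreate_inode": recreate_inode, "recreate_path": recreate_path}

def run_demo():
    """Run demo() in a scratch directory that is removed afterwards."""
    with tempfile.TemporaryDirectory() as d:
        return demo(d)
```

The two results show the trade-off in one run: the inode rule follows the object through every path it has but loses it when the name is rebound to a fresh inode, while the path rule does the opposite.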

Postby hmhansolo » Fri Mar 11, 2005 6:11 pm

How do I set that up?

everything in my logs seems fine.. and then when dhcpcd messes with my /etc/resolv.conf file, programs like qmail and such, that have not been given access to /etc and only been given explicit access to /etc/resolv.conf, start getting denied access to the /etc/resolv.conf file.

--hmhansolo
hmhansolo
Posts: 32
Joined: Mon Jan 10, 2005 9:15 pm

Postby spender » Fri Mar 11, 2005 6:15 pm

That shouldn't happen. Can you send me the logs and an strace of dhcpcd?

-Brad
spender
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
