ACL for creating only?


Post by salam » Thu Mar 01, 2007 2:40 pm

hello,

is it possible to set up a rule in ACL (for example ftp server) to allow this subject only uploading and not modifying the files after the upload is finished (or aborted, does not matter)?
i've tried to add only "rc" flags to the object, but ended with "write permission denied" message. adding "w" flag will allow overwriting the file (though not deleting, but size 0 is worthless), so it is not good for this

there are 2 types of writes

Post by hmhansolo » Sat Mar 03, 2007 11:09 am

Well.. there are two types of writes.. there is a write "w".. and there is an append write "a".. you can try this, but i don't think it will work..

this check is done when the file is opened, and I am pretty sure the ftp server will open the file in write mode, instead of write append mode, even though it is only appending data to the file..

otherwise, to my knowledge, there is no other way that grsec can do that acl.. it cannot check for every write if it is appending or editing... too much of a major perf hit.. so it can only check on the file open mode...

--hmhansolo

Post by salam » Mon Mar 05, 2007 12:09 pm

the question is then, what is the 'a' flag for? i've never seen practical use for it. any application that requested file write access for appending only (i've also tried "cat >>") ended with access denied and requested full write. or am i using too old a version of grsec?
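An added example, not part of any post in this thread and not grsecurity code: a small C probe for the open-time check discussed above. It tries the open(2) modes an upload could request on a scratch file and reports which are permitted, and it shows that a descriptor opened with O_APPEND writes at end of file even after a rewind. The function names and the scratch-file argument are assumptions of this example.

```c
/* Added example: probes open(2) modes on a scratch file. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct probe { const char *name; int flags; };

/* Modes an upload could request; the truncating one is last because it
 * empties the file. The letters are the object modes named in the thread. */
static const struct probe PROBES[] = {
    { "create new (c): O_CREAT|O_EXCL", O_WRONLY | O_CREAT | O_EXCL },
    { "append (a): O_APPEND",           O_WRONLY | O_APPEND },
    { "write (w): O_WRONLY",            O_WRONLY },
    { "write (w): O_TRUNC",             O_WRONLY | O_TRUNC },
};

/* Returns 0 if the open is permitted, otherwise the errno it failed with. */
int try_open(const char *path, int flags) {
    int fd = open(path, flags, 0600);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Opens with O_APPEND, rewinds to offset 0, writes, and returns the new
 * file size (-1 on error). The size grows: the write lands at EOF. */
long append_after_rewind(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_APPEND);
    if (fd < 0) return -1;
    lseek(fd, 0, SEEK_SET);
    ssize_t n = write(fd, data, strlen(data));
    off_t end = lseek(fd, 0, SEEK_END);
    close(fd);
    return n < 0 ? -1 : (long)end;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s SCRATCH_FILE\n", argv[0]); return 2; }
    for (size_t i = 0; i < sizeof PROBES / sizeof PROBES[0]; i++) {
        int err = try_open(argv[1], PROBES[i].flags);
        printf("%-32s %s\n", PROBES[i].name, err ? strerror(err) : "allowed");
    }
    return 0;
}
```

Tracing the FTP daemon during an upload with `strace -f -e trace=open,openat` shows which of these modes it actually requests.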

