I'd like to set up ACLs without the need to modify these rules every time a new user is created. I'm running Debian etch on a 2.6.21 kernel, together with Confixx, Postfix and Courier POP/IMAP. All mail users share a common group named "poponly". I have created the following ACL:
role poponly g
subject / oO {
user_transition_allow root
group_transition_allow poponly mail
/ h
/etc r
/etc/grsec h
/etc/ssh h
/etc/shadow h
/etc/shadow- h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp/chap-secrets h
/etc/ppp/pap-secrets h
/etc/samba/smbpasswd h
/proc h
/proc/sys/kernel/ngroups_max r
/usr h
/usr/bin/imapd x
/usr/bin/procmail x
/usr/bin/spamc x
/usr/lib rx
/var h
/var/log
/var/log/procmail.log a
/var/mail rwcdl
/var/run
/dev
/dev/null a
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/lib rx
/tmp rw
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind 0.0.0.0/32:0 stream tcp
connect 127.0.0.1/32:111 stream dgram tcp udp
connect 127.0.0.1/32:869 stream dgram tcp udp
connect 127.0.0.1/32:783 stream dgram tcp udp
connect 127.0.0.1/32:512 stream dgram tcp udp
}
If one uses the rule above, grsec throws this error message:
(poponly:G:/) change to uid 1150 denied for /usr/bin/imapd[imapd:32683] uid/euid:1150/1150 gid/egid:502/502, parent /usr/sbin/couriertcpd[couriertcpd:3051] uid/euid:0/0 gid/egid:0/0
uid 1150 is the user web1p1, a mail user. Originally, grsec learning mode adds a role transition for user web1p1 to this role, but I need a common set of rules for all mail users without the need to add rules and reload grsec every time a new user is created. Can this be done using domains instead of roles, or something similar? I hope someone can guide me through this roadblock. Any hint would be highly appreciated.
kind regards
giver
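As an added example (not part of giver's post or of grsecurity itself): a small Python parser for the RBAC denial line quoted above, so that the role, subject, refused uid and parent process can be pulled out of a batch of kernel log lines and all denied transition targets collected in one pass. Only the first sample line is taken from the post; the second line (uid 1151, its pids and the syslog prefix) and the third, non-RBAC line are constructed for this example.

```python
import re
from typing import Any, Dict, List, Optional, Set

# Field layout of a grsecurity RBAC denial as it appears in the post:
#   (role:type:subject) <message> for <exe>[<comm>:<pid>] uid/euid:U/E gid/egid:G/E,
#   parent <exe>[<comm>:<pid>] uid/euid:U/E gid/egid:G/E
# Anything before the opening parenthesis (a "grsec: " tag, a syslog timestamp)
# is ignored, so lines copied from dmesg or /var/log/kern.log also match.
_DENIAL_RE = re.compile(
    r"\((?P<role>[^:()]+):(?P<role_type>[A-Z]+):(?P<subject>[^)]+)\)\s+"
    r"(?P<message>.+?)\s+for\s+(?P<exe>[^\s\[]+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]\s+"
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+)\s+gid/egid:(?P<gid>\d+)/(?P<egid>\d+),\s+"
    r"parent\s+(?P<parent_exe>[^\s\[]+)\[(?P<parent_comm>[^:\]]+):(?P<parent_pid>\d+)\]\s+"
    r"uid/euid:(?P<parent_uid>\d+)/(?P<parent_euid>\d+)\s+"
    r"gid/egid:(?P<parent_gid>\d+)/(?P<parent_egid>\d+)"
)

# The message part of a refused setuid/setgid: "change to uid N denied" / "change to gid N denied"
_TRANSITION_RE = re.compile(r"change to (?P<kind>uid|gid) (?P<id>\d+) denied")

_INT_FIELDS = (
    "pid", "uid", "euid", "gid", "egid",
    "parent_pid", "parent_uid", "parent_euid", "parent_gid", "parent_egid",
)

SAMPLE_LINES: List[str] = [
    # Verbatim denial from the post.
    "(poponly:G:/) change to uid 1150 denied for /usr/bin/imapd[imapd:32683] "
    "uid/euid:1150/1150 gid/egid:502/502, parent /usr/sbin/couriertcpd[couriertcpd:3051] "
    "uid/euid:0/0 gid/egid:0/0",
    # Constructed: a second mail user, with the syslog prefix a real kernel log carries.
    "Apr  3 10:15:42 mailhost kernel: grsec: (poponly:G:/) change to uid 1151 denied for "
    "/usr/bin/imapd[imapd:32690] uid/euid:1151/1151 gid/egid:502/502, parent "
    "/usr/sbin/couriertcpd[couriertcpd:3051] uid/euid:0/0 gid/egid:0/0",
    # Constructed: unrelated kernel noise the parser must skip.
    "Apr  3 10:15:43 mailhost kernel: eth0: link up",
]


def parse_grsec_denial(line: str) -> Optional[Dict[str, Any]]:
    """Return the denial's fields as a dict, or None if the line is not an RBAC denial."""
    m = _DENIAL_RE.search(line)
    if m is None:
        return None
    rec: Dict[str, Any] = m.groupdict()
    for key in _INT_FIELDS:
        rec[key] = int(rec[key])
    # For setuid/setgid refusals, expose the id the subject tried to switch to.
    t = _TRANSITION_RE.search(rec["message"])
    rec["target_uid"] = int(t.group("id")) if t and t.group("kind") == "uid" else None
    rec["target_gid"] = int(t.group("id")) if t and t.group("kind") == "gid" else None
    return rec


def denied_transition_uids(lines: List[str]) -> Set[int]:
    """Collect every uid some subject was refused to switch to across a log batch."""
    uids: Set[int] = set()
    for line in lines:
        rec = parse_grsec_denial(line)
        if rec is not None and rec["target_uid"] is not None:
            uids.add(rec["target_uid"])
    return uids


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_grsec_denial(line)
        if rec is None:
            continue
        print(f"role={rec['role']} subject={rec['subject']} exe={rec['exe']} "
              f"pid={rec['pid']} target_uid={rec['target_uid']} "
              f"parent={rec['parent_exe']}[{rec['parent_pid']}] parent_uid={rec['parent_uid']}")
    print("denied transition uids:", sorted(denied_transition_uids(SAMPLE_LINES)))
```

Running it over a day of kernel logs gives the set of mail uids the subject was refused, which is the quickest way to confirm that every denial really is the same `change to uid ... denied` pattern under the `poponly` role before touching the policy.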