root and user_transition_deny


Postby windo » Mon Apr 21, 2008 10:45 am

kernel 2.6.23-16+grsec

I tried to restrict root from using "su" to become any user, but was unable to do so. The following piece of policy does not allow root to use su at all:

subject /bin/su dp
user_transition_deny nobody
/dev/log rw


It complains of missing CAP_SETUID and CAP_SETGID; however, this allows root to su to anybody (including nobody):

subject /bin/su dp
user_transition_deny nobody
/dev/log rw
+CAP_SETUID
+CAP_SETGID


Missing feature, bug, or misconfiguration?
windo
Posts: 6
Joined: Wed Mar 12, 2008 12:31 pm
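To make the expected behaviour of the two policies above testable, here is an added example (not code from the thread or from grsecurity) that parses a subject block and evaluates a uid transition against the intended semantics: user_transition_deny blocks the listed users, user_transition_allow permits only the listed users, and any uid/gid change additionally needs CAP_SETUID/CAP_SETGID. It models only the rules discussed here, not the kernel, and the policy strings are copied from the posts; it can serve as an oracle for the kind of regression test mentioned in the reply.

```python
# Added example: a model of the RBAC subject directives discussed above,
# encoding the intended semantics (assumption), not the 2.6.23 kernel bug.

def parse_subject(policy_text):
    """Parse one 'subject <path> <modes>' block into a dict of directives."""
    subj = {"path": None, "caps": set(), "user_allow": None, "user_deny": set()}
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("subject "):
            subj["path"] = line.split()[1]
        elif line.startswith("user_transition_deny "):
            subj["user_deny"].update(line.split()[1:])
        elif line.startswith("user_transition_allow "):
            subj["user_allow"] = set(line.split()[1:])
        elif line.startswith("+CAP_"):
            subj["caps"].add(line[1:])
        # object lines such as '/dev/log rw' are not relevant to this model
    return subj

def transition_allowed(subj, target_user, needs_gid_change=True):
    """Return (allowed, reason) for a setuid() to target_user from this subject."""
    if "CAP_SETUID" not in subj["caps"]:
        return False, "missing CAP_SETUID"
    if needs_gid_change and "CAP_SETGID" not in subj["caps"]:
        return False, "missing CAP_SETGID"
    if subj["user_allow"] is not None and target_user not in subj["user_allow"]:
        return False, "user not in user_transition_allow"
    if target_user in subj["user_deny"]:
        return False, "user in user_transition_deny"
    return True, "ok"

# Policy snippets copied from the first post.
POLICY_NO_CAPS = """subject /bin/su dp
user_transition_deny nobody
/dev/log rw
"""

POLICY_WITH_CAPS = POLICY_NO_CAPS + "+CAP_SETUID\n+CAP_SETGID\n"

if __name__ == "__main__":
    for name, text in (("no caps", POLICY_NO_CAPS), ("with caps", POLICY_WITH_CAPS)):
        subj = parse_subject(text)
        for user in ("nobody", "daemon"):
            print(name, "root ->", user, transition_allowed(subj, user))
```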

Re: root and user_transition_deny

Postby spender » Mon Apr 21, 2008 7:04 pm

This feature appears to have gone missing during the port to the 2.6.23 kernel. I've uploaded new patches to the website that restore the functionality. Cormander (a poster here on the forums) is working on RBAC regression tests that will ensure this kind of thing doesn't happen again. Thanks for reporting this issue!

-Brad
spender
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
