Problem eggdrop

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby myio » Tue Nov 19, 2002 11:33 am

This is my ACL:
/ {
/ wrx
/opt rx
/mnt rw
/dev rw
/dev/mem h
/dev/kmem h
/bin rx
/sbin rx
/lib rx
/usr rx
/etc rx
/proc rxw
/proc/sys r
/root r
/tmp rw
/var rxw
/var/tmp rw
/var/log ra
/boot r
/etc/grsec h
-CAP_LINUX_IMMUTABLE
+CAP_NET_RAW
-CAP_MKNOD
-CAP_SYS_RAWIO
-CAP_SYS_MODULE
}

/home o {
/ r
/opt rx
/mnt rw
/dev rw
/dev/mem h
/dev/kmem h
/bin rx
/sbin rx
/lib rx
/usr rx
/etc rx
/proc rxw
/proc/sys r
/root r
/tmp rw
/var rxw
/var/tmp rw
/var/log ra
/boot r
/home rxw
/etc/grsec h
+CAP_ALL

}


So I have problems: when I launch eggdrop, it tells me:


> Eggdrop v1.3.28 (c)1997 Robey Pointer (c)1999 Eggheads
> [12:19] --- Loading eggdrop v1.3.28 (Tue Nov 19 2002)
> [12:19] Listening at telnet port 49026 (all)
> [12:19] Can't load modules channels:
> /home/marte/eggdrop/modules/channels.so: failed to map segment from
> shared object: Permission denied
> [12:19] Can't load modules server:
> /home/marte/eggdrop/modules/server.so: failed to map segment from
> shared object: Permission denied
> [12:19] Can't load modules ctcp: /home/marte/eggdrop/modules/ctcp.so:
> failed to map segment from shared object: Permission denied
> [12:19] Can't load modules irc: /home/marte/eggdrop/modules/irc.so:
> failed to map segment from shared object: Permission denied


Whereas if I set only /home rx (not rxw, only rx), it works well and eggdrop starts, but I am not able to create a file with something like touch test.

I hope that someone can help me :cry:
myio
 
Posts: 2
Joined: Tue Nov 19, 2002 11:27 am

Postby goodbyte » Tue Nov 19, 2002 5:47 pm

Whereas if I set only /home rx (not rxw, only rx), it works well and eggdrop starts, but I am not able to create a file with something like touch test.

You are not allowed to load writable libraries. If you set just rx on /home/marte/eggdrop/modules, it should work.

/Erik
goodbyte
 
Posts: 32
Joined: Sun May 12, 2002 4:33 am
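As an added illustration (not part of the thread, and not gradm's own code), here is a small Python model of the object lookup that produced the "failed to map segment" denial and of the fix suggested in the reply above. It assumes two things that the reply relies on and that are labelled as assumptions in the code: an object mode is chosen by the longest matching path prefix on whole path components, and a file the subject has write access to may not be mapped executable. Only the /home subject from the original post is embedded; the more specific rx object for the modules directory is the suggested fix.

```python
"""Model of a grsecurity ACL object lookup for the eggdrop module problem.

Added illustration, not gradm's code. Modelled assumptions:
  * objects match by longest path prefix on whole components ("/home"
    covers "/home/marte" but not "/homer");
  * "h" hides the object (no access at all);
  * a subject may not mmap a file PROT_EXEC when its object mode grants
    write access to that file (the "writable library" refusal).
"""
from typing import Dict

# The /home subject exactly as posted in the thread.
ACL_FROM_POST = """\
/home o {
/ r
/opt rx
/mnt rw
/dev rw
/dev/mem h
/dev/kmem h
/bin rx
/sbin rx
/lib rx
/usr rx
/etc rx
/proc rxw
/proc/sys r
/root r
/tmp rw
/var rxw
/var/tmp rw
/var/log ra
/boot r
/home rxw
/etc/grsec h
+CAP_ALL
}
"""


def parse_acl(text: str) -> Dict[str, Dict[str, str]]:
    """Return {subject_path: {object_path: mode}} from old-style gradm ACL text."""
    acl: Dict[str, Dict[str, str]] = {}
    subject = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            subject = line[:-1].split()[0]  # "/home o {" -> "/home"
            acl[subject] = {}
        elif line == "}":
            subject = None
        elif line[0] in "+-":  # capability lines are not objects
            continue
        else:
            path, mode = line.split()
            acl[subject][path] = mode
    return acl


def effective_mode(objects: Dict[str, str], path: str) -> str:
    """Mode of the longest object prefix that covers `path` on a component boundary."""
    best, best_len = "", -1
    for obj, mode in objects.items():
        prefix = obj.rstrip("/") + "/"  # "/" stays "/", "/home" -> "/home/"
        if (path == obj or path.startswith(prefix)) and len(obj) > best_len:
            best, best_len = mode, len(obj)
    return best


def may_write(objects: Dict[str, str], path: str) -> bool:
    mode = effective_mode(objects, path)
    return "h" not in mode and "w" in mode


def may_map_exec(objects: Dict[str, str], path: str) -> bool:
    """Modelled rule: readable, executable, and NOT writable by this subject."""
    mode = effective_mode(objects, path)
    if "h" in mode:
        return False
    return "r" in mode and "x" in mode and "w" not in mode


def fixed_objects() -> Dict[str, str]:
    """The posted /home subject plus the more specific object from the reply."""
    objs = dict(parse_acl(ACL_FROM_POST)["/home"])
    objs["/home/marte/eggdrop/modules"] = "rx"
    return objs


if __name__ == "__main__":
    module = "/home/marte/eggdrop/modules/channels.so"
    posted = parse_acl(ACL_FROM_POST)["/home"]
    print("posted ACL:", effective_mode(posted, module), may_map_exec(posted, module))
    fixed = fixed_objects()
    print("with fix  :", effective_mode(fixed, module), may_map_exec(fixed, module))
    print("touch test:", may_write(fixed, "/home/marte/eggdrop/test"))
```

With the posted ACL the module path resolves to the /home object with mode rxw, so the writable-library rule refuses the executable mapping; with the narrower rx object the modules resolve to rx and load, while the rest of /home keeps its w bit so the bot can still create files.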

Resolved

Postby myio » Wed Nov 20, 2002 5:35 am

Thanks, I have resolved it. Another question I have: if I launch all my processes (Apache, MySQL, DNS, etc.) from an init script, and at the end of the script run gradm -E, will all the processes started before that work properly? :wink:
myio
 
Posts: 2
Joined: Tue Nov 19, 2002 11:27 am

Postby spender » Wed Nov 20, 2002 10:13 am

Yes, you can enable the ACL system at any time while the system is up, and it will apply ACLs to every process on the system, not just those started after the ACL system is enabled. In some ways, doing it this way is even more secure than enabling the ACL system at startup, since daemons generally need certain access when they start, but drop it later, so your ACL does not need to grant these permissions to that daemon.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm