Hi,
I currently have the following options set:
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
# CONFIG_GRKERNSEC_TPE_INVERT is not set
CONFIG_GRKERNSEC_TPE_GID=1005
Which works fine for me, except in one case where I need my Apache process to use a CGI in a directory owned by another non-root user (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505646).
So what I thought of doing to temporarily work around this was to create a "tpeexempt" group (1001) and put Apache in it. So I changed my kernel options to:
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_TPE_GID=1001
However, I don't think that I understood how the TPE_ALL and TPE_INVERT options interact with each other. Now, my normal user account can no longer run scripts in its home directory.
Is there a combination of options which allows to do both of these?
1- partially restrict all non-root users (so that they can run their own scripts)
2- specify a group of trusted users who will be allowed to run any scripts at all
Cheers,
Francois