Inheritance problem (grsec-1.9.7d & gradm-1.5a)

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby asok » Tue Nov 26, 2002 3:07 pm

Hello,

Maybe I am misunderstanding the documentation, but I have a problem with a very simple inheritance setup. My /var/log is append only by default. However, /usr/sbin/logrotate is allowed to rw it. I also want logrotate to be able to compress the rotated logs with gzip, but I only want to give elevated permissions to gzip when it is run by logrotate. As far as I understand, this should be doable even with the current ACL system with the following code:

/usr/sbin/logrotate {
        /var/log rwo            # read/write for this subject (the poster's default for /var/log is append only)
        /bin/gzip xi            # x: may execute gzip; i: gzip inherits this subject's ACL

        -CAP_ALL                # drop every capability ...
        +CAP_DAC_OVERRIDE       # ... then re-grant only what rotation needs
        +CAP_CHOWN
}

The rotation (and chown, etc.) works, but when logrotate execs gzip, it cannot even read from /var/log. The corresponding log:

grsec: attempt to open /var/log/warn-20021126 for reading by (gzip:23913) UID(0) EUID(0), parent (logrotate:6399) UID(0) EUID(0)

I have spent a few hours trying to hunt this down. Am I missing something?

Postby spender » Sun Dec 01, 2002 4:37 pm

Most likely logrotate execs the shell, which executes gzip, so that's why that ACL isn't being inherited. Try making /bin/sh inherit the ACL, and then it should work.

-Brad

Postby asok » Tue Dec 03, 2002 12:11 pm

Thanks Brad, it worked.

Just so that others know if they meet with the same problem, here is the correct configuration:

/usr/sbin/logrotate {
        /var/log rwo            # read/write for this subject (default for /var/log is append only)
        /bin/sh xi              # the shell logrotate runs gzip through must inherit the ACL too
        /bin/gzip xi            # x: may execute gzip; i: gzip inherits this subject's ACL

        -CAP_ALL                # drop every capability ...
        +CAP_DAC_OVERRIDE       # ... then re-grant only what rotation needs
        +CAP_CHOWN
}

Thanks again,
Akos
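The diagnostic step the thread turns on is working out which executables actually sit in the exec chain between the subject (logrotate) and the process that was denied (gzip), and checking that every one of them is granted execute plus inherit. The following is an added example, not code from the thread or from gradm: it parses a grsec open-denial line of the shape quoted above plus one gradm-style subject block and lists the process names in the logged chain that the subject neither is nor grants "xi" to. The ACL parser is deliberately minimal (one subject block, "#" comments, "path modes" object lines), matching the logged process name against the basename of an ACL object path is an assumption of this example, and the second log line, where the shell shows up as gzip's parent, is constructed for illustration and does not appear in the thread.

```python
import re

# Added example (not from the thread or from gradm). A small diagnostic that
# reads a grsec open-denial line plus one gradm-style subject block and reports
# which process in the logged exec chain (parent, child) the subject neither is
# nor grants "xi" (execute + inherit) to.

# Matches denial lines of the shape quoted in the thread.
DENIAL_RE = re.compile(
    r"grsec: attempt to open (?P<path>\S+) for (?P<op>\w+) by "
    r"\((?P<comm>[^:)]+):(?P<pid>\d+)\) UID\((?P<uid>\d+)\) EUID\((?P<euid>\d+)\), "
    r"parent \((?P<pcomm>[^:)]+):(?P<ppid>\d+)\) UID\((?P<puid>\d+)\) EUID\((?P<peuid>\d+)\)"
)

# The first (failing) subject block from the thread.
ACL_BEFORE = """
/usr/sbin/logrotate {
        /var/log rwo
        /bin/gzip xi

        -CAP_ALL
        +CAP_DAC_OVERRIDE
        +CAP_CHOWN
}
"""

# The working block from the thread, with /bin/sh added.
ACL_AFTER = ACL_BEFORE.replace("        /bin/gzip xi",
                               "        /bin/sh xi\n        /bin/gzip xi")

# The denial line quoted in the thread.
THREAD_LINE = ("grsec: attempt to open /var/log/warn-20021126 for reading by "
               "(gzip:23913) UID(0) EUID(0), parent (logrotate:6399) UID(0) EUID(0)")

# Constructed line (not from the thread): same denial, but with the shell that
# logrotate used to run gzip showing up as the parent.
CONSTRUCTED_SH_LINE = ("grsec: attempt to open /var/log/warn-20021126 for reading by "
                       "(gzip:23913) UID(0) EUID(0), parent (sh:23912) UID(0) EUID(0)")


def parse_denial(line):
    """Return the fields of a grsec open-denial line, or None if it is not one."""
    m = DENIAL_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    for key in ("pid", "uid", "euid", "ppid", "puid", "peuid"):
        d[key] = int(d[key])
    return d


def parse_subject(text):
    """Parse one subject block: returns (subject_path, {object_path: modes}, [caps]).

    Deliberately minimal: one block, '#' comments, object lines as 'path modes',
    capability lines starting with '+' or '-'.
    """
    subject, objects, caps = None, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line == "}":
            continue
        if line.endswith("{"):
            subject = line[:-1].strip()
        elif line[0] in "+-":
            caps.append(line)
        else:
            parts = line.split()
            objects[parts[0]] = parts[1] if len(parts) > 1 else ""
    return subject, objects, caps


def grants_inherit(objects, comm):
    """True if some object whose basename equals `comm` carries both 'x' and 'i'.

    The log only gives the process name, so matching on the basename of the
    ACL object path is an assumption of this example.
    """
    return any(path.rsplit("/", 1)[-1] == comm and "x" in modes and "i" in modes
               for path, modes in objects.items())


def missing_inherit(acl_text, log_line):
    """Names in the logged chain (parent, then child) that the subject does not cover."""
    subject, objects, _ = parse_subject(acl_text)
    d = parse_denial(log_line)
    if d is None:
        raise ValueError("not a grsec open-denial line: %r" % log_line)
    subject_name = subject.rsplit("/", 1)[-1]
    return [comm for comm in (d["pcomm"], d["comm"])
            if comm != subject_name and not grants_inherit(objects, comm)]


if __name__ == "__main__":
    print(missing_inherit(ACL_BEFORE, THREAD_LINE))          # []: chain as logged looks covered
    print(missing_inherit(ACL_BEFORE, CONSTRUCTED_SH_LINE))  # ['sh']: the shell is the gap
    print(missing_inherit(ACL_AFTER, CONSTRUCTED_SH_LINE))   # []
```

Run against the line the thread quotes, the checker finds nothing missing, because the parent it reports is logrotate itself and gzip already has "xi"; that is exactly why the gap was hard to see. Against the constructed line with sh as the parent it names the shell, and the thread's corrected block clears it. In practice, when a denial line does not name the intermediate, check what the subject program uses to launch the child (a system()- or popen()-style call goes through /bin/sh) and add that executable with "xi" as well.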

