acl and startx

Submit your RBAC policies or suggest policy improvements

acl and startx

Postby pasholy » Sat Nov 02, 2002 9:22 pm

Hi: my startx doesn't work with acls. This is my acl

/ {
/ r
/opt rx
/home rwx
/mnt rw
/dev rw
/dev/mem h
/dev/kmem h
/bin rx
/sbin rx
/lib rx
/usr rx
/etc rx
/proc rwx
/proc/sys r
/root r
/tmp rw
/var rwx
/var/tmp rw
/var/log ra
/boot r
/etc/grsec h


/var/log/wtmp rw
/var/log/faillog rw
/var/log/lastlog rw
/sbin/reboot h
/sbin/shutdown h

-CAP_LINUX_IMMUTABLE
-CAP_MKNOD
-CAP_SYS_RAWIO
-CAP_SYS_MODULE
}

/usr/X11R6/bin/startx {
/ rwxoi
}

when i run startx i get :

grsec: attempt to open /var/log/XFree86.0.log for writing by (X:401) UID(1000) EUID(0), parent (xinit:400) UID(1000) EUID(1000)

Fatal server error:
Cannot open log file "/var/log/XFree86.0.log"


When reporting a problem related to a server crash, please send
the full server output, not just the last messages.
Please report problems to [email protected].

giving up.
xinit: No such file or directory (errno 2): unable to connect to X server
xinit: No such process (errno 3): Server error.

I tried changing startx to :

/usr/X11R6/bin/startx {
/usr/X11R6/bin/xinit rxi
/var/log/XFree86.0.log rwxoi
}

still the same thing.

How do I change the acl so that everything that startx runs has access to
everything on / ?. Because I think that xinit runs a bunch of other programs and those programs might run other programs. I want to make everything after startx have access to everything on the root directory.
pasholy
 
Posts: 4
Joined: Sat Nov 02, 2002 9:12 pm

Postby spender » Sun Nov 03, 2002 12:47 am

you're putting the inherit mode on a log, not something that can be executed. I would recommend not putting an ACL on startx as it's only a script. You should put the ACL on the /usr/X11R6/bin/XFree86 binary.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

startx and xinit

Postby pasholy » Sun Nov 03, 2002 9:22 pm

I tried putting in two rules instead of the startx

/usr/X11R6/bin/XFree86 {
/ rwxoi
}

and that gives me the same error as above.

/usr/X11R6/bin/XFree86 {
/var/log/XFree86.0.log rwxoi
}
and that gives me a new error.

(==) Log file: "/var/log/XFree86.0.log", Time: Mon Nov 4 18:13:19 2002
(==) Using config file: "/etc/X11/XF86Config"
grsec: attempt to access hidden file [16:01:610] by (X:22959) UID(1000) EUID(0), parent (xinit:22958) UID(1000) EUID(1000)

Fatal server error:
xf86EnableIOPorts: Failed to set IOPL for I/O


When reporting a problem related to a server crash, please send
the full server output, not just the last messages.
This can be found in the log file "/var/log/XFree86.0.log".
Please report problems to [email protected].

XIO: fatal IO error 104 (Connection reset by peer) on X server ":1.0"
after 0 requests (0 known processed) with 0 events remaining.


isn't there a way for everything ran by XFree86 to inherit everything in the root directory, so that I don't have to specify rules for all of the subproceses?

thanks.
pasholy
 
Posts: 4
Joined: Sat Nov 02, 2002 9:12 pm

Postby spender » Sun Nov 03, 2002 9:24 pm

you don't have o in the subject mode, so it's inheriting ACLs. A gradm -T would have confirmed this. Try this for your ACL:

/usr/X11R6/bin/XFree86 {
/var/log/XFree86.0.log rw
/var/log/XFree86.1.log rw
/dev/mem rwo

+CAP_CHOWN
+CAP_SETUID
+CAP_SETGID
+CAP_DAC_OVERRIDE
+CAP_SYS_RAWIO
+CAP_SYS_MODULE
+CAP_SYS_NICE
}
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby pasholy » Sun Nov 03, 2002 10:04 pm

/usr/X11R6/bin/XFree86 {
/var/log/XFree86.0.log rw
/var/log/XFree86.1.log rw
/dev/mem rwo

+CAP_SYS_RAWIO
}

Did the trick. I'm still
a little confused as to how +CAP_SYS_RAWIO did that.

Thanks a lot for the help Spender.
pasholy
 
Posts: 4
Joined: Sat Nov 02, 2002 9:12 pm

Postby spender » Sun Nov 03, 2002 11:22 pm

you need CAP_SYS_RAWIO to modify block devices or other special devices like /dev/kmem and /dev/mem.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm


Return to RBAC policy development