Heh, normally it's not needed to add +CAP_SYS_ADMIN to gradm; it's not even needed to set up ACLs for gradm at all, because they are added by default, and a /sbin/gradm record in the ACLs will return an error reporting double definitions of /sbin/gradm. Seems I got stuck :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sandino Araico Sánchez
Sent: Tuesday, March 30, 2004 2:27 PM
To: [EMAIL PROTECTED]
Subject: Re: [Vserver] vserver + grsec + gradm problem

Justinas S. wrote:

>Hi Sandino,
>
>Thanks for your reply. Do you have any suggestions how I can solve my
>problem?
>
>More details:
>
>After (on main system - not vserver, after building kernel, compiling
>gradm and rebooting)
># gradm -E
># gradm -a
>Password:
>Could not open /proc/sys/kernel/grsecurity/acl
>open: Permission denied
>
>Kernel log shows this:
>Mar 30 09:31:47 alus2 kernel: grsec: From 192.168.1.2: use of
>CAP_SYS_ADMIN denied for (gradm:1374) UID(0) EUID(0), parent (bash:706)
>UID(0) EUID(0) (why it's denied? It never happens in grsec+gradm only)
>

I have not much experience with ACLs but seems like you are dropping the CAP_SYS_ADMIN capability at some point.

>I used 2 different patches of vs+grsec:
>http://www.sandino.net/parches/vserver/linux-2.4.25-grsec-1.9.14-vserver-1.26.patch.gz
>http://www.firehead.org/~jeffrey/linux-vserver/grsecurity-1.9.14-2.4.25-vs1.26.patch
>and message was the same.

--
Sandino Araico Sánchez
-- Melón ate the feathers....

_______________________________________________
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
