/*
 * /medusa/medusa.info for fornax.elf.stuba.sk, (c) 1999 Milan WWW Pikula
 *
 * Medusa DS9 (constable) policy: labels filesystem objects with a 16-bit
 * "virtual space" mask (vs) and restricts what the mail daemons may see,
 * write and which capabilities they keep.  Rules are evaluated in file
 * order; the ordering of the "for set" rules below is deliberate, so do
 * not reorder them without re-checking the resulting labels.
 */

/*
 * vs bit layout (MSB first):
 *   0b1000000000000000  basic      - system binaries, libraries, /etc, /proc, /dev, /var/run
 *   0b0100000000000000  user       - everything not claimed by another set (home dirs, data)
 *   0b0010000000000000  mailboxes  - mail spool, mqueue, selected /dev nodes, sendmail.pid
 *   0b0001000000000000  main web
 *
 * Intended per-role access as written by the author (r = read, w = write,
 * one column per set above):
 *   0bwww0000000000000  normal user after login; later we will disallow him changing uid to root
 *                       (NOTE(review): still open in this file - nothing below blocks a user
 *                       process from changing its uid to root)
 *   0br0w0000000000000  sendmail
 *   0br0w0000000000000  mailsort
 *   0br00w000000000000  httpd + proxyrouter
 *                       (NOTE(review): no exec rule for mailsort, httpd or proxyrouter exists
 *                       in this file; only sendmail/in.pop3d/imapd are restricted below)
 */

/* The top-level directories themselves are "basic" so every role can traverse them. */
for set "/" vs=0b1000000000000000;
for set "/usr" vs=0b1000000000000000;
for set "/usr/local" vs=0b1000000000000000;
for set "/usr/fornax" vs=0b1000000000000000;
for set "/var" vs=0b1000000000000000;
for set "/dev" vs=0b1000000000000000;
for set "/var/spool" vs=0b1000000000000000;

/*
 * Default: everything under / is "user".  The recursive rules that follow
 * carve the system trees back out as "basic".
 * NOTE(review): whether this recursive rule also relabels "/" itself (and
 * thereby overrides the seven non-recursive rules above) depends on the
 * constable semantics of "recursive" and on later-rule-wins ordering -
 * confirm against the interpreter; if it does, those rules are dead.
 */
recursive for set "/" vs=0b0100000000000000;
recursive for set "/lib" vs=0b1000000000000000;
recursive for set "/bin" vs=0b1000000000000000;
recursive for set "/sbin" vs=0b1000000000000000;
recursive for set "/usr/lib" vs=0b1000000000000000;
recursive for set "/usr/sbin" vs=0b1000000000000000;
recursive for set "/usr/bin" vs=0b1000000000000000;
recursive for set "/usr/local/lib" vs=0b1000000000000000;
recursive for set "/usr/local/sbin" vs=0b1000000000000000;
recursive for set "/usr/local/bin" vs=0b1000000000000000;
recursive for set "/usr/fornax/lib" vs=0b1000000000000000;
recursive for set "/usr/fornax/sbin" vs=0b1000000000000000;
recursive for set "/usr/fornax/bin" vs=0b1000000000000000;
recursive for set "/usr/ix86-linux/lib" vs=0b1000000000000000;
recursive for set "/usr/ix86-linux/bin" vs=0b1000000000000000;
recursive for set "/usr/ix86-linuxaout/lib" vs=0b1000000000000000;
recursive for set "/usr/ix86-linuxaout/bin" vs=0b1000000000000000;
recursive for set "/etc" vs=0b1000000000000000;
recursive for set "/proc" vs=0b1000000000000000;

/*
 * Device nodes and the mail spool go into the "mailboxes" set, which is the
 * only set the mail daemons keep write access to (see the exec rule below).
 * The pattern is a regex: tty.* and pty.* cover every tty/pty device,
 * vcs.* covers the virtual-console screen devices.
 * NOTE(review): this puts /dev/console, /dev/tty*, /dev/pty* and /dev/vcs*
 * in the same set as the mail spool.  If wvs really is the write mask, a
 * compromised pop3d/imapd could write to the system console or read/write
 * other virtual consoles' screen memory via /dev/vcs*.  Consider a separate
 * set holding only the nodes the daemons need (null, zero, urandom, log).
 */
recursive for set "/dev/(null|zero|urandom|tty.*|pty.*|log|console|vcs.*)" vs=0b0010000000000000;
recursive for set "/var/spool/(mail|mqueue)" vs=0b0010000000000000;

/*
 * /var/run: the directory is visible to "user" and "mailboxes", its contents
 * are "basic", except sendmail.pid which sendmail must be able to write.
 * NOTE(review): same ordering caveat as for "/" above - if "recursive"
 * includes the directory itself, the first rule is overridden by the second.
 */
for set "/var/run" vs=0b0110000000000000;
recursive for set "/var/run" vs=0b1000000000000000;
recursive for set "/var/run/sendmail.pid" vs=0b0010000000000000;

/*
 * Disabled: deny-and-log handlers for access/permission checks on the whole
 * tree.  Left here as commented-out reference; "permision" is the original
 * (misspelled) event name and string and must stay as-is if re-enabled.
 */
/*
recursive for access "/" { if( flags==1 ) log_fs "access"; answer=ERR; }
recursive for permision "/" { if( flags==1 ) log_fs "permision"; answer=ERR; // answer=SKIP; }
*/

/**** common things ****/

/*
 * init gets every vs bit in all four masks (see/see-set/read/write) and the
 * full capability set.  This is the only place a process is granted
 * anything in this file; the mail-daemon rule below is the only place
 * anything is taken away.
 */
for exec "/sbin/init" {
    vs=0xffff; vss=0xffff; vsr=0xffff; vsw=0xffff;
    ecap = 0xffffffff;
    log "Configuration file started, pid(init)=" pid ".";
}

/*
 * Mail daemons (sendmail, in.pop3d, imapd): restrict visibility, write
 * access and capabilities.  The regex escapes the dot in in.pop3d.
 *
 * The "/=" operator appears to clear the listed bits from the mask (the
 * result matches the "0br0w" row in the table above: vs keeps only
 * "basic", mvs/wvs keep only "mailboxes") - confirm against the constable
 * grammar before relying on this reading.
 */
for exec "/usr/sbin/(sendmail|in\\.pop3d|imapd)" {
    // log "sendmail started, pid(sendmail)=" pid ", vs=" vs "vss=" vss "vsr=" vsr " vsw=" vsw;
    vs /= 0b0101111111111111;
    mvs/= 0b1101111111111111;
    wvs/= 0b1101111111111111;
    /*
     * Capabilities cleared for the mail daemons.  Everything not listed is
     * retained, notably CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
     * CAP_KILL, CAP_SETGID, CAP_SETUID, CAP_NET_BIND_SERVICE,
     * CAP_NET_BROADCAST, CAP_IPC_LOCK, CAP_SYS_CHROOT, CAP_SYS_PACCT and
     * CAP_MKNOD.  SETUID/SETGID, NET_BIND_SERVICE, CHOWN and DAC_* are
     * plausibly needed for local delivery and port 25/110/143.
     * NOTE(review): CAP_MKNOD, CAP_SYS_PACCT, CAP_NET_BROADCAST and
     * CAP_IPC_LOCK have no obvious use for an MTA or POP/IMAP server;
     * consider adding them to this list once tested on the host.
     */
    ecap /= CAP_FOWNER|CAP_FSETID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|
            CAP_NET_ADMIN|CAP_NET_RAW|
            CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|
            CAP_SYS_PTRACE|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|
            CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG;
    // log "sendmail started, pid(sendmail)=" pid ", vs=" vs "mvs=" mvs " wvs=" wvs;
    // flags=1;
}

/*
 * Global event hooks.
 * on syscall: turns off tracing for the current action and for trace id 1
 *   (presumably the per-syscall trace; confirm) - i.e. syscalls are not logged.
 * on exec: resets the per-process action counters (procact, fsact) on every
 *   exec, so a new image starts with a clean slate.
 */
on syscall { trace_off action; trace_off 1; }
on exec { procact=0; fsact=0; }

/**** temporary garbage ****/
/*
 * Unused: a candidate list of /etc files that could be labelled
 * individually instead of the blanket "recursive for set "/etc"" above.
 */
/* for set "/etc/(HOSTNAME|aliases|aliases.db|exports|fdprm|fstab|gateways|gettydefs|group|host.*|hosts|hosts.*|ld.so.*|login.*|magic|mail.rc|mailcap|makedev.cfg|mdtab|mtab|netgroup|networks|passwd|printcap|protocols|resolv.*|rmtab|securetty|shells|syslog.conf|termcap|termcap-BSD|ttys)" */