Page 1 of 1
/proc/sys/kernel/grsecurity
Posted:
Tue Aug 06, 2002 11:35 amby smith
hello,
i just noticed that in grsec 1.9.6 the default values of the options in /proc/sys/kernel/grsecurity is "0", in 1.9.5 it was "1" ... i was confused a short time but just wrote a init script for it ...
i didnt have any of the other problems other ppl just posted.
philipp
Posted:
Fri Sep 13, 2002 11:50 amby decoder
do i have to echo 1 > /proc/sys/kernel/grsecurity/function to enable the function for every function i want? i thought the grsecurity functions are enabled by default. (?) *confused* :P
Posted:
Fri Sep 13, 2002 12:56 pmby torne
If you enable sysctl support in the kernel, then all options default to off.
You then are supposed to use an init script to set the ones you want to on, and then set grsec_lock to 1, which will prevent any sysctl options from being changed (even by root).
If you don't enable sysctl support in the kernel, then all options you chose to compile in are turned on all the time and cannot be disabled.
There are one or two options which do not have a sysctl option (check their configure help text) and these will always be enabled whether sysctl support is on or not (like PaX).
Only recent version of grsecurity work this way - 1.9.5 defaulted to 1 even with sysctl enabled, as smith saw.
Hope this clears up any confusion!
Torne
Posted:
Fri Sep 13, 2002 2:36 pmby decoder
jepp, it does indeed :D thank you very much. but I think, a readme should be shipped with grsecurity, so things like that are clearly stated in there.
thnx and cu
decoder
Posted:
Sat Sep 14, 2002 10:50 amby msi
do you really need to set grsec_lock to 1.
if you have grsec with gradm -E enabled you
can't change the data there even as root.
Posted:
Sat Sep 14, 2002 11:59 amby torne
Technically, no, if the ACL system is protecting it. In practise, do set grsec_lock unless you anticipate really needing to change those settings at runtime. It's an extra layer of protection in case of some problem.
Not locking the settings gives you the ability to change them at runtime using admin mode.
Torne
Posted:
Sat Sep 14, 2002 12:12 pmby msi
but if somebody's using admin mode it doesnt matter whether he changes
settings or not, he can do everything.
Posted:
Sun Sep 15, 2002 11:10 amby torne
No - you still cannot change the settings in admin mode if grsec_lock is on. I'm not suggesting this as a security measure in case someone gets admin mode (because you're stuffed if that happens) - I'm suggesting it in case there is a problem with your ACLs or something similar which allows some non-admin mode access to /proc/sys/kernel/grsecurity.
Torne
Posted:
Sun Sep 15, 2002 12:24 pmby spender
the reason why it defaults to off is because of the gid-based features. If you set it to a specific value in the kernel, it will use that every time at boot until you change it. You might need something to run with that gid before you set the sysctl entries, so it would cause problems. The lock was really designed for people not using the acl system (as it was designed when we had no acl system) By default the acl system protects everything in /proc/sys, and there shouldn't be any program that needs to access that.
-Brad