
Limit ps list on a P-III Dual 733 Coppermine !

Posted: Fri Dec 30, 2005 11:10 am
by tziku
Hello, I want to limit the ps list per user. I want every user to see their own processes. I have Fedora Core 4 with "2.6.14-1.1653_FC4smp #1 SMP Tue Dec 13 21:46:01 EST 2005 i686 i686 i386 GNU/Linux". Sorry for my English.

Posted: Fri Dec 30, 2005 11:42 am
by Raf256
Grsecurity does that by default. You need to:

0) Some distros have kernel images WITH grsecurity already included; try searching your distro install for a kernel with grsec

If not, then let's do it the real man/hacker way:

1) Learn how to build your own kernel
a) http://www.kernel.org - find the source of 2.6.14.3 smp
b) download it, for example:
go to ftp://ftp.kernel.org/pub/linux/kernel/v2.6/
and grab the linux-2.6.14.3.tar.bz2 and SAMENAME.sign files to hdd (about 30-40 MB)
c) verify the download by doing: gpg NAMEOFFILE.sign; you can also do gpg --recv-key KEYID, where KEYID is the 0xsomething printed out before
d) unpack (bunzip, tar -xf)
e) configure using: make menuconfig or make xconfig or similar. Take time to do it correctly. DO NOT FORGET to build IN (not as modules!) needed stuff like support for your hard discs (including EHCI and stuff) and file systems, otherwise the system will not boot at all. Configure it correctly (SMP mode, proper CPU type)
f) make && make install and perhaps update grub / lilo
g) reboot. If it does not work, go back to e) and seek help with configuring.
Perhaps you have to rebuild/reinstall some drivers; for example, I had to do so with nvidia

2) Apply grsecurity
a) grab from http://www.grsecurity.net/~spender/ the grsecurity- tar.gz
b) back up your kernel sources & compilation
c) unpack the 2.6.14.3 kernel source again somewhere
d) unpack spender's grsecurity patch
e) apply the patch using something like cat ../grsecurity-SOMETHING | patch -p 0 or -p 1 -p 2 while being in the kernel sources dir and having the unpacked patch in ../
f) configure (copy the .config from the backed-up no-grsec kernel to save you work) - only change the grsecurity options; they are at the end of the config
g) there is also an option about the ps / process viewing
h) set other options to be rather "free", non-restrictive (turn them off), like RBAC and PaX (perhaps for now)
i) also build as previously and test the kernel

In addition to hiding ps, randomizing PIDs and network ports is also nice

Good luck, it will probably take a few hours, or sometimes days for newbies, but don't worry :)

Posted: Sat Dec 31, 2005 6:04 pm
by Kp
Minor point, but why're you catting the file just to pipe it to patch? Just run "patch -pX < ../grsecurity.patch" (for appropriate X and path) instead. Fewer processes and less typing. ;-)

Little problem !

Posted: Tue Jan 03, 2006 12:32 pm
by tziku
[root@FrancoShells ps]# ./grsecurity-glibc-2.3.3-rc1.patch | patch -p 0 or -p 1 -p 2
diff: glibc-2.3.3-virgin/argp/argp-help.c: No such file or directory
diff: glibc-2.3.3/argp/argp-help.c: No such file or directory
./grsecurity-glibc-2.3.3-rc1.patch: line 2: ---: command not found
./grsecurity-glibc-2.3.3-rc1.patch: line 3: +++: command not found
./grsecurity-glibc-2.3.3-rc1.patch: line 4: @@: command not found
./grsecurity-glibc-2.3.3-rc1.patch: line 5: static: command not found
./grsecurity-glibc-2.3.3-rc1.patch: line 6: syntax error near unexpected token `const'
./grsecurity-glibc-2.3.3-rc1.patch: line 6: ` fill_in_uparams (const struct argp_state *state)'

& this


[root@FrancoShells ps]# patch -pX < ../grsecurity-glibc-2.3.3-rc1.patch
-bash: ../grsecurity-glibc-2.3.3-rc1.patch: No such file or directory
[root@FrancoShells ps]# patch -pX < ./grsecurity-glibc-2.3.3-rc1.patch
patch: **** strip count X is not a number

Re: Little problem !

Posted: Tue Jan 03, 2006 7:44 pm
by serek
tziku wrote:
[root@FrancoShells ps]# ./grsecurity-glibc-2.3.3-rc1.patch | patch -p 0 or -p 1 -p 2
diff: glibc-2.3.3-virgin/argp/argp-help.c: No such file or directory
diff: glibc-2.3.3/argp/argp-help.c: No such file or directory
./grsecurity-glibc-2.3.3-rc1.patch: line 2: ---: command not found
./grsecurity-glibc-2.3.3-rc1.patch: line 3: +++: command not found
./grsecurity-glibc-2.3.3-rc1.patch: line 4: @@: command not found
./grsecurity-glibc-2.3.3-rc1.patch: line 5: static: command not found
./grsecurity-glibc-2.3.3-rc1.patch: line 6: syntax error near unexpected token `const'
./grsecurity-glibc-2.3.3-rc1.patch: line 6: ` fill_in_uparams (const struct argp_state *state)'

& this


[root@FrancoShells ps]# patch -pX < ../grsecurity-glibc-2.3.3-rc1.patch
-bash: ../grsecurity-glibc-2.3.3-rc1.patch: No such file or directory
[root@FrancoShells ps]# patch -pX < ./grsecurity-glibc-2.3.3-rc1.patch
patch: **** strip count X is not a number


I think that you should learn something about Linux before you start serving shell accounts for abusers ;) Anyway.. first maybe teach yourself how to read examples. Greets and enjoy your learning.
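
Step 2e and the "strip count X is not a number" error above both come down to choosing the numeric -p value that matches how the patch's file paths relate to the directory you run patch in. The following is an added example, not written by any poster in this thread: it probes each level with a dry run so the source tree is never touched, and it also reports when a patch does not belong to the tree at all. It assumes GNU patch; find_strip_level and the file name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example. find_strip_level is a hypothetical helper, not a patch(1) feature.
# Usage: find_strip_level PATCHFILE SRCDIR
# Prints the lowest -p level (0..3) at which PATCHFILE applies cleanly inside
# SRCDIR. Only --dry-run is used, so SRCDIR is never modified.
# Returns 0 on success, 1 if no level fits, 2 on bad arguments.
find_strip_level() {
    patchfile=$1
    srcdir=$2
    [ -r "$patchfile" ] || { echo "cannot read patch: $patchfile" >&2; return 2; }
    [ -d "$srcdir" ] || { echo "not a directory: $srcdir" >&2; return 2; }
    # Make the patch path absolute because we cd into SRCDIR below.
    case $patchfile in
        /*) ;;
        *) patchfile=$PWD/$patchfile ;;
    esac
    for level in 0 1 2 3; do
        # -f: never prompt; -s: quiet; the subshell keeps our cwd unchanged.
        if (cd "$srcdir" && patch --dry-run -f -s -p"$level" < "$patchfile") \
                >/dev/null 2>&1; then
            echo "$level"
            return 0
        fi
    done
    echo "patch does not apply to $srcdir at -p0..-p3" >&2
    return 1
}

# Run as: sh find_strip.sh ../grsecurity-SOMETHING.patch .   (file name assumed)
if [ "$#" -eq 2 ]; then
    find_strip_level "$1" "$2"
fi
```

A non-zero return means the patch was made for a different source tree or version, and no -p value will fix that.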