Newbie question - root user and grsecurity

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Newbie question - root user and grsecurity

Postby DirtyHarry » Tue Feb 06, 2007 10:41 pm

I am sorry to bother with a stupid question.

I have finally decided to try grsec on my remotely hosted machine running RHEL 4.

I read the quickstart guide, and I arrived to the point in which I was told not to run any command as root during learning mode. This is obvious, but what I do not understand is - after the learning phase, how will I be able to admin my machine if even the root user will be limited? What am I missing?

Thanks and sorry again for the newbieish question!
DirtyHarry
 
Posts: 11
Joined: Thu Jan 18, 2007 2:31 pm

Role Admin

Postby hmhansolo » Tue Feb 06, 2007 11:51 pm

Hello,
FYI. You can learn this from reading the forums/docs/example config...

But, basically, you have this thing called special roles. So, you can create an authenticated special role called admin. Then you give a password to this role. You can then allow the admin role to do everything.

That way, when you are root, you won't be able to do much, except to use gradm. Using gradm, you login as the role admin with the required password. Then, you should be able to do everything.

To figure out the actual details to do the above, please look in the example config, `gradm --help`, the docs, and the forums..

Thanks.
hmhansolo
 
Posts: 32
Joined: Mon Jan 10, 2005 9:15 pm

Roles Addendum

Postby hmhansolo » Tue Feb 06, 2007 11:54 pm

FYI. If you are highly paranoid.. you can actually create a role called admin, and do learning on that role. Then you can do stuff that you would normally do as admin like `/etc/init.d/XXX start`, etc... and then use gradm to create a policy for the admin role using the learning log.

That way you can give the admin enough priveleges to do what is needed, but not enuff for a bad program or trojan to mess up your system.


If you are further paranoid or working on a multi-admin system, you can create multiple roles.. for different admining needs..

an admin role for mysql, an admin role for apache, an admin role for checking logs, etc... each with their own passwords and their own acls... the acl's will restrict each role to do only what that role is required to do..

fantastic, eh?

--hmhansolo
hmhansolo
 
Posts: 32
Joined: Mon Jan 10, 2005 9:15 pm

Postby DirtyHarry » Wed Feb 07, 2007 3:50 pm

Thanks a lot! I am going to try grsecurity soon then, I will probably just wait for a patch for the latest kernel!
DirtyHarry
 
Posts: 11
Joined: Thu Jan 18, 2007 2:31 pm


Return to grsecurity support

cron