grsecurity forums

[ethan@plaxo.com]

Why is their a certain set of rules that are required? Such as, if I only include:

Code: Select all

/ {
   / rwx
   /dev
   /boot h
   /etc/grsec h
}


Why does it not let me apply this ruleset? I could see printing warnings to the screen about how this isn't optimal, but why not allow it to happen anyway?

Thanks,
Ethan

[spender]

Because people would do just what you would have done. Continued to allow the system to be loaded. I've carefully selected what I enforced. Each is done for a reason: to ensure that you're not using the system in a way that would give a false sense of security.

-Brad

[ethan@plaxo.com]

Continued to allow the system to be loaded. I've carefully selected what I enforced.

I guess if I want to use a different subset, because there are different things that _I_ think are truely important I could use a different system. No knock at all, grsecurity is by far the best product I've tried.

Thanks.

[spender]

It's not a matter of what you think is important. What I'm telling you is fact. If you were to use the system without having those base restrictions in there, you're just fooling yourself as to the security of the system. I try in the error messages to give at least some reason why you need those things enforced, but there are many more reasons.

Though definitely, if you want a false sense of security, there are many other systems out there that can give you that.

-Brad

[ethan@plaxo.com]

Though definitely, if you want a false sense of security, there are many other systems out there that can give you that.

At least one of the mandatory rules doesn't apply globally. We don't allow 'su' on our systems, only sudo. Our systems also don't have heads on them so console login isn't viable. So root's environment isn't of consequence, as such the restriction on /root being read-only doesn't apply. That's what I meant by "what I believe to be needed".

We usually use the /root directory to store certain files (such as installation packages) that we install on a given system. This policy can and will have to be changed.

Thanks,
Ethan

[spender]

Whether you have console access or not is irrelevant. Were you aware that an attacker can completely subvert the security of the system by modifying your shell configurations in /root, so that you execute a trojaned gradm, for example, giving them the authentication password?

-Brad

[spender]

Also, software installation should be done through administration mode. It would be silly to set up the ACL system in such a way that anyone with root could modify binaries on the system.

-Brad

[ethan@plaxo.com]

The /root shell configuration isn't used is my point. So they can subvert it all they want and it will be of no regard. We don't have any sbin directories in our path, so we are forced to execute things like:

/sbin/gradm
-or-
/sbin/ifconfig

Also software installation isn't being done as a non-root user, it's simply a nice storage area that is out of reach of non-root users, due to Unix filesystem permissions.

I'm done with this topic. I'm going to move our software somewhere else, no big deal.
Thanks for your time.