grsecurity forums

[phlack]

I was reviewing the symlink attack protection afforded by a couple different products and I noticed some similarities between this setting and Cloudlinux' SecureLinks. My question: Is it necessary to set this enforce_symlinksifowner equal to 2 when using mod_ruid2?

http://docs.cloudlinux.com/index.html?securelinks.html

I'm working on a script to detect protections and this is a piece of it I need to verify.

Thanks!!

[spender]

The reason why "CloudLinux SecureLinks" looks very similar to grsecurity's feature is they copied it verbatim from grsecurity (while of course renaming it so it looks like they designed it) and added the trivial check of gid > someval for the enforce_symlinksifowner == 2 case.

I'm not a user of mod_ruid2 so I don't know if this == 2 case is necessary. No user has reported it to me, but if it's necessary as I mentioned it's a very trivial change.

-Brad

[phlack]

That was what I was thinking. It didn't seem like it would even make that large of a difference. I'd like to hear from someone that's tried mod_ruid2 with grsec's standard settings to see if it works well with "1". I haven't been able to find any information on it. So, my thinking was that there was only some edge case this might have been added for if for any reason at all. Beyond that, it seemed to me as if there was probably no significant code level difference. I appreciate your time. I'm really liking how grsec does things. This is my first experience with it, and, hopefully, I'll be able to work with it some more.