Startup script to set PaX perms.

PostPosted: Wed Nov 12, 2014 9:39 pm
by mikeeusa2
http://pastebin.ca/2852871

Might be useful if you're setting up a box and don't want to be bothered finding it out yourself programme by programme

Code:
#!/bin/sh
### BEGIN INIT INFO
# Provides:          stupfc
# Required-Start:
# Required-Stop:
# Default-Start:
# Default-Stop:
# Short-Description: Sets permissions for PAX sensitive programs
# Description:
### END INIT INFO
/bin/echo "Starting Stupf-client script"
/sbin/bastille-netfilter start
chmod 755 /usr/bin/ssh
chmod 755 /usr/bin/scp
#mount /usr -o remount,rw
# Setuid tools and su/sudo: owned by root, group r00t, mode 4750
# (setuid root, group may run it, no access at all for "other").
chown root:r00t /usr/bin/nmap
chmod 4750 /usr/bin/nmap
chown root:r00t /usr/bin/traceroute
chmod 4750 /usr/bin/traceroute
chown root:r00t /usr/bin/mtr
chmod 4750 /usr/bin/mtr
chown root:r00t /usr/bin/traceproto
chmod 4750 /usr/bin/traceproto
chown root:r00t /bin/su
chmod 4750 /bin/su
chown root:r00t /bin/sudo
chmod 4750 /bin/sudo
chown root:r00t /bin/ping
chmod 4750 /bin/ping
chown root:r00t /bin/ping6
chmod 4750 /bin/ping6
chown root:r00t /bin/mount
chmod 4750 /bin/mount
chown root:r00t /bin/mount.*
chmod 4750 /bin/mount.*
chown root:r00t /bin/umount
chmod 4750 /bin/umount
chown root:r00t /bin/umount.*
chmod 4750 /bin/umount.*
chown root:r00t /
chmod u=rwx /
chmod g=rx /
chmod o=x /
chown root:r00t /home
chmod u=rwx /home
chmod g=rx /home
chmod o=x /home
chown root:r00t /etc
chmod u=rwx /etc
chmod g=rx /etc
chmod o=x /etc
modprobe fuse
#mount /usr -o remount,ro

/bin/echo "Making /var/log/ directories and files for Tor"
# -p so the script stays idempotent across reboots (the directory already exists after the first run)
mkdir -p /var/log/tor
chown debian-tor:r00t /var/log/tor

chmod u=rwx /var/log/tor
chmod g=rx /var/log/tor
chmod o= /var/log/tor

touch /var/log/tor/log
chown debian-tor:r00t /var/log/tor/log
chmod 740 /var/log/tor/log


# chpax flag letters: lowercase disables a feature, uppercase enables it:
#   p/P PAGEEXEC, e/E EMUTRAMP, m/M MPROTECT, r/R RANDMMAP, x/X RANDEXEC, s/S SEGMEXEC
/sbin/chpax -p /etc/X11/X
/sbin/chpax -pms /usr/games/q3map2
/sbin/chpax -pms /usr/games/q3map2.big
/sbin/chpax -pms /usr/games/q3map2.bigvis
/sbin/chpax -pms /usr/games/q3map2.bigvisdivpatched
/sbin/chpax -pms /usr/games/q3map2.bigvisdivpatchedmoreplanes
/sbin/chpax -pms /usr/games/q3map2.bigvisdivpatchedmoreplanes2
/sbin/chpax -pms /usr/games/q3map2.bigvisdivpatchedmoreplanes2moresurfaceverts
/sbin/chpax -pms /usr/games/q3map2.big-vis-tjunc-ent
/sbin/chpax -pms /usr/games/q3map2.normal
/sbin/chpax -pms /usr/games/q3map2.x86
/sbin/chpax -p /usr/games/tdfsb
/sbin/chpax -p /usr/bin/timidity
/sbin/chpax -m /usr/bin/vba
/sbin/chpax -p /usr/bin/VisualBoyAdvance
/sbin/chpax -p /usr/bin/gij-4.1
/sbin/chpax -p /usr/games/neverball
/sbin/chpax -p /usr/games/neverputt
/sbin/chpax -p /usr/bin/gmplayer
/sbin/chpax -p /usr/lib/openoffice/program/*
/sbin/chpax -p /usr/bin/sweep
/sbin/chpax -p /usr/bin/muse
/sbin/chpax -p /usr/bin/ogg123
/sbin/chpax -p /usr/bin/oggenc
/sbin/chpax -p /usr/share/games/vultureseye/vultureseye
/sbin/chpax -p /usr/share/games/vulturesclaw/vulturesclaw
/sbin/chpax -rm /usr/lib/iceape/iceape-bin
/sbin/chpax -rm /usr/lib/iceweasel/firefox-bin
/sbin/chpax -r /usr/lib/xulrunner-8.0/plugin-container
/sbin/chpax -r /usr/lib/xulrunner*/plugin-container
/sbin/chpax -r /usr/bin/gtk-gnash
/sbin/chpax -pmrxs /usr/sbin/grub-setup
/sbin/chpax -pmrxs /usr/sbin/grub-probe
/sbin/chpax -pmrxs /usr/sbin/grub-mkdevicemap
/sbin/chpax -m /usr/bin/xlock
/sbin/chpax -m /usr/bin/xlockmore
/sbin/chpax -m /usr/bin/galeon
/sbin/chpax -m /home/r00t/stuff/gtkradiant/NetRadiant/install/radiant.x86
/sbin/chpax -psr /home/r00t/tor-browser_en-US/App/Firefox/firefox
/sbin/chpax -psr /home/r00t/tor-browser_en-US/App/Firefox/firefox-bin
/sbin/chpax -psr /home/r00t/newtor-browser_en-US/tor-browser_en-US/Browser/firefox
/sbin/chpax -spEmrx /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/java
/sbin/chpax -m /usr/lib32/wine-unstable/wine-preloader
/sbin/chpax -pemrxs /usr/bin/grub-script-check
/sbin/chpax -ps /usr/bin/wireshark

/bin/echo "Freeing GCC from PAX shackles"
/sbin/chpax -pemrxs /usr/bin/make
/sbin/chpax -pemrxs /usr/bin/g++
/sbin/chpax -pemrxs /usr/bin/g++-4.1
/sbin/chpax -pemrxs /usr/bin/g++-4.4
/sbin/chpax -pemrxs /usr/bin/g++-4.4.4
/sbin/chpax -pemrxs /usr/bin/g++-4.6
/sbin/chpax -pemrxs /usr/bin/gcc
/sbin/chpax -pemrxs /usr/bin/gcc-3.4
/sbin/chpax -pemrxs /usr/bin/gcc-4.1
/sbin/chpax -pemrxs /usr/bin/gcc-4.4
/sbin/chpax -pemrxs /usr/bin/gcc-4.4.4
/sbin/chpax -pemrxs /usr/bin/gcc-4.6
/sbin/chpax -pemrxs /usr/lib/gcc/*/*/cc1
/sbin/chpax -pemrxs /usr/lib/gcc/*/*/cc1plus
/sbin/chpax -pemrxs /usr/lib/gcc/*/*/collect2
/sbin/chpax -pemrxs /usr/lib/gcc/i486-linux-gnu/3.4.6/cc1
/sbin/chpax -pemrxs /usr/lib/gcc/i486-linux-gnu/4.1.2/cc1
/sbin/chpax -pemrxs /usr/lib/gcc/i486-linux-gnu/4.4/cc1
/sbin/chpax -pemrxs /usr/lib/gcc/i486-linux-gnu/4.4.4/cc1
/sbin/chpax -pemrxs /usr/lib/gcc/i486-linux-gnu/3.4.6/cc1plus
/sbin/chpax -pemrxs /usr/lib/gcc/i486-linux-gnu/4.1.2/cc1plus
/sbin/chpax -pemrxs /usr/lib/gcc/i486-linux-gnu/4.4/cc1plus
/sbin/chpax -pemrxs /usr/lib/gcc/i486-linux-gnu/4.4.4/cc1plus
/sbin/chpax -pemrxs /usr/lib/gcc/i486-linux-gnu/3.4.6/collect2
/sbin/chpax -pemrxs /usr/lib/gcc/i486-linux-gnu/4.1.2/collect2
/sbin/chpax -pemrxs /usr/lib/gcc/i486-linux-gnu/4.4/collect2
/sbin/chpax -pemrxs /usr/lib/gcc/i486-linux-gnu/4.4.4/collect2

/sbin/chpax -pemrxs /usr/local/bin/ld
/sbin/chpax -pemrxs /usr/bin/ld
/sbin/chpax -pemrxs /usr/bin/ld86
/sbin/chpax -pemrxs /usr/bin/ldrdf
/sbin/chpax -pemrxs /usr/bin/ldd
/sbin/chpax -pemrxs /usr/bin/lddlibc4
/sbin/chpax -pemrxs /usr/bin/gdb
/bin/echo "Finished Freeing GCC from PAX shackles"

/bin/echo "Finished Stupf-client script"

Re: Startup script to set PaX perms.

PostPosted: Thu Nov 20, 2014 8:45 pm
by mikeeusa2
Another to add to the pile:

/sbin/chpax -m /usr/bin/mono

Re: Startup script to set PaX perms.

PostPosted: Wed Dec 03, 2014 11:07 am
by jlambrecht
Just a n00b to grsec but i'd like to learn by discussion.

IMHO this approach mostly overlaps with the implementation of an evolved grsec policy.
IMHO PaX flags survive reboots, right? Arbitrary changes to previously set permissions should not happen; also think of a grsec policy to enforce them.
IMHO securely log the permissions for the files concerned to a secure log destination at boot, validate them there, and take action and report based on these checks.

Re: Startup script to set PaX perms.

PostPosted: Sun Dec 07, 2014 11:45 am
by Dwokfur
jlambrecht wrote:Just a n00b to grsec but i'd like to learn by discussion.

IMHO this approach mostly overlaps with the implementation of an evolved grsec policy.
IMHO PaX flags survive reboots, right? Arbitrary changes to previously set permissions should not happen; also think of a grsec policy to enforce them.
IMHO securely log the permissions for the files concerned to a secure log destination at boot, validate them there, and take action and report based on these checks.


There are two ways to store PaX flags for a binary. Traditional way: PT_PAX, stored along with the binary; requires modification of the toolchain to produce a suitable ELF. Upcoming way: XATTR_PAX, flags stored as an extended attribute; requires a file system with EA support, and all archive tools should take care of the EA as well. These flags are stored on the HDD, so PaX flags should survive reboots.

As you've already mentioned, PaX flags can also be toggled by loading a grsecurity policy in which you define them for a given binary. I'm not sure whether in this case the flag applies only for the role you've set the flag for, or for every role. There's also a precedence structure; I can't remember right now which one takes precedence over the other (policy vs PT vs XATTR). It has been mentioned somewhere.

If you update a package which overwrites a binary you've set a PaX flag on previously, you have to reapply your flags on the binary.

Note that chpax is very outdated. Paxctl is also obsolete. Please use paxctl-ng.

BR: Dw.

Re: Startup script to set PaX perms.

PostPosted: Mon Dec 15, 2014 3:50 am
by jlambrecht
Thanks for the insightful comment. I'll check up on paxctl-ng again.

Honestly, where do I get paxctl-ng? No sources are to be found.

Re: Startup script to set PaX perms.

PostPosted: Mon Dec 15, 2014 4:28 am
by jlambrecht
Just spent quite a bit of time searching for the vanilla source for paxctl-ng; it is nowhere to be found. I could install a VM, install Gentoo and emerge from there, but that is honestly too bizarre for me. It would be awesome if this were available from the grsecurity.net page.

Re: Startup script to set PaX perms.

PostPosted: Mon Dec 15, 2014 4:58 am
by jlambrecht
paxctl v0.9 2014.09.02 19:50 GMT new PaX control program when you use the PT_PAX_FLAGS marking available in PaX patches after 2004.02.04 (highly recommended). supports alpha, i386, ia64, mips, mips64, parisc, ppc, ppc64, sparc, sparc64 and x86_64.

Why would I need paxctl-ng, which does not seem to be supported by any distro but Gentoo? Though that could be a merit rather than a downside.

Re: Startup script to set PaX perms.

PostPosted: Tue Dec 16, 2014 1:49 pm
by PaX Team
paxctl-ng is part of the elfix package: http://dev.gentoo.org/~blueness/elfix/ . Other than that, paxctl itself is not obsolete at all; I still maintain it and it is the canonical tool to manage PT_PAX_FLAGS. paxctl-ng was written to ease the transition between the ELF header marking and xattrs; if you only use one or the other (as recommended) then you'll only need paxctl or setfattr/getfattr from the attr package.
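A worked example added to this thread (not the original poster's script, and not part of paxctl, elfix or attr) that puts the points above together: the markings are kept in one manifest instead of a list of chpax calls, they are applied with the tools PaX Team names (paxctl for PT_PAX_FLAGS, setfattr/getfattr for the user.pax.flags xattr), every marking is read back and compared after it is written, and a separate check mode reports drift without touching anything, which is the boot-time validation jlambrecht asked for and the re-apply-after-upgrade step Dwokfur warned about. Assumptions: the manifest path /etc/pax-flags.conf is made up for the example; the parsing of `paxctl -v` output relies on its "- PaX flags:" line, whose exact format is assumed here; the flag letters are the chpax/paxctl ones (lowercase disables, uppercase enables).

```shell
#!/bin/sh
# pax-marks.sh: declarative PaX markings with read-back verification.
# Added example for this thread; not the OP's script, not part of paxctl/elfix/attr.
#
# Manifest format (one binary per line, '#' comments allowed), e.g.:
#   /usr/bin/gcc       pemrxs
#   /usr/bin/wireshark ps
# Letters: p/P PAGEEXEC, e/E EMUTRAMP, m/M MPROTECT, r/R RANDMMAP,
#          x/X RANDEXEC, s/S SEGMEXEC (lowercase disables, uppercase enables).

PAX_MANIFEST="${PAX_MANIFEST:-/etc/pax-flags.conf}"   # assumed path, not a real default
PAX_MODE="${PAX_MODE:-xattr}"                          # xattr (user.pax.flags) or pt (PT_PAX_FLAGS)
LC_ALL=C
export LC_ALL

# Canonical form of a flag string: keep only the twelve valid letters and sort
# them, so "pemrxs" and "mperxs" compare equal.
pax_normalize() {
    printf '%s' "$1" | tr -cd 'pPeEmMrRxXsS' | fold -w1 | sort | tr -d '\n'
}

# 0 if both flag strings mean the same marking, 1 otherwise.
pax_flags_equal() {
    [ "$(pax_normalize "$1")" = "$(pax_normalize "$2")" ]
}

# 0 unless the string both enables and disables one feature (e.g. "pP").
pax_flags_consistent() {
    f=$(pax_normalize "$1")
    for pair in pP eE mM rR xX sS; do
        lo=${pair%?}; hi=${pair#?}
        case "$f" in *"$lo"*) case "$f" in *"$hi"*) return 1 ;; esac ;; esac
    done
    return 0
}

# Current marking of a file as a flag string; empty when unmarked or unreadable.
# Assumption: `paxctl -v` prints "- PaX flags: <12 chars> [path]", letters at
# their positions and '-' elsewhere, so stripping '-' leaves the flag letters.
pax_current() {
    case "$PAX_MODE" in
        xattr) getfattr --absolute-names --only-values -n user.pax.flags "$1" 2>/dev/null ;;
        pt)    paxctl -v "$1" 2>/dev/null | sed -n 's/^- PaX flags: \([^ ]*\).*/\1/p' | tr -d '-' ;;
    esac
}

# Write one marking, then read it back; 1 when the read-back differs.
pax_apply() {
    path=$1; want=$2
    [ -f "$path" ] || { echo "skip (missing): $path"; return 0; }
    case "$PAX_MODE" in
        xattr) setfattr -n user.pax.flags -v "$(pax_normalize "$want")" "$path" ;;
        pt)    paxctl -c -"$want" "$path" ;;   # -c converts PT_GNU_STACK into PT_PAX_FLAGS first
    esac
    got=$(pax_current "$path" || true)
    if pax_flags_equal "$want" "$got"; then
        echo "ok: $path $got"
    else
        echo "MISMATCH: $path wanted [$want] got [$got]" >&2
        return 1
    fi
}

# Apply every manifest entry; non-zero exit if any binary ends up mis-marked.
pax_apply_manifest() {
    rc=0
    while read -r path flags _; do
        case "$path" in ''|\#*) continue ;; esac
        [ -n "$flags" ] || { echo "no flags for $path" >&2; rc=1; continue; }
        pax_flags_consistent "$flags" || { echo "bad flags for $path: $flags" >&2; rc=1; continue; }
        pax_apply "$path" "$flags" || rc=1
    done < "$1"
    return $rc
}

# Audit only: report drift (e.g. a package upgrade replaced the binary) and change nothing.
pax_check_manifest() {
    rc=0
    while read -r path flags _; do
        case "$path" in ''|\#*) continue ;; esac
        [ -f "$path" ] || continue
        got=$(pax_current "$path" || true)
        pax_flags_equal "$flags" "$got" || { echo "DRIFT: $path wanted [$flags] got [$got]"; rc=1; }
    done < "$1"
    return $rc
}

case "${1:-}" in
    apply) pax_apply_manifest "$PAX_MANIFEST" ;;
    check) pax_check_manifest "$PAX_MANIFEST" ;;
esac
```

Run `pax-marks.sh apply` from the init script (or from a DPkg::Post-Invoke entry in /etc/apt/apt.conf.d on a Debian box, so markings are re-applied right after an upgrade overwrites a binary) and `pax-marks.sh check` from cron or a boot hook, piping its DRIFT lines to the remote log destination. Two caveats for the choice of PAX_MODE: `paxctl -c` rewrites the ELF program headers in place, so package checksum tools will flag the binary as modified; the xattr marking leaves the file content untouched but, as noted above, is only as durable as the file system and the backup/archive tools' handling of extended attributes.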