grsecurity forums

[evilangel]

Hi all,

After setting up the admin password with gradm:
gradm -P
the file /etc/grsec/pw is generated.
However, this file is readable by root.

Finally, how gradm protects its own secret against corruption ?

Thanks

[spender]

With the RBAC system disabled, you have more to worry about than just the /etc/grsec/pw file being readable as root.
When the RBAC system is enabled, however, here are just a few of the ways:
The /etc/grsec/pw file is protected by default when the RBAC system is enabled through enforced policy rules (you won't be able to load a policy if a default subject is able to read /etc/grsec/pw).
Even gradm itself when the RBAC system is enabled is disallowed from accessing anything in /etc/grsec.
Password entry attempts are rate limited and denials are logged.
Modifications to /etc/grsec/pw even by an admin role while the RBAC system is enabled don't affect the current password set that exists in kernel memory.
Checks are made for terminal sniffers before any password prompt is given.
No process started by anyone else logged in as you will be able to ptrace your processes.
/root is enforced to be non-writable by default subjects as well, to prevent tampering with shell configuration (modification of your PATH, etc).

-Brad

[evilangel]

Thanks for these precious information.

[spender]

I should also add the learning mode of the RBAC system will automatically generate policies that keep files in /etc/grsec protected from reading or modification.

-Brad