Read only /root.
Posted: Thu Apr 03, 2003 7:06 am
This new restriction is very intrusive. I try and use as much a non-privaledged access as possible when doing system administration. By requiring it to be read only I have to go into gradm administration mode to do anything in the root directory. Isnt this counter productive from a security stand point to always be doing things at the lowest security level?
The path exploitation issue is valid but there must be some better way to work around this. Perhaps by requiring gradm to make sure its being invoked by a absolute path "/sbin/gradm" rather than just "gradm".
This would teach people of the vulnerability and require them to take countermeasures against it without raising 50 other issues by requiring /root to be read only.
That or simply modify grsecurity so that it will ONLY run a process named "gradm" when it is located in /sbin. Path/trojan issue fixed.
-TGK
The path exploitation issue is valid but there must be some better way to work around this. Perhaps by requiring gradm to make sure its being invoked by a absolute path "/sbin/gradm" rather than just "gradm".
This would teach people of the vulnerability and require them to take countermeasures against it without raising 50 other issues by requiring /root to be read only.
That or simply modify grsecurity so that it will ONLY run a process named "gradm" when it is located in /sbin. Path/trojan issue fixed.
-TGK