Special group

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby Defcon7 » Sat Aug 27, 2005 4:53 am

Hi all,
I'm using grsec on a production server with kernel 2.6.11.12. I need to allow a user (which runs cacti, an RRD tool) to view all processes, logged-in users and other user-hidden stuff.

I placed the user in the special group I defined in the kernel config (GRKERNSEC_PROC_USERGROUP), but the user is still unable to view all parameters. Is there something else to do? Reboot?


Regards,
Giacomo.
Defcon7
 
Posts: 4
Joined: Thu Jan 16, 2003 2:29 pm

Postby Defcon7 » Thu Aug 31, 2006 1:44 am

UP!

After a year I'm still having the same problem.
Now I'm running linux-2.6.17.8 and the special group gid is 112...
Code:
08:22:47 [root@spawn]:/usr/src/linux# uname -a
Linux spawn 2.6.17.8-grsec-nectarine #1 SMP Fri Aug 25 23:16:25 CEST 2006 i686 GNU/Linux
08:22:51 [root@spawn]:/usr/src/linux# grep PROC_GID .config
CONFIG_GRKERNSEC_PROC_GID=112
08:23:11 [root@spawn]:/usr/src/linux# sudo -u nagios id
uid=112(nagios) gid=112(nagios) groups=112(nagios)
08:23:22 [root@spawn]:/usr/src/linux# sudo -u nagios ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
nagios   10086  0.0  0.0   4036   712 pts/5    R+   08:23   0:00 ps aux
 



(a lil bit less) Regards,
Giacomo.
Defcon7
 
Posts: 4
Joined: Thu Jan 16, 2003 2:29 pm

Postby spender » Thu Aug 31, 2006 2:34 pm

Can you send me your .config? Are there any other modifications to the kernel other than grsec? I'm using the same configuration here with no problems. What does an ls -ald /proc/1 (as root) look like?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby spender » Fri Sep 01, 2006 5:50 pm

How were you able to enable both CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP in your config? It's not possible to enable both of these through make menuconfig, since enabling one disables your ability to even see the other option. Anyways, that's definitely the cause of your problem. Disable CONFIG_GRKERNSEC_PROC_USER.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby Defcon7 » Sat Sep 02, 2006 2:28 am

I've tried a fresh build of vanilla+the latest grsec and it is possible to select both options by default, selecting "Security level medium" enables CONFIG_GRKERNSEC_PROC_USERGROUP and it is still possible to check the box of CONFIG_GRKERNSEC_PROC_USER under Filesystem Protections.

Reading the help for both options they look complementary:

CONFIG_GRKERNSEC_PROC_USER:
If you say Y here, non-root users will only be able to view their own processes, and restricts them from viewing network-related information, and viewing kernel symbol and module information.

CONFIG_GRKERNSEC_PROC_USERGROUP:
If you say Y here, you will be able to select a group that will be able to view all processes, network-related information, and kernel and symbol information. This option is useful if you want to run identd as a non-root user.


CONFIG_GRKERNSEC_PROC_USERGROUP looks like a group override to the restrictions applied by CONFIG_GRKERNSEC_PROC_USER.

CONFIG_GRKERNSEC_PROC_USERGROUP doesn't say that it will hide processes and other info from non-root users, so it looks like a complement to CONFIG_GRKERNSEC_PROC_USERGROUP.


Anyway, I tried unchecking CONFIG_GRKERNSEC_PROC_USER and everything works fine.


Thank you for your help and your efforts in developing grsec.

Giacomo Di Ciocco.
Defcon7
 
Posts: 4
Joined: Thu Jan 16, 2003 2:29 pm
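
Added example, not part of the original thread and not grsecurity's own code: a shell check for the misconfiguration diagnosed above, where CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP are both set and the special group gets no exemption. The function names and verdict strings are hypothetical; the option names are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (assumption: function names and verdict words are made up here).
# usage: check_grsec_proc CONFIG_FILE "GID LIST"
#   e.g. check_grsec_proc /usr/src/linux/.config "$(id -G nagios)"
# Prints a one-word verdict; returns 0 only when the user should see all of /proc.

cfg_val() {
    # Print the value of option $2 in kernel config file $1 (empty if unset).
    # "# CONFIG_X is not set" lines never match, and the trailing "=" keeps
    # CONFIG_GRKERNSEC_PROC_USER from matching ..._PROC_USERGROUP.
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

check_grsec_proc() {
    cfg=$1
    gids=$2
    user_only=$(cfg_val "$cfg" CONFIG_GRKERNSEC_PROC_USER)
    usergroup=$(cfg_val "$cfg" CONFIG_GRKERNSEC_PROC_USERGROUP)
    gid=$(cfg_val "$cfg" CONFIG_GRKERNSEC_PROC_GID)

    if [ "$user_only" = y ] && [ "$usergroup" = y ]; then
        echo conflict        # both enabled: the case from this thread
        return 1
    fi
    if [ "$user_only" = y ]; then
        echo user-only       # restriction on, no group exemption configured
        return 2
    fi
    if [ "$usergroup" != y ]; then
        echo unrestricted    # neither /proc restriction is enabled
        return 0
    fi
    # Group exemption is active: is the user in CONFIG_GRKERNSEC_PROC_GID?
    for g in $gids; do
        if [ "$g" = "$gid" ]; then
            echo ok
            return 0
        fi
    done
    echo not-in-group
    return 3
}
```

Run it against the .config the running kernel was actually built from; a source tree that was reconfigured after the build will give a misleading verdict.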

