/proc/sys/kernel/grsecurity

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

/proc/sys/kernel/grsecurity

Postby smith » Tue Aug 06, 2002 11:35 am

hello,
i just noticed that in grsec 1.9.6 the default values of the options in /proc/sys/kernel/grsecurity is "0", in 1.9.5 it was "1" ... i was confused a short time but just wrote a init script for it ...

i didnt have any of the other problems other ppl just posted.

philipp
smith
 
Posts: 6
Joined: Thu Apr 25, 2002 3:30 am

Postby decoder » Fri Sep 13, 2002 11:50 am

do i have to echo 1 > /proc/sys/kernel/grsecurity/function to enable the function for every function i want? i thought the grsecurity functions are enabled by default. (?) *confused* :P
decoder
 
Posts: 8
Joined: Sat Sep 07, 2002 10:08 pm

Postby torne » Fri Sep 13, 2002 12:56 pm

If you enable sysctl support in the kernel, then all options default to off.
You then are supposed to use an init script to set the ones you want to on, and then set grsec_lock to 1, which will prevent any sysctl options from being changed (even by root).

If you don't enable sysctl support in the kernel, then all options you chose to compile in are turned on all the time and cannot be disabled.

There are one or two options which do not have a sysctl option (check their configure help text) and these will always be enabled whether sysctl support is on or not (like PaX).

Only recent version of grsecurity work this way - 1.9.5 defaulted to 1 even with sysctl enabled, as smith saw.

Hope this clears up any confusion!

Torne
torne
 
Posts: 54
Joined: Mon Aug 12, 2002 12:52 pm

Postby decoder » Fri Sep 13, 2002 2:36 pm

jepp, it does indeed :D thank you very much. but I think, a readme should be shipped with grsecurity, so things like that are clearly stated in there.

thnx and cu
decoder
decoder
 
Posts: 8
Joined: Sat Sep 07, 2002 10:08 pm

Postby msi » Sat Sep 14, 2002 10:50 am

do you really need to set grsec_lock to 1.
if you have grsec with gradm -E enabled you
can't change the data there even as root.
msi
 
Posts: 29
Joined: Fri Sep 13, 2002 2:37 pm

Postby torne » Sat Sep 14, 2002 11:59 am

Technically, no, if the ACL system is protecting it. In practise, do set grsec_lock unless you anticipate really needing to change those settings at runtime. It's an extra layer of protection in case of some problem.

Not locking the settings gives you the ability to change them at runtime using admin mode.

Torne
torne
 
Posts: 54
Joined: Mon Aug 12, 2002 12:52 pm

Postby msi » Sat Sep 14, 2002 12:12 pm

but if somebody's using admin mode it doesnt matter whether he changes
settings or not, he can do everything.
msi
 
Posts: 29
Joined: Fri Sep 13, 2002 2:37 pm

Postby torne » Sun Sep 15, 2002 11:10 am

No - you still cannot change the settings in admin mode if grsec_lock is on. I'm not suggesting this as a security measure in case someone gets admin mode (because you're stuffed if that happens) - I'm suggesting it in case there is a problem with your ACLs or something similar which allows some non-admin mode access to /proc/sys/kernel/grsecurity.

Torne
torne
 
Posts: 54
Joined: Mon Aug 12, 2002 12:52 pm

Postby spender » Sun Sep 15, 2002 12:24 pm

the reason why it defaults to off is because of the gid-based features. If you set it to a specific value in the kernel, it will use that every time at boot until you change it. You might need something to run with that gid before you set the sysctl entries, so it would cause problems. The lock was really designed for people not using the acl system (as it was designed when we had no acl system) By default the acl system protects everything in /proc/sys, and there shouldn't be any program that needs to access that.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm


Return to grsecurity support

cron