grsecurity forums

by **smith** » Tue Aug 06, 2002 11:35 am

hello,
i just noticed that in grsec 1.9.6 the default values of the options in /proc/sys/kernel/grsecurity is "0", in 1.9.5 it was "1" ... i was confused a short time but just wrote a init script for it ...

i didnt have any of the other problems other ppl just posted.

philipp

by **decoder** » Fri Sep 13, 2002 11:50 am

do i have to echo 1 > /proc/sys/kernel/grsecurity/function to enable the function for every function i want? i thought the grsecurity functions are enabled by default. (?) *confused* :P

by **torne** » Fri Sep 13, 2002 12:56 pm

If you enable sysctl support in the kernel, then all options default to off.
You then are supposed to use an init script to set the ones you want to on, and then set grsec_lock to 1, which will prevent any sysctl options from being changed (even by root).

If you don't enable sysctl support in the kernel, then all options you chose to compile in are turned on all the time and cannot be disabled.

There are one or two options which do not have a sysctl option (check their configure help text) and these will always be enabled whether sysctl support is on or not (like PaX).

Only recent version of grsecurity work this way - 1.9.5 defaulted to 1 even with sysctl enabled, as smith saw.

Hope this clears up any confusion!

Torne

by **decoder** » Fri Sep 13, 2002 2:36 pm

jepp, it does indeed :D thank you very much. but I think, a readme should be shipped with grsecurity, so things like that are clearly stated in there.

thnx and cu
decoder

by **msi** » Sat Sep 14, 2002 10:50 am

do you really need to set grsec_lock to 1.
if you have grsec with gradm -E enabled you
can't change the data there even as root.

by **torne** » Sat Sep 14, 2002 11:59 am

Technically, no, if the ACL system is protecting it. In practise, do set grsec_lock unless you anticipate really needing to change those settings at runtime. It's an extra layer of protection in case of some problem.

Not locking the settings gives you the ability to change them at runtime using admin mode.

Torne

by **msi** » Sat Sep 14, 2002 12:12 pm

but if somebody's using admin mode it doesnt matter whether he changes
settings or not, he can do everything.

by **torne** » Sun Sep 15, 2002 11:10 am

No - you still cannot change the settings in admin mode if grsec_lock is on. I'm not suggesting this as a security measure in case someone gets admin mode (because you're stuffed if that happens) - I'm suggesting it in case there is a problem with your ACLs or something similar which allows some non-admin mode access to /proc/sys/kernel/grsecurity.

Torne

by **spender** » Sun Sep 15, 2002 12:24 pm

the reason why it defaults to off is because of the gid-based features. If you set it to a specific value in the kernel, it will use that every time at boot until you change it. You might need something to run with that gid before you set the sysctl entries, so it would cause problems. The lock was really designed for people not using the acl system (as it was designed when we had no acl system) By default the acl system protects everything in /proc/sys, and there shouldn't be any program that needs to access that.

-Brad