debian desktop

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Post by az86 » Tue Nov 10, 2009 7:08 pm

Is it possible to run grsec on a Debian desktop? I compiled grsec with high security and my GNOME doesn't start :(
az86
 
Posts: 2
Joined: Tue Nov 10, 2009 5:39 pm

Re: debian desktop

Post by specs » Wed Nov 11, 2009 1:46 am

It is possible to install grsecurity on a desktop; I have it working here on stable (Lenny) and unstable (Sid) PCs.

I haven't heard of specific problems with desktop managers yet. Gdm works without problem here, but I don't use the Gnome desktop manager myself.
A few hints to start:
- Before starting take the time to read all the comments in "make menuconfig" for all options. You probably need to select "custom" instead of "high security" for that purpose.
- If you don't read all the information make sure to at least read the QuickStart Guide from a to z (http://www.grsecurity.org/papers.php)
- Did you select "Disable privileged I/O"? (disable it for X).
- Did you change the group numbers? (The default group numbers used by Debian start at 1000, the special groups in grsecurity also start at 1000, I normally choose the special groups in the 200x numbers).
- Have you installed paxctl already (debian package available in usual repositories)?
- Check all the grsecurity options in sysctl, they are enabled by default but they can be altered until you set kernel.grsecurity.grsec_lock = 1 (last line in /etc/sysctl when you have a stable system).

If nothing works, disable the starting of gdm in runlevel 2 (/etc/rc2.d), start the PC and start gdm from the prompt as root.
When it fails, check dmesg and /var/log/Xorg.0.log for hints.

Grsecurity is known to possibly break applications. I suggest you configure your bootloader to start different versions of the kernel and start with low or medium security first. Instead of "high security" I usually choose "custom", but I think most high security options are enabled on my systems.
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am
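
The group-number and grsec_lock hints from the post above, as an added example that is not part of the original thread: a script that reports grsecurity special-group GIDs already in use in the group database, and whether the sysctl lock is set. The function names, the match on `CONFIG_GRKERNSEC_*GID=` lines in the kernel .config, and the sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-boot checks for a grsecurity kernel on a Debian desktop.
# All sample data below is constructed for the demonstration.

# grsec_gid_collisions KERNEL_CONFIG GROUP_FILE
# Prints "OPTION GID GROUPNAME" for every CONFIG_GRKERNSEC_*GID value in the
# kernel .config that is already assigned to a group in GROUP_FILE.
grsec_gid_collisions() {
    awk -F: '
        FILENAME == ARGV[1] {             # first file: the group database
            if ($0 !~ /^#/ && $3 != "") name[$3] = $1
            next
        }
        /^CONFIG_GRKERNSEC_[A-Z_]*GID=[0-9]+$/ {
            split($0, kv, "=")
            if (kv[2] in name) print kv[1], kv[2], name[kv[2]]
        }
    ' "$2" "$1"
}

# grsec_lock_state [DIR]
# Prints "locked", "unlocked", or "absent" (no grsecurity sysctl support).
# DIR defaults to /proc/sys/kernel/grsecurity, where kernel.grsecurity.* lives.
grsec_lock_state() {
    f="${1:-/proc/sys/kernel/grsecurity}/grsec_lock"
    [ -r "$f" ] || { echo absent; return 0; }
    if [ "$(cat "$f")" = "1" ]; then echo locked; else echo unlocked; fi
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed group file: ordinary groups numbered from 1000 upward.
    printf 'root:x:0:\nusers:x:100:\naz:x:1000:\nbob:x:1001:\n' > "$d/group"
    # Constructed .config excerpt: one GID left near 1000, one moved to 200x.
    printf 'CONFIG_GRKERNSEC_PROC_GID=1001\nCONFIG_GRKERNSEC_TPE_GID=2005\n' \
        > "$d/config"
    echo "GID collisions:"
    grsec_gid_collisions "$d/config" "$d/group"
    echo "grsec_lock: $(grsec_lock_state "$d")"
    rm -rf "$d"
}
demo
```

On a real system, pass the .config used for the build and /etc/group to `grsec_gid_collisions`, and call `grsec_lock_state` with no argument.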

Re: debian desktop

Post by Grach » Wed Nov 11, 2009 1:48 am

If specs' advice doesn't help, also use paxctl (or chpax) to set the -m flag on the Xorg binary - your video driver may require it to execute some code from the video BIOS.
Grach
 
Posts: 66
Joined: Thu Feb 05, 2009 11:15 pm

Re: debian desktop

Post by az86 » Wed Nov 11, 2009 7:58 am

Do I need to recompile if I check
Security options, Grsecurity, Sysctl support, Sysctl support & Turn on features by default
? Or how do I change it without recompiling?
az86
 
Posts: 2
Joined: Tue Nov 10, 2009 5:39 pm

Re: debian desktop

Post by specs » Wed Nov 11, 2009 1:08 pm

Without recompiling you could try to disable some options with sysctl.
However you'd still need to read all the documentation.
If sysctl does not work you need to recompile.

You might need to disable some or all pax-options for Xorg with paxctl.
But if the problem is really "Disable privileged I/O" I'm afraid you have to recompile.
Again and again, you'll have to read some documentation before you can improve your security.
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am

