LinuxQuestions.org
Old 09-23-2002, 09:39 PM   #1
tarballedtux
Member
 
Registered: Aug 2001
Location: Off the coast of Madadascar
Posts: 498

Rep: Reputation: 30
advantages of grsecurity?


When I came onto this site I noticed the release of the lq3 kernel. Now I read that grsecurity was put into it and I read up on it a little and thought to myself "Why would anyone really need this?" or at least why would a beginner need this. So could anyone kick me in the head and then explain this to me? I'd rather have a patch that hardened a lot of the default kernel's dumb stack overflow vulnerabilities, instead of an ACL system.

--tarballedtux





P.S. That stinks about your car Trickykid. Can you tell I'm bored.

Last edited by tarballedtux; 09-23-2002 at 09:41 PM.
 
Old 09-23-2002, 10:08 PM   #2
trickykid
Guru
 
Registered: Jan 2001
Posts: 24,133

Rep: Reputation: 199
Re: advantages of grsecurity?

Quote:
Originally posted by tarballedtux
P.S. That stinks about your car Trickykid. Can you tell I'm bored.
You must be bored then checking out my own site. Oh by the way, there is another thread about this same topic that jeremy replied to.
 
Old 09-24-2002, 05:48 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,543
Blog Entries: 54

Rep: Reputation: 2924
Re: advantages of grsecurity?

"Why would anyone really need this?" or at least why would a beginner need this.

Because it is the least painful option around to patch the kernel to enable your system to run with better security features (if configured well, of course). (note to self: put up annotated sysctl)

I'd rather have a patch that hardened alot of the default kernel's dumb stack overflow vulnerabilities. Instead of an ACL system.
Grsecurity isn't solely an ACL system. Read Documentation/Configure.help for the Grsecurity options.

Here's some curbing potential BO holes:
Openwall Non-executable Stack (STACK)
Deny your system from executing code on the stack leaving only a few other ways to try and exploit running code.

Full Address Space Layout Randomization (RANDMMAP)
Randomize address layout for programs per execution.

Deny access to /dev/kmem (KMEM)
Like it sez. See well-known LKM docs by Silvio Cesare.

Proc Restrictions (PROC.* options)
Deny/restrict access to /proc against processes/users snooping around. Merged from Solar Designer's Openwall patches.

Deny * in chroot (.*CHROOT options)
Makes it harder to break out of chroots.

Trusted path execution (TPE)
Deny running executables outside the system's $PATH

Randomized * (RAND.* options)
Randomize PIDs for instance.

Deny * socket access (SOCKET.* options)
Like it sez. Deny creation of (client|server) sockets for certain users.

And *then* there's the ACL system...

HTH.
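
A userland check for the first two options in the list above (non-executable stack, randomized layout), added here as an example and not part of the original post or of grsecurity: it compares `/proc/<pid>/maps` captures from two runs of the same program. The captures are constructed samples, and the `[stack]` label assumes a kernel whose maps output names the stack mapping.

```python
import re

# One line of /proc/<pid>/maps: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([r-][w-][x-][ps])\s+\S+\s+\S+\s+\d+\s*(.*)$"
)

# Constructed captures (not real output): two runs on a hardened kernel,
# and one run on an unhardened kernel whose layout repeats every execution.
HARDENED_RUN_1 = """\
08048000-0804a000 r-xp 00000000 08:01 1234 /usr/bin/demo
4a3f1000-4a504000 r-xp 00000000 08:01 5678 /lib/libc.so.6
bf8c2000-bf8d7000 rw-p 00000000 00:00 0 [stack]
"""
HARDENED_RUN_2 = """\
08048000-0804a000 r-xp 00000000 08:01 1234 /usr/bin/demo
45c7e000-45d91000 r-xp 00000000 08:01 5678 /lib/libc.so.6
bfd11000-bfd26000 rw-p 00000000 00:00 0 [stack]
"""
LEGACY_RUN = """\
08048000-0804a000 r-xp 00000000 08:01 1234 /usr/bin/demo
40017000-4012a000 r-xp 00000000 08:01 5678 /lib/libc.so.6
bfffe000-c0000000 rwxp 00000000 00:00 0 [stack]
"""

def parse_maps(text):
    """Return {region name: (base address, perms)}, first mapping per name."""
    regions = {}
    for line in text.strip().splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a maps line
        start, _end, perms, path = m.groups()
        regions.setdefault(path or "[anon]", (int(start, 16), perms))
    return regions

def audit(run_a, run_b):
    """Return (stack is executable, names of regions whose base did not move)."""
    a, b = parse_maps(run_a), parse_maps(run_b)
    exec_stack = any("x" in r["[stack]"][1] for r in (a, b) if "[stack]" in r)
    static = {name for name in a.keys() & b.keys() if a[name][0] == b[name][0]}
    return exec_stack, static

if __name__ == "__main__":
    print("hardened:", audit(HARDENED_RUN_1, HARDENED_RUN_2))
    print("legacy:  ", audit(LEGACY_RUN, LEGACY_RUN))
```

Any region reported as static sits at a predictable address across executions; a main executable that is not built position-independent is the usual one left over once the stack and libraries move.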
 
Old 09-24-2002, 09:09 AM   #4
tarballedtux
Member
 
Registered: Aug 2001
Location: Off the coast of Madadascar
Posts: 498

Original Poster
Rep: Reputation: 30
Are the non-ACL options of grsecurity (the ones you mentioned) sane patches that won't interfere at all with the normal operation of my box? That would be great if the patches didn't change the way I operate my box, but stop easy exploits.

--tarballedtux
 
Old 09-24-2002, 10:29 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,543
Blog Entries: 54

Rep: Reputation: 2924
I don't know how you operate your box, so I don't know what kind of interference you're suspecting, but Grsec applies cleanly (ie no .rej's) to a current clean kernel source. Unlike with other CVS projects even CVS versions of Grsec should run cleanly because they're tested and run *before* committing.

Yes, they're sane patches. Haven't had any real trouble running Grsec the last 1.5 yrs on both 2.2x, 2.4x, UNI and SMP.
 
Old 09-24-2002, 05:58 PM   #6
tarballedtux
Member
 
Registered: Aug 2001
Location: Off the coast of Madadascar
Posts: 498

Original Poster
Rep: Reputation: 30
Alright, so grsecurity is not so bad. What do the rmap and O(1) scheduler do? A Google query is not helping me find any information.

--tarballedtux
 
Old 09-25-2002, 05:33 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,543
Blog Entries: 54

Rep: Reputation: 2924
Tbt, you shouldn't tack on OT questions, add a new thread, and since it ain't about security, it should be in /General.
For scheduler Google for "linux scheduler" or "Ingo Molnar scheduler". He's at people.redhat.com/~ingo or something like that, for rmap Google for "Rik van Riel rmap" and/or look at surriel.com. Major sites like LWN do carry threads from the kernel mailing lists or review new kernel features so it would be weird if nuttin's showin up.
 
  


All times are GMT -5.