LinuxQuestions.org
Old 09-23-2002, 08:53 PM   #1
int0x80
Member
 
Registered: Sep 2002
Location: Cincinnati
Distribution: Debian GNU/Linux
Posts: 310

Rep: Reputation: 31
Implementing GRsecurity


After seeing the kernel patch thread, and the offer made in there, I felt I couldn't pass up on asking a few questions. Previously, I have downloaded the recent grsecurity patch and its compatible kernel (grsecurity-1.9.6-2.4.19.patch.gz and linux-2.4.19.tar.gz, respectively). I followed the installation instructions found in the documentation at http://grsecurity.net/gracldoc.htm and everything looked ok. When I ran make xconfig, the following occurred:
Code:
root@slack:/usr/src/linux# make xconfig
rm -f include/asm
( cd include ; ln -sf asm-i386 asm)
make -C scripts kconfig.tk
make[1]: Entering directory `/usr/src/linux-2.4.18/scripts'
cat header.tk >> ./kconfig.tk
./tkparse < ../arch/i386/config.in >> kconfig.tk
echo "set defaults \"arch/i386/defconfig\"" >> kconfig.tk
echo "set ARCH \"i386\"" >> kconfig.tk
cat tail.tk >> kconfig.tk
chmod 755 kconfig.tk
make[1]: Leaving directory `/usr/src/linux-2.4.18/scripts'
wish -f scripts/kconfig.tk
Application initialization failed: no display name and no $DISPLAY environment variable
Error in startup script: invalid command name "button"
    while executing
"button .ref"
    (file "scripts/kconfig.tk" line 51)
make: *** [xconfig] Error 1
I searched google for this and eventually found something about applying some extra code somewhere, but I don't feel that comfortable working with the kernel yet. So I ran make menuconfig and that loaded up fine. I didn't see any extra options implemented by grsecurity so I exited the kernel configuration without changing anything but saved the configuration. I proceeded to execute the remaining commands (make dep bzImage modules modules_install install) and change my boot loader information:
Code:
cp arch/i386/boot/bzImage /boot/vmlinuz-2.4.19
cp System.map /boot/System.map-2.4.19

[/etc/lilo.conf]
image = /boot/vmlinuz-2.4.19
label = 2.4.19
I then ran /sbin/lilo and successfully rebooted. Everything was ok until I went to ssh into the machine. It would not let me even put in a user name. Just kept denying access. I checked to make sure sshd was running, and it was. Flushed all the firewall rules (only running iptables). So what it comes down to is:

1. Was the grsecurity patch applied, and if so, where do I access its configuration options for the kernel?

2. How do I resolve the errors I received from executing make xconfig?

3. Why am I now locked out even though I didn't make any changes to the kernel configuration when I was in make menuconfig?

By the way, I am running Slackware 8.1
 
Old 09-23-2002, 08:57 PM   #2
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 10,389

Rep: Reputation: 2626
The patch contained in -lq3 fixes the problem with make xconfig.

--jeremy
 
Old 09-23-2002, 09:46 PM   #3
int0x80
Member
 
Registered: Sep 2002
Location: Cincinnati
Distribution: Debian GNU/Linux
Posts: 310

Original Poster
Rep: Reputation: 31
After not finding any documentation on installation, I am sorry to ask another question. Do I apply the 2.4.19-lq3 patch the same way that grsecurity is supposed to be applied? E.g.
Code:
tar zxvf linux-2.4.19.tar.gz
patch -p0 < 2.4.19-lq3.patch
cd linux-2.4.19
make xconfig
make dep bzImage modules modules_install install
 
Old 09-24-2002, 04:08 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,285
Blog Entries: 54

Rep: Reputation: 2854
To start with your most recent question: I applied the gzipped version as "gunzip -cd lq3.gz | patch -p0 -d /usr/src/linux" over a pristine kernel. If you want to verify that this works, try using patch with "--dry-run", which would show any errors. The rest of the kernel config/compile remains the same, of course.

1. Grsecurity's features are the last ones in the config. Applying the kernel patch doesn't automagically enable them unless you copy over a .config which has already been used to enable Grsecurity-1.9.6. If you did enable its sysctl option you will find the options under /proc/sys/kernel/grsecurity. Everything there *except* acl is tweakable.
Sysctl options can be set automatically by using sysctl or echoing a set of variables. Using "sysctl -e -p /etc/grsec.conf", the grsec.conf entries would look like
"kernel.grsecurity.restrict_ksyms =0" (w/o quotes).

3. If you didn't make any changes to the kernel options you already had plus you didn't post the relevant Grsecurity options you enabled in the first place, I cannot determine why the error would lie with Grsecurity.
If you have sysctl turned on for it, have a look at whether any socket_.* options are enabled.
These are available to help restrict creation of (any|client|server) sockets for local users.
 
Old 09-24-2002, 09:38 AM   #5
int0x80
Member
 
Registered: Sep 2002
Location: Cincinnati
Distribution: Debian GNU/Linux
Posts: 310

Original Poster
Rep: Reputation: 31
Which file to patch?

I tried applying the patch as recommended, and ran into this:
Code:
root@slack:/usr/src# gunzip -cd 2.4.19-lq3.gz | patch -p0 -d /usr/src/linux --dry-run
can't find file to patch at input line 4
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -Nru linux-2.4.19/Documentation/Configure.help linux-2.4.19-lq/Documentation/Configure.help
|--- linux-2.4.19/Documentation/Configure.help  Fri Aug  2 18:39:42 2002
|+++ linux-2.4.19-lq/Documentation/Configure.help       Mon Sep 23 06:58:06 2002
--------------------------
File to patch:
This has happened to me once before (the first time I tried applying GRsecurity), but every time after that it had gone through a whole process and reported no errors. So I'm pretty uncertain about what needs to be done here.
 
Old 09-24-2002, 10:36 AM   #6
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 10,389

Rep: Reputation: 2626
Take out the -d option from patch and make sure you have a linux-2.4.19 directory.

--jeremy
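
Added example, not part of any post above: the -p question from posts #5 and #6 as a small POSIX shell check. It reads the first "---" header of a patch and reports the smallest strip level at which that file exists under a given directory; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find the patch -p level at which the
# first file named in a unified diff exists under a target directory.

# Print the path from the first "--- " header of PATCHFILE ($1).
first_patch_path() {
    sed -n 's/^--- \([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Print PATH ($1) with N ($2) leading components removed; fail if too few.
strip_components() {
    p=$1 n=$2
    while [ "$n" -gt 0 ]; do
        case $p in
            */*) p=${p#*/} ;;
            *)   return 1 ;;
        esac
        n=$((n - 1))
    done
    printf '%s\n' "$p"
}

# Print the smallest -p level for PATCHFILE ($1) relative to DIR ($2).
find_strip_level() {
    path=$(first_patch_path "$1")
    [ -n "$path" ] || return 1
    level=0
    while rel=$(strip_components "$path" "$level"); do
        [ -f "$2/$rel" ] && { printf '%s\n' "$level"; return 0; }
        level=$((level + 1))
    done
    return 1
}

# Constructed sample: a tree and a header shaped like the one in post #5.
demo() {
    top=$(mktemp -d) || return 1
    mkdir -p "$top/linux-2.4.19/Documentation"
    : > "$top/linux-2.4.19/Documentation/Configure.help"
    printf '%s\n' \
        '--- linux-2.4.19/Documentation/Configure.help  Fri Aug  2 18:39:42 2002' \
        '+++ linux-2.4.19-lq/Documentation/Configure.help  Mon Sep 23 06:58:06 2002' \
        > "$top/sample.patch"
    echo "from the parent directory: -p$(find_strip_level "$top/sample.patch" "$top")"
    echo "with -d into the tree:     -p$(find_strip_level "$top/sample.patch" "$top/linux-2.4.19")"
    rm -rf "$top"
}
demo
```

The header paths start with linux-2.4.19/, so -p0 only resolves from the directory that contains linux-2.4.19; pointing -d into a kernel tree needs -p1 instead.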
 
Old 09-24-2002, 11:33 PM   #7
int0x80
Member
 
Registered: Sep 2002
Location: Cincinnati
Distribution: Debian GNU/Linux
Posts: 310

Original Poster
Rep: Reputation: 31
I am a fail of failtastic proportions

This is some crazy stuff. Here is the listing of how it went down:
1. Downloaded linux-2.4.19.tar.gz kernel
2. Downloaded 2.4.19-lq3.gz from Linux Questions
3. Checked md5sums
4. Executed the following commands:
Code:
root@slack:/usr/src/$ gunzip -cd 2.4.19-lq3.gz | patch -p0
root@slack:/usr/src/$ cd linux-2.4.19
root@slack:/usr/src/linux-2.4.19$ make xconfig
At this point make xconfig failed again as it had before.
Code:
root@slack:/usr/src/linux-2.4.19$ make menuconfig
The only section I edited was 'Grsecurity', and all I did was enable stack overflow protection. Nothing else.
Code:
root@slack:/usr/src/linux-2.4.19$ make dep bzImage modules modules_install install
root@slack:/usr/src/linux-2.4.19$ cp arch/i386/boot/bzImage /boot/vmlinuz-2.4.19
root@slack:/usr/src/linux-2.4.19$ cp System.map /boot/System.map-2.4.19
root@slack:/usr/src/linux-2.4.19$ vi /etc/lilo.conf

<made following changes>
    image = /boot/vmlinuz-2.4.19
    label = 2.4.19

root@slack:/usr/src/linux-2.4.19$ /sbin/lilo
root@slack:/usr/src/linux-2.4.19$ shutdown -r now
Everything looked normal in the reboot process. Everything loaded back up. I saw it successfully start the sshd again. One note is the frame buffer was now gone. It prompted me for login so I logged in as my regular user name, and this is what happened:
Code:
No directory, logging in with HOME=/
Linux-2.4.19-lq3
Last login ... on pts/0 from clax.
No mail.
david@slack:/$
My /home directory is empty, and I am again remotely locked out (thank goodness for kvm). Now my status qualifies for completely lost + confused + frustrated. At this point I'm currently looking through google trying to find someone with similar experiences that solved the problem; but any advice, information, and resources you have would be appreciated.
 
Old 09-25-2002, 01:54 AM   #8
RijilV
Member
 
Registered: Sep 2002
Location: somewhere
Distribution: gentoo
Posts: 123

Rep: Reputation: 15
Re: I am a fail of failtastic proportions

Quote:
Originally posted by GNUbie

The only section I edited was 'Grsecurity', and all I did was enable stack overflow protection. Nothing else.

welp,. you didn't change ANYTHING else on the default kernel .config ?

if you have /home on a separate partition, it might be of an unsupported filesystem. this explains your lack of a framebuffer...


I could be like, missing something or misunderstanding stuff..
 
Old 09-25-2002, 01:55 AM   #9
RijilV
Member
 
Registered: Sep 2002
Location: somewhere
Distribution: gentoo
Posts: 123

Rep: Reputation: 15
Re: I am a fail of failtastic proportions

Quote:
Originally posted by GNUbie

The only section I edited was 'Grsecurity', and all I did was enable stack overflow protection. Nothing else.

welp,. you didn't change ANYTHING else on the default kernel .config ?

if you have /home on a separate partition, it might be of an unsupported filesystem for the default .config

if you didn't change anything, framebuffer is not part of the default .config


I could be like, missing something or misunderstanding stuff..
 
Old 09-25-2002, 08:57 AM   #10
int0x80
Member
 
Registered: Sep 2002
Location: Cincinnati
Distribution: Debian GNU/Linux
Posts: 310

Original Poster
Rep: Reputation: 31
Re: Re: I am a fail of failtastic proportions

Quote:
Originally posted by RijilV

welp,. you didn't change ANYTHING else on the default kernel .config ?
Correct.


Quote:
if you have /home on a separate partition, it might be of an unsupported filesystem. this explains your lack of a framebuffer...
/ is mounted on /dev/hda2 while /home was mounted on /dev/hda7. I didn't think to check before my previous post, but the only partition that exists now is /dev/hda2, everything else is gone. /home was ext3 by the way, and I'm assuming that the data regarding the framebuffer was stored somewhere in there.


Quote:
I could be like, missing something or misunderstanding stuff..
Nope, you seem to be correct in what you posted. I am the one who is misunderstanding and missing things
 
Old 09-25-2002, 09:04 AM   #11
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 10,389

Rep: Reputation: 2626
GNUbie,
You will need to configure your new kernel to support what your old kernel did. Do you have an old .config you can use as a baseline? If not you will have to go through the options and make sure you add support for everything you use (such as ext3).

--jeremy
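
Added example, not part of any post above: a POSIX shell check for the baseline comparison described in post #11. It lists options that were enabled (=y or =m) in the old .config but are not enabled in the new one; the function names and both config fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list options that were built in (=y)
# or modular (=m) in the old kernel .config but are not enabled in the new one.

# Print the sorted names of enabled options in CONFIGFILE ($1).
enabled_options() {
    sed -n 's/^\(CONFIG_[A-Za-z0-9_]*\)=[ym]$/\1/p' "$1" | LC_ALL=C sort -u
}

# Print options enabled in OLD ($1) that are missing or disabled in NEW ($2).
dropped_options() {
    old_list=$(mktemp) && new_list=$(mktemp) || return 1
    enabled_options "$1" > "$old_list"
    enabled_options "$2" > "$new_list"
    LC_ALL=C comm -23 "$old_list" "$new_list"
    rm -f "$old_list" "$new_list"
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed fragments; a real .config has hundreds of lines.
    cat > "$d/old.config" <<'EOF'
CONFIG_EXT2_FS=y
CONFIG_EXT3_FS=y
CONFIG_JBD=y
CONFIG_FB=y
CONFIG_FB_VESA=y
EOF
    cat > "$d/new.config" <<'EOF'
CONFIG_EXT2_FS=y
# CONFIG_EXT3_FS is not set
# CONFIG_FB is not set
EOF
    dropped_options "$d/old.config" "$d/new.config"
    rm -rf "$d"
}
demo
```

Anything this prints is support the rebuilt kernel no longer has. Copying the old .config into the new tree and running "make oldconfig" before "make menuconfig" carries those settings forward and only asks about options the old file did not have.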
 
Old 09-25-2002, 11:30 AM   #12
int0x80
Member
 
Registered: Sep 2002
Location: Cincinnati
Distribution: Debian GNU/Linux
Posts: 310

Original Poster
Rep: Reputation: 31
<sigh>

Looks like some long nights ahead.
Any resources you recommend regarding learning more about working with the kernel in Linux? I am quite interested in this stuff.

Last edited by int0x80; 09-25-2002 at 11:31 AM.
 
Old 09-25-2002, 03:54 PM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,285
Blog Entries: 54

Rep: Reputation: 2854
Naw, you could prolly get it right in under half an hour :-]
Try The Linux Kernel HOWTO for some help.
 
Old 09-30-2002, 03:31 PM   #14
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
As a side note, as I've started messing around with kernel stuff I used the website www.kernelnewbies.org ... might be worth a look, although I think the older site was quite a bit more useful.
 
  


All times are GMT -5. The time now is 11:36 PM.
