Gentoo's Bugzilla – Attachment 14356 Details for
Bug 24248
Startup script for grsecurity
grsecurity startup script
grsecurity (text/plain), 5.84 KB, created by
mlmoser
on 2003-07-10 14:51:05 UTC
(
hide
)
Description:
grsecurity startup script
Filename:
MIME Type:
Creator:
mlmoser
Created:
2003-07-10 14:51:05 UTC
Size:
5.84 KB
patch
obsolete
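#!/sbin/runscript
# grsecurity configuration script
# part of the grsecurity init.d script written for Gentoo by Bluefox Icy
#
# Distributed under GPL v2.0. All clauses apply, especially that of
# NO WARRANTY.
#
# This file reads options GRSEC_{SYSCTL} from the grsecurity conf.d file and
# writes each one to the matching entry under ${GRSECURITY_SYSCTL_DIR}.
# Each option has a description attached to it in the conf.d file.
#
# Control knobs read from the conf.d file (treated as 0 when unset):
#   GRSECURITY_SYSCTL_DIR        directory holding the grsecurity sysctl files
#   GRSECURITY_CRITICAL          1: run "telinit 1" when anything fails
#   GRSECURITY_NO_LOCK_ON_ERROR  1: do not lock if a sysctl could not be set
#   GRSECURITY_AUTO_GRSEC_LOCK   1: write grsec_lock after applying settings
#   GRSECURITY_HIDESYS           1: keep GRSECURITY_SYSCTL_DIR out of messages
#
# GRSECURITY_ERROR is a global status shared by start() and setsecurity():
#   0 = all good, 1 = at least one sysctl failed, 100 = grsec_lock failed.

#######################################
# Write one grsecurity sysctl value.
# Globals:   GRSECURITY_SYSCTL_DIR (read), GRSECURITY_ERROR (set to 1 on failure)
# Arguments: $1 - sysctl entry name (file under GRSECURITY_SYSCTL_DIR)
#            $2 - value to write
# Returns:   0 on success, 1 if the write failed
#######################################
setsecurity() {
	local entry="$1"
	local value="$2"
	local rc=0

	ebegin "Setting ${entry} to ${value}"
	# The redirection fails when the entry does not exist, which is what
	# happens when the kernel lacks that grsecurity option or sysctl support.
	# printf keeps values such as "-n" from being eaten as echo options.
	printf '%s\n' "${value}" > "${GRSECURITY_SYSCTL_DIR}/${entry}" || rc=1
	if [ "${rc}" -eq 1 ]; then
		eerror "failed to set ${entry}"
		GRSECURITY_ERROR=1
	fi
	eend "${rc}"
}

#######################################
# Apply every GRSEC_* option from the conf.d file to its sysctl entry.
# Globals:   GRSEC_* (read), GRSECURITY_ERROR (via setsecurity)
# Returns:   status of the last setsecurity call; check GRSECURITY_ERROR
#            for the overall result
#######################################
grsec_apply_settings() {
	# "acl" appears not to be read/write, so it is not set here.
	# setsecurity "acl" "${GRSEC_ACL}"

	setsecurity "linking_restrictions" "${GRSEC_LINKING_RESTRICTIONS}"
	setsecurity "fifo_restrictions" "${GRSEC_FIFO_RESTRICTIONS}"

	setsecurity "chroot_deny_mount" "${GRSEC_CHROOT_DENY_MOUNT}"
	setsecurity "chroot_deny_chroot" "${GRSEC_CHROOT_DENY_CHROOT}"
	setsecurity "chroot_deny_pivot" "${GRSEC_CHROOT_DENY_PIVOT}"
	setsecurity "chroot_enforce_chdir" "${GRSEC_CHROOT_ENFORCE_CHDIR}"
	setsecurity "chroot_deny_chmod" "${GRSEC_CHROOT_DENY_CHMOD}"
	setsecurity "chroot_deny_fchdir" "${GRSEC_CHROOT_DENY_FCHDIR}"
	setsecurity "chroot_deny_mknod" "${GRSEC_CHROOT_DENY_MKNOD}"
	setsecurity "chroot_deny_shmat" "${GRSEC_CHROOT_DENY_SHMAT}"
	setsecurity "chroot_deny_unix" "${GRSEC_CHROOT_DENY_UNIX}"
	setsecurity "chroot_findtask" "${GRSEC_CHROOT_FINDTASK}"
	setsecurity "chroot_restrict_nice" "${GRSEC_CHROOT_RESTRICT_NICE}"
	# Was "${CHROOT_DENY_SYSCTL}" (missing GRSEC_ prefix), so the conf.d
	# value was never applied and an empty string was written instead.
	setsecurity "chroot_deny_sysctl" "${GRSEC_CHROOT_DENY_SYSCTL}"
	setsecurity "chroot_caps" "${GRSEC_CHROOT_CAPS}"

	setsecurity "audit_group" "${GRSEC_AUDIT_GROUP}"
	setsecurity "audit_gid" "${GRSEC_AUDIT_GID}"
	setsecurity "exec_logging" "${GRSEC_EXEC_LOGGING}"
	setsecurity "chroot_execlog" "${GRSEC_CHROOT_EXECLOG}"
	setsecurity "audit_chdir" "${GRSEC_AUDIT_CHDIR}"
	setsecurity "audit_mount" "${GRSEC_AUDIT_MOUNT}"
	setsecurity "audit_ipc" "${GRSEC_AUDIT_IPC}"
	setsecurity "signal_logging" "${GRSEC_SIGNAL_LOGGING}"
	setsecurity "forkfail_logging" "${GRSEC_FORKFAIL_LOGGING}"
	setsecurity "timechange_logging" "${GRSEC_TIMECHANGE_LOGGING}"

	setsecurity "execve_limiting" "${GRSEC_EXECVE_LIMITING}"
	setsecurity "dmesg" "${GRSEC_DMESG}"
	setsecurity "rand_pids" "${GRSEC_RAND_PIDS}"
	setsecurity "tpe" "${GRSEC_TPE}"
	setsecurity "tpe_gid" "${GRSEC_TPE_GID}"
	setsecurity "tpe_restrict_all" "${GRSEC_TPE_RESTRICT_ALL}"

	setsecurity "rand_isns" "${GRSEC_RAND_ISNS}"
	setsecurity "rand_ip_ids" "${GRSEC_RAND_IP_IDS}"
	setsecurity "rand_tcp_src_ports" "${GRSEC_RAND_TCP_SRC_PORTS}"
	setsecurity "rand_rpc" "${GRSEC_RAND_RPC}"
	setsecurity "altered_pings" "${GRSEC_ALTERED_PINGS}"

	setsecurity "socket_all" "${GRSEC_SOCKET_ALL}"
	setsecurity "socket_all_gid" "${GRSEC_SOCKET_ALL_GID}"
	setsecurity "socket_client" "${GRSEC_SOCKET_CLIENT}"
	setsecurity "socket_client_gid" "${GRSEC_SOCKET_CLIENT_GID}"
	setsecurity "socket_server" "${GRSEC_SOCKET_SERVER}"
	setsecurity "socket_server_gid" "${GRSEC_SOCKET_SERVER_GID}"
}

#######################################
# Service stop. grsecurity settings are not undone here (and cannot be once
# grsec_lock is set), so this only reports success to keep runlevel changes
# from being blocked.
# Returns:   0
#######################################
stop() {
	ebegin "Faking a grsecurity stop"
	# eerror "CANNOT STOP GRSECURITY!"
	eend 0
	return 0
}

#######################################
# Service start: load the conf.d file, apply all GRSEC_* sysctls, then
# optionally lock grsecurity.
# Globals:   GRSECURITY_* (read), GRSECURITY_ERROR (written)
# Returns:   GRSECURITY_ERROR (0 ok, 1 sysctl failure, 100 lock failure)
#######################################
start() {
	local rc=0
	local shown_dir

	ebegin "Bringing up grsecurity"
	if [ "${GRSECURITY_CRITICAL:-0}" -eq 1 ]; then
		echo "Warning: grsecurity is set as mission critical. You have five seconds to abort. If grsecurity does not load properly, the system will immediately drop into runlevel 1 for root-only console matinence due to a severe security compromise."
	fi

	GRSECURITY_ERROR=0

	ebegin "Loading config..."
	# The conf.d file is executed as shell code with root privileges at
	# boot, so it must stay root-owned and not writable by anyone else.
	# NOTE(review): the error text below refers to /etc/conf.d/grsecurity
	# while this sources /etc/conf.d/grsconfity -- confirm which one ships.
	. /etc/conf.d/grsconfity || GRSECURITY_ERROR=1
	if [ "${GRSECURITY_ERROR}" -eq 1 ]; then
		eerror "Can not load config!!!"
		eend 1
		eerror "Loading grsecurity failed!!!"
		eend 1
		return 1
	fi
	eend 0

	grsec_apply_settings

	# If anything failed, say so loudly; on a mission-critical box drop to
	# single-user (root-only) maintenance mode.
	if [ "${GRSECURITY_HIDESYS:-0}" -eq 1 ]; then
		shown_dir="[GRSECURITY_HIDESYS set to 1, GRSECURITY_SYSCTL_DIR not being shown]"
	else
		shown_dir="${GRSECURITY_SYSCTL_DIR}"
	fi
	if [ "${GRSECURITY_ERROR}" -eq 1 ]; then
		eerror "Warning: Some of grsecurity could not be set. Please check your kernel configuration. Make sure sysctl is compiled in and that ALL options with sysctl are compiled in. Check /etc/conf.d/grsecurity for a list of supported options with sysctl objects in /proc. Also, make sure the version of grsecurity you are using uses sysctl directory '${shown_dir}'. If it does NOT use that directory, please edit /etc/conf.d/grsconfity and alter the GRSECURITY_SYSCTL_DIR variable to match the sysctl directory that grsecurity uses."
		if [ "${GRSECURITY_CRITICAL:-0}" -eq 1 ]; then
			telinit 1
		fi
		# Refuse to lock a partially configured grsecurity when asked to.
		if [ "${GRSECURITY_NO_LOCK_ON_ERROR:-0}" -eq 1 ]; then
			eend "${GRSECURITY_ERROR}"
			return "${GRSECURITY_ERROR}"
		fi
	fi

	# Lock all grsecurity settings so they cannot be changed afterwards.
	# A lock failure is severe: the settings above stay writable.
	if [ "${GRSECURITY_AUTO_GRSEC_LOCK:-0}" = "1" ]; then
		ebegin "Locking grsecurity"
		rc=0
		printf '1\n' > "${GRSECURITY_SYSCTL_DIR}/grsec_lock" || rc=1
		if [ "${rc}" -eq 1 ]; then
			eerror "WARNING!!! SEVERE ERROR: CANNOT LOCK GRSECURITY! SYSTEM IS NOT SECURE!!!"
			GRSECURITY_ERROR=100
			if [ "${GRSECURITY_CRITICAL:-0}" -eq 1 ]; then
				telinit 1
			fi
		fi
		eend "${rc}"
		# Closes the outer "Bringing up grsecurity" block.
		eend "${GRSECURITY_ERROR}"
		return "${GRSECURITY_ERROR}"
	fi

	# Reached only with locking disabled. Errors were tolerated above, so
	# report the real status rather than an unconditional success marker.
	eend "${GRSECURITY_ERROR}"
	return "${GRSECURITY_ERROR}"
}
# end of file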