
Bug 24248

Summary: Startup script for grsecurity
Product: Gentoo Linux
Reporter: mlmoser
Component: [OLD] Core system
Assignee: solar (RETIRED) <solar>
Severity: enhancement    
Priority: High    
Version: 1.4_rc4   
Hardware: All   
OS: Linux   
Package list:
Runtime testing required: ---
Attachments: patch for linux-2.4.20-gentoo-r5/arch/i386/defconfig to set up safe grsecurity
grsecurity startup script
grsecurity startup script configuration file

Description mlmoser 2003-07-10 14:45:53 UTC
/etc/init.d script for grsecurity -- reads grsconfity from /etc/conf.d and flips
sysctl's accordingly
/etc/conf.d script for grsecurity -- grseconfity, used to determine which
sysctl'able grsecurity options are activated and such
defconfig.diff -- Patch for linux-2.4.20-gentoo-r5/arch/i386/defconfig to set up
safe grsecurity settings reliant on this script

The grsecurity script should be added to the boot runlevel, and should execute
as soon as the /proc filesystem is available.  It will only work properly if all
of the sysctl options in the grsecurity patch are on, and sysctl is compiled in
for grsec.  The settings I have in there for grsecurity do not include the
/dev/kmem /dev/mem and such options because they break X for me (TNT2 nVidia
card, using nvidia-kernel and nvidia-glx, which is pretty normal).

Notice that there are options in the grsconfity file that allow for several
things to happen:

1) Setting GRSECURITY_SYSCTL_DIR will change the base dir used for grsecurity
sysctl's.  This is good if you have hacked your grsecurity code to use a
different part of proc, which would increase security.
2) Setting GRSECURITY_CRITICAL to 1 (any non-1 is 0, sorry but I don't care for
jokers thinking they can say "10000" or "y" or "b0rk!" or "@*%G *%@BPU@" and
that I'll check for just != 0) will cause any failure in initializing grsecurity
to immediately telinit 1 (this is untested but the code looks okay).  This is
for things like servers that hold things you don't want people breaking into,
and that you would rather have downtime on instead of a security hole.
3) Setting GRSECURITY_HIDESYS to 1 will cause the "grsecurity did not load well,
make sure the sysctl directory is [...] or check grseconfity" error to NOT
display the sysctl path (in case you changed it and have no-read scripts and do
not want anyone to see where it is).  Put this on 1
4) Setting GRSECURITY_AUTO_GRSEC_LOCK to 1 will cause grsec_lock to be set at
the end of the script, preventing any more changes until reboot.  LEAVE THIS
5) Setting GRSECURITY_NO_LOCK_ON_ERROR to 1 will prevent grsec_lock from being
set if there are any errors starting grsecurity, even if
GRSECURITY_AUTO_GRSEC_LOCK is on.  Set this on non-mission critical systems.

All of the GRSEC_* variables are sysctl settings.  Set the ones that are 1/0 to
1 or 0, and set the GID's to the GID's of your choice.  I recommend also having
the groups:


Added to /etc/group during new installs (or updates) to work with grsecurity.
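
The flag handling described in the post above (strict "1" test, GRSECURITY_CRITICAL, GRSECURITY_HIDESYS, and the two lock options), as an added sketch that is not the attached script or any Gentoo code. The function names, the "name=value" input format and the sample values are assumptions; the directory is a constructed stand-in for the grsecurity sysctl directory.

```shell
#!/bin/sh
# Added illustration; not the attached script. GRSECURITY_* names are from the
# bug description, the function names and "name=value" input are assumptions.

is_on() { [ "$1" = "1" ]; }   # strict: only the literal "1" enables a flag

# grsec_apply DIR "name=value ..." -> prints locked | unlocked | critical
# ("critical" marks where the described script would run `telinit 1`).
# Exit status is non-zero if any setting could not be written.
grsec_apply() {
    dir=$1; errors=0
    for kv in $2; do
        name=${kv%%=*}; value=${kv#*=}
        # A missing or read-only entry means the setting was not applied.
        if [ -w "$dir/$name" ] && echo "$value" > "$dir/$name"; then :
        else errors=$((errors + 1)); fi
    done
    if [ "$errors" -gt 0 ]; then
        where=" under $dir"
        is_on "${GRSECURITY_HIDESYS:-0}" && where=""   # do not leak the path
        echo "grsecurity: $errors setting(s) failed$where" >&2
        if is_on "${GRSECURITY_CRITICAL:-0}"; then echo critical; return 1; fi
        if is_on "${GRSECURITY_NO_LOCK_ON_ERROR:-0}"; then echo unlocked; return 1; fi
    fi
    # Lock last: once grsec_lock is 1, nothing can change until reboot.
    if is_on "${GRSECURITY_AUTO_GRSEC_LOCK:-0}" && echo 1 > "$dir/grsec_lock"; then
        echo locked
    else
        echo unlocked
    fi
    [ "$errors" -eq 0 ]
}

# Demo on a constructed directory standing in for the real sysctl directory.
demo=$(mktemp -d) && : > "$demo/tpe" && : > "$demo/tpe_gid" && : > "$demo/grsec_lock"
GRSECURITY_AUTO_GRSEC_LOCK=1
grsec_apply "$demo" "tpe=1 tpe_gid=1005"   # constructed values
rm -rf "$demo"
```

With errors present and GRSECURITY_NO_LOCK_ON_ERROR left off, the sketch still sets grsec_lock, so a partially applied policy is frozen until reboot; the exit status is what tells the caller that happened.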
Comment 1 mlmoser 2003-07-10 14:48:47 UTC
Created attachment 14355 [details, diff]
patch for linux-2.4.20-gentoo-r5/arch/i386/defconfig to set up safe grsecurity

Patch linux-2.4.20-gentoo-r5/arch/i386/defconfig with this to turn on the
settings I used for grsecurity.  They were the maximum I could use without
hindering myself.  It's suitable for most users and won't get in the way.
Comment 2 mlmoser 2003-07-10 14:51:05 UTC
Created attachment 14356 [details]
grsecurity startup script

A grsecurity script that reads /etc/conf.d/grsconfity for settings and sets up
the sysctl's for grsecurity at boot.  `rc-update add grsecurity boot` and
please modify to run as soon as /proc is accessible!
Comment 3 mlmoser 2003-07-10 14:52:11 UTC
Created attachment 14357 [details]
grsecurity startup script configuration file

Configuration file for grsecurity startup script.  VERY well commented.  Don't
mess with it, it took me >5 hours to do this!

--Bluefox Icy
Comment 4 mlmoser 2003-07-10 14:53:05 UTC
These patches and scripts made by Bluefox Icy.  Sorry, forgot to leave my print ;-)

--Bluefox Icy
Comment 5 solar (RETIRED) gentoo-dev 2003-07-10 21:41:21 UTC
This script is not backwards compatible with the existing one; however, if you're interested in expanding on what currently exists vs a total rewrite then we can consider it for inclusion.
Comment 6 solar (RETIRED) gentoo-dev 2003-07-10 21:44:07 UTC
Changing bug status
Comment 7 mlmoser 2003-07-11 12:01:59 UTC
I was not aware one existed.  What is this not backwards-compatible with?  Is there another script/conf.d combination?  The reason I wrote this was because I didn't see a current implementation.  I was concerned with coming up with a viable setup that provided security without posing a hindrance to the user.  Though, with the default settings, it will prevent running of apps with wine in a world-writable fake C:; however, tpe can be turned off (or the C: can be made user writable, which is what an install of wine does if nothing else is around anyway; creates a fake_root in $HOME)

At any rate, what currently is used for grsecurity startup?
Comment 8 solar (RETIRED) gentoo-dev 2003-07-11 14:34:22 UTC
/etc/{init.,conf.}d/grsecurity get created by installing the userland tool gradm.
You can peep the current revision by doing

user@gentoo $ cat /usr/portage/sys-apps/gradm/files/grsecurity
user@gentoo $ cat /usr/portage/sys-apps/gradm/files/grsecurity.rc
Comment 9 solar (RETIRED) gentoo-dev 2003-07-11 14:39:58 UTC
Also the userland tool gradm2 exists in portage to add grsec2 support. For this we have no init or conf files yet.

More info on grsec & gentoo can be found at