Bug 9139

Summary: Problem with grsecurity
Product: Gentoo Linux
Reporter: Francois Meehan <francois>
Component: [OLD] Core system
Assignee: Brandon Low (RETIRED) <lostlogic>
Status: RESOLVED FIXED
Severity: major
CC: vapier
Priority: High
Version: 1.0
Hardware: x86
OS: Linux

Description Francois Meehan 2002-10-14 18:38:29 UTC
I have compiled a kernel with most of grsecurity's functions enabled, emerged
gradm, manually created the /etc/grsec directory, found a default ACL somewhere
on the web, assigned a password, but ACL support won't work...

When trying the "gradm -E" or "gradm -a" I get: 

Error writing to /proc/sys/kernel/grsecurity/acl 
write: Invalid argument 

also if trying to go in learn mode with this command "gradm -L -O fmtest" I 
get: 

Unable to open /etc/syslog.conf for reading. 
Error: No such file or directory

I have emerged the latest gentoo-sources (kernel) package.

I did report the problem to grsecurity maintainers. Was told that the release
used to patch the "gentoo-sources kernel" is an old one, that might be the cause
of my problems. I noticed that the grsec patch used in gentoo-sources is 2
months old (that is not very old by my standards, but then again...), and that
there is a new release dated Oct. 12.

Can grsecurity be installed on a gentoo system with ACL support? That is the 
question. If so, can someone send me the recipe :-)

At any rate, as Gentoo is meant to be a secure distro, it would be very nice to 
have a fully working grsecurity package with it.

Gentoo rocks!

Thanks in advance,

Francois
Comment 1 SpanKY gentoo-dev 2002-10-14 20:39:26 UTC
grsecurity is actively maintained ... 
that means anything that is not grabbed from CVS is old ;) 
 
lostlogic: i thought we talked and you were gonna use 1.9.7 in -r9 of gentoo 
sources ? 
Comment 2 Brandon Low (RETIRED) gentoo-dev 2002-10-14 20:46:18 UTC
-r9 had 1.9.6, it was released LONG before grsecurity 1.9.7
-r10, which still has 1 thing needing fixing before unmasking, has 1.9.7, please
test it.  (the one thing to be fixed is some weird issue with FORKing on mjc's
system, that he hasn't gotten back to me about)
Comment 3 SpanKY gentoo-dev 2002-10-14 20:59:00 UTC
weird i could have sworn -r9 was gonna have it ... 
mjc is a wanker, don't tell him i said that ;x
Comment 4 Brandon Low (RETIRED) gentoo-dev 2002-10-17 14:07:44 UTC
check out latest lolo-sources, now with grsecurity-1.9.7c (although the merge is
missing one part which makes grsecurity PaX slightly less secure than it should be)
Comment 5 Francois Meehan 2002-10-18 15:36:20 UTC
Hi, did install latest lolo-sources, when running make menuconfig, under
grsecurity, there is no option "Access Control Lists  --->", instead there is
an "ACL options  --->" but that is of no use if we don't have ACLs, therefore
we are back to square one. I did recompile the kernel anyway, and this is what
I got:

/proc/sys/kernel/grsecurity/acl does not exist.  Please recompile your kernel 
with grsecurity's ACL system.

Regards,

Francois
Comment 6 Brandon Low (RETIRED) gentoo-dev 2002-10-21 18:43:04 UTC
ACL = Access Control Lists.
Comment 8 Francois Meehan 2002-10-21 19:11:01 UTC
Brandon, 

here is the menuconfig screen with your 2.4.20-lolo-r1_pre1

[*] Grsecurity                                                              
                      (Customized) Security level                            
                      Buffer Overflow Protection  --->                       
                      ACL options  --->                                      
                      Filesystem Protections  --->                           
                      Kernel Auditing  --->                                  
                      Executable Protections  --->                           
                      Network Protections  --->                              
                      Sysctl support  --->                                   
                      Miscellaneous Features  --->   


Now same screen with  v2.4.19-gentoo-r7 
    [*] Grsecurity                                                          
                      (Customized) Security level                            
                      Buffer Overflow Protection  --->                       
                      Access Control Lists  --->                             
                      Filesystem Protections  --->                           
                      Kernel Auditing  --->                                  
                      Executable Protections  --->                           
                      Network Protections  --->                              
                      Sysctl support  --->                                   
                      Miscellaneous Features  --->  


Unless I am missing something very obvious (ACL = Access Control Lists!!!), I 
can't get ACL to work with your mod.  Furthermore, with v2.4.19-gentoo-r7, 
after selecting Access Control Lists  ---> this is what we should see: 

[*] Grsecurity ACL system (NEW)                                               
        [ ] ACL Debugging Messages (NEW)                                     
        [ ] Denied capability logging (NEW)                                  
             Path to gradm: "/sbin/gradm" (NEW)                               
        (3) Maximum tries before password lockout (NEW)                      
        (30) Time to wait after max password tries, in seconds (NEW)         

Regards,

Francois                                                              

Comment 9 Brandon Low (RETIRED) gentoo-dev 2002-10-21 19:43:37 UTC
hmm... all I've done is upgrade to the latest grsecurity, I'll check the patch...
Comment 10 Brandon Low (RETIRED) gentoo-dev 2002-10-21 19:55:26 UTC
That's just the way it is in the grsecurity patch lately... ask
brad@grsecurity.net about it, this is NOT a bug in our kernels.
Comment 11 Brandon Low (RETIRED) gentoo-dev 2002-10-22 13:46:35 UTC
this is me checking this in the official unmodified patch, just to verify.
Comment 12 Brandon Low (RETIRED) gentoo-dev 2002-10-22 13:49:15 UTC
this is me verifying that the official patch looks JUST LIKE MINE (not to sound
annoyed, but you went over my head, and frankly that bothers me, because I had
told you the proper resolution to this bug)
http://www.lostlogicx.com/images/grsec-ss.jpg shows a screenshot of the OFFICIAL
linux-2.4.19-grsec configuration screen.
Comment 13 Francois Meehan 2002-10-22 14:34:07 UTC
Hi Brandon, 

I am very sorry if you feel annoyed because of the e-mail that I sent to
Daniel, but before I submitted that problem, I did contact the Grsec
people, who said the problem is with Gentoo, and you are saying the problem is
with them... So it's a dead end.

Can't win them all, so I'll forget ACL's for a while.

Thanks again for your help
Comment 14 Brandon Low (RETIRED) gentoo-dev 2002-10-22 14:40:26 UTC
blah... I dun get it... if brad changed that option setup, there has to be a
reason for it... I'll e-mail him...
Comment 15 Brandon Low (RETIRED) gentoo-dev 2002-10-22 17:05:57 UTC
I e-mailed brad, he said "yeah it is on by default now, make sure user has the
latest gradm tools"