identd problem

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

identd problem

Postby DMBreathn » Sat Aug 31, 2002 9:41 am

when i use kernel with grsecurity ... my identd wont workout ... but it starts OK ...
but when i checked my port ... 113 isnt open ... when i use kernel without grsecurity ..
my identd workout fine ... would anyone can help me with my prob? how can i open
port 113 when i use grsecurity for my identd will be working .?

i :-?
DMBreathn
 
Posts: 1
Joined: Sat Aug 31, 2002 9:37 am

Postby decoder » Sun Sep 08, 2002 6:37 am

mmh i cant really think of what that could be. did u maybe enable socket restrictions in grsecurity? try disabling socket restrictions if so (under Network Protections). If that doesnt work, tell me what options u have enabled.

cu
decoder
decoder
 
Posts: 8
Joined: Sat Sep 07, 2002 10:08 pm

Postby spender » Sun Sep 08, 2002 9:13 pm

you didn't read the help for the proc restriction option. If you chose restrict to user only, you have to run the identd as root (not recommended). If you chose to allow a special group, you must run identd as that group so it can open up /proc/net/tcp.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby Tirppa » Mon May 05, 2003 6:48 am

I'm quite the newbie and have exactly the same problem I now could use a bit more step by step how to fix this "problem". I use debian and compiled 2.4.20 kernel with grsec 1.9.9g with medium security setting. My identd is running like: nobody 22718 0.0 0.8 1312 528 ? S 13:29 0:00 [gidentd]

I really could use the help. As soon as possible :-?
Tirppa
 
Posts: 1
Joined: Mon May 05, 2003 6:45 am

Postby spender » Mon May 05, 2003 10:08 am

as root:

ls -al /proc/net/tcp

You should see something similar to:

-r--r--r-- 1 root proc 0 May 5 10:11 /proc/net/tcp

Take note of the group name there. In this case, it is "proc".

I'm not familiar with the identd you are using, but what you want to do is modify its configuration so that it runs as this group.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby nogownik » Mon May 19, 2003 7:30 am

first of all, use oidentd
http://ojnk.sourceforge.net/
compile, install and next edit

/etc/grsec/acl and add this:

/usr/local/sbin/oidentd Xo {
/usr/lib
/dev/null rw
/
/dev/console w
/usr/share/zoneinfo r
/usr/local/sbin/oidentd x
/proc/net/tcp r
/proc/net/ip_conntrack r
/lib rx
/etc r
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_NET_BIND_SERVICE
connect {
0.0.0.0/0:53 stream dgram ip tcp udp
}
bind {
0.0.0.0:0 dgram ip
0.0.0.0:113 stream ip tcp
}
}



and YOU MUST have access to /proc/net/tcp and /proc/net/ip_contrack (if you want ident for masquaraded connection). see above

have fun.
work perfect for me
nogownik
 
Posts: 3
Joined: Mon Mar 03, 2003 6:57 am


Return to grsecurity support