
identd problem

PostPosted: Sat Aug 31, 2002 9:41 am
by DMBreathn
When I use a kernel with grsecurity, my identd won't work. It starts OK, but when I check my ports, 113 isn't open. When I use a kernel without grsecurity, my identd works fine. Could anyone help me with my problem? How can I open port 113 when I use grsecurity, so that my identd will work?

i :-?

PostPosted: Sun Sep 08, 2002 6:37 am
by decoder
Hmm, I can't really think of what that could be. Did you maybe enable socket restrictions in grsecurity? If so, try disabling socket restrictions (under Network Protections). If that doesn't work, tell me what options you have enabled.

cu
decoder

PostPosted: Sun Sep 08, 2002 9:13 pm
by spender
You didn't read the help for the proc restriction option. If you chose "restrict to user only", you have to run the identd as root (not recommended). If you chose "allow a special group", you must run identd as that group so it can open /proc/net/tcp.

-Brad

PostPosted: Mon May 05, 2003 6:48 am
by Tirppa
I'm quite the newbie and have exactly the same problem. I could now use a bit more of a step-by-step guide on how to fix this "problem". I use Debian and compiled a 2.4.20 kernel with grsec 1.9.9g at the medium security setting. My identd is running like this:

nobody 22718 0.0 0.8 1312 528 ? S 13:29 0:00 [gidentd]

I really could use the help, as soon as possible :-?

PostPosted: Mon May 05, 2003 10:08 am
by spender
as root:

ls -al /proc/net/tcp

You should see something similar to:

-r--r--r-- 1 root proc 0 May 5 10:11 /proc/net/tcp

Take note of the group name there. In this case, it is "proc".

I'm not familiar with the identd you are using, but what you want to do is modify its configuration so that it runs as this group.

-Brad
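The failure mode spender is describing, and the check he asks for, as an added example that is not code from the thread or from any identd: an ident daemon answers a query by scanning /proc/net/tcp for the connection and reading its uid column; under the grsecurity proc restriction with a special group, that file is only readable by root or by members of that group, so a daemon running as "nobody" gets nothing back and port 113 looks dead. The /proc/net/tcp contents below are constructed, the gid 100 for the "proc" group is a hypothetical value, and the little-endian address encoding assumes an x86 host.

```python
#!/usr/bin/env python3
"""Added example, not code from the thread: what an identd does with
/proc/net/tcp, and why it stops answering once grsecurity's /proc
restriction hides that file from the identd's uid/gid."""
import grp
import os
import socket
import struct

# Constructed sample of /proc/net/tcp (2.4-era layout). Addresses are the
# 32-bit value in host byte order printed as hex, ports are plain hex.
# Row 0: the ident listener itself on 0.0.0.0:113 (0x71), owned by nobody.
# Row 1: an ESTABLISHED client from 10.0.0.5:6667 to 192.0.2.10:6667, uid 1000.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0071 00000000:0000 0A 00000000:00000000 00:00000000 00000000 65534        0 1234 1 c0000000 300 0 0 2 -1
   1: 0500000A:1A0B 0A0200C0:1A0B 01 00000000:00000000 00:00000000 00000000  1000        0 5678 1 c0000001 20 4 0 2 -1
"""

TCP_ESTABLISHED = "01"


def parse_addr(field):
    """'0500000A:1A0B' -> ('10.0.0.5', 6667). Assumes a little-endian host
    (x86), which is how the kernel that produced the table stored it."""
    addr_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16))), int(port_hex, 16)


def lookup_owner(table, local_port, remote_ip, remote_port):
    """Return the uid owning the ESTABLISHED connection that matches the
    (local port, remote ip, remote port) triple, or None. This scan is
    the whole job of an identd."""
    for line in table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_ESTABLISHED:
            continue
        _, lport = parse_addr(fields[1])
        rip, rport = parse_addr(fields[2])
        if (lport, rip, rport) == (local_port, remote_ip, remote_port):
            return int(fields[7])                # uid column
    return None


def proc_allows(uid, gids, proc_gid):
    """Model of the grsecurity proc restriction with a special group:
    only root or a member of proc_gid may read /proc/net/tcp, whatever
    the mode bits shown by ls -l suggest."""
    return uid == 0 or proc_gid in gids


def ident_reply(daemon_uid, daemon_gids, proc_gid, table, lport, rip, rport):
    """One RFC 1413 answer for 'lport , rport' from client rip, as given by
    an identd running with daemon_uid/daemon_gids on a grsec kernel."""
    if not proc_allows(daemon_uid, daemon_gids, proc_gid):
        # What really happens: open("/proc/net/tcp") fails with EACCES,
        # or the daemon sees an empty table.
        return f"{lport} , {rport} : ERROR : UNKNOWN-ERROR"
    uid = lookup_owner(table, lport, rip, rport)
    if uid is None:
        return f"{lport} , {rport} : ERROR : NO-USER"
    return f"{lport} , {rport} : USERID : UNIX : {uid}"


def proc_net_tcp_group(path="/proc/net/tcp"):
    """spender's 'ls -al /proc/net/tcp' check, done programmatically: the
    group name owning the file (the group the identd must run as), or
    None on a host without /proc/net/tcp."""
    try:
        gid = os.stat(path).st_gid
    except OSError:
        return None
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


if __name__ == "__main__":
    PROC_GID = 100      # hypothetical gid of the "proc" group seen in ls -al
    NOBODY = 65534
    query = (SAMPLE_PROC_NET_TCP, 6667, "192.0.2.10", 6667)
    print("identd as nobody:     ", ident_reply(NOBODY, [NOBODY], PROC_GID, *query))
    print("identd as nobody:proc:", ident_reply(NOBODY, [NOBODY, PROC_GID], PROC_GID, *query))
    print("group to run as here: ", proc_net_tcp_group())
```

The group name that proc_net_tcp_group() returns is the one to put in the daemon's configuration (or to start it under, with the proper capability drops), which is the whole fix: the daemon keeps an unprivileged uid and only gains the group that the kernel lets read /proc/net/tcp.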

PostPosted: Mon May 19, 2003 7:30 am
by nogownik
First of all, use oidentd:
http://ojnk.sourceforge.net/
Compile, install, and then edit

/etc/grsec/acl and add this:

/usr/local/sbin/oidentd Xo {
    /usr/lib
    /dev/null rw
    /
    /dev/console w
    /usr/share/zoneinfo r
    /usr/local/sbin/oidentd x
    /proc/net/tcp r
    /proc/net/ip_conntrack r
    /lib rx
    /etc r
    -CAP_ALL
    +CAP_SETGID
    +CAP_SETUID
    +CAP_NET_BIND_SERVICE
    connect {
        0.0.0.0/0:53 stream dgram ip tcp udp
    }
    bind {
        0.0.0.0:0 dgram ip
        0.0.0.0:113 stream ip tcp
    }
}



and YOU MUST have access to /proc/net/tcp and /proc/net/ip_conntrack (if you want ident for masqueraded connections). See above.

Have fun.
Works perfectly for me.