php file() and access to /proc/dev/net


Post by milou » Mon Nov 24, 2003 7:03 am

Hello. I have a Debian grsec enabled, 2.4.21 kernel patched with grsec-1.9.11. I chose the "medium" range of grsec from the menuconfig.

Now I have a php app on my website which reads /proc/dev/net for giving some info on a webpage.
Since I enabled grsec in the kernel I have the following error:

Warning: file("/proc/net/dev") - Permission denied in /home/server/html/syscon/modules/mod_iflist.php on line 23

I added "/proc/net rwx" and "/proc/net/dev r" in the /etc/grsec/acl and ran gradm -E, but I still get the error... What did I forget?

Thank you
Eric
milou
 
Posts: 2
Joined: Mon Nov 24, 2003 6:58 am

Post by goodbyte » Tue Nov 25, 2003 3:41 am

You should have a look at CONFIG_GRSEC_PROC, CONFIG_GRSEC_PROC_USER and CONFIG_GRSEC_PROC_USERGROUP in the kernel config (located under grsecurity - filesystem protections, you must change to custom security level). The reason is that grsecurity has additional restrictions of /proc that are not covered by the acl system.
goodbyte
 
Posts: 32
Joined: Sun May 12, 2002 4:33 am
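
One way to check what the reply above describes, added here as an example and not part of the thread or of grsecurity: it reads a kernel config to report which of the /proc restriction options named in the reply are compiled in, and tests whether the current account can open a file such as /proc/net/dev. The function names and the sample config are constructed; accepting the CONFIG_GRKERNSEC_ prefix as an alternate spelling is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Option names are the ones given in the
# reply; the CONFIG_GRKERNSEC_ prefix is accepted too (assumption).

# Constructed sample kernel config, used when no file is passed.
sample_config() {
cat <<'EOF'
CONFIG_GRSEC_PROC=y
# CONFIG_GRSEC_PROC_USER is not set
CONFIG_GRSEC_PROC_USERGROUP=y
EOF
}

# proc_opt FILE SUFFIX: succeeds if CONFIG_GRSEC_PROC<SUFFIX>=y is in FILE.
proc_opt() {
    grep -Eq "^CONFIG_GR(KERN)?SEC_PROC$2=y\$" "$1"
}

# proc_mode FILE: prints none | user | usergroup | enabled.
proc_mode() {
    if ! proc_opt "$1" ""; then echo none
    elif proc_opt "$1" _USERGROUP; then echo usergroup
    elif proc_opt "$1" _USER; then echo user
    else echo enabled
    fi
}

# can_open FILE: succeeds if the current user can open FILE for reading.
# Run it as the web server account to reproduce what PHP's file() sees.
can_open() {
    ( : < "$1" ) 2>/dev/null
}

# diagnose CONFIG TARGET: combines both checks into one line of output.
diagnose() {
    mode=$(proc_mode "$1")
    if can_open "$2"; then access=readable; else access=denied; fi
    echo "proc_restriction=$mode target=$2 access=$access"
}

# Demo on the constructed sample; pass a real config path as $1 instead.
cfg=${1:-}
if [ -z "$cfg" ]; then
    cfg=$(mktemp) && sample_config > "$cfg"
fi
diagnose "$cfg" /proc/net/dev
```

If the restriction is reported while the ACL already allows the path, the denial comes from the compiled-in /proc options rather than from /etc/grsec/acl.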

Post by milou » Tue Nov 25, 2003 9:18 am

goodbyte wrote: You should have a look at CONFIG_GRSEC_PROC, CONFIG_GRSEC_PROC_USER and CONFIG_GRSEC_PROC_USERGROUP in the kernel config (located under grsecurity - filesystem protections, you must change to custom security level). The reason is that grsecurity has additional restrictions of /proc that are not covered by the acl system.


Thank you, I'm going to check and recompile my kernel. Now I have the same kind of problem with /dev/port, I guess this is the same kind of problem (deny access to /dev/port option) ...
milou
 
Posts: 2
Joined: Mon Nov 24, 2003 6:58 am

