2.4.23 with grsec and (not all) proc restrictions breaks

Post by Razathorn » Tue Dec 16, 2003 2:45 pm

We have a Debian woody box with a fresh 2.4.23-grsec install. When we built with the 'first' proc restriction option on and nothing else in that section checked, our /proc acted very oddly... also netstat would break. When we recompiled with restrict user only on in addition, everything started working.

The odd behavior is as follows:

Netstat would claim that ip was not installed on the machine, but then at random, would work.

Cd in the proc fs would produce odd results if you cd .. -- you would end up with paths like /proc/sys/kernel/../../../# or similar.

Echoing values to proc variables IN a shell would work; in a shell script, it would fail with permission denied. Sysctl could not write values either. Both sysctl and the shell scripts that I had set up (to change shmmax) would work fine only just after you cat the variable in question in the proc file system.

Once again, when we turned on the user restriction option it cleared things up -- so it looks like there is some breakage if you just enable the first option alone.

Wayne