| 1 |
On Thursday 03 January 2008 00:19:27, brant williams wrote: |
| 2 |
> You should recompile your kernel and choose a different gid for tpe |
| 3 |
> (anything above 1024 would be a good choice). Alternatively, you could |
| 4 |
> turn the feature off. ;) |
| 5 |
|
| 6 |
make sense, but using sysctl is ok since I've enable the sysctl features under |
| 7 |
grsecurity, should be something like: |
| 8 |
|
| 9 |
sysctl -w kernel.grsecurity.tpe=0 |
| 10 |
|
| 11 |
Thanks for help ;) |
| 12 |
|
| 13 |
Wang |
| 14 |
> brant williams |
| 15 |
> FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002 |
| 16 |
> |
| 17 |
> On Thu, 3 Jan 2008, Wang, Baojun wrote: |
| 18 |
> > Date: Thu, 3 Jan 2008 00:11:10 +0800 |
| 19 |
> > From: "Wang, Baojun" <wangbj@×××××××.cn> |
| 20 |
> > Reply-To: gentoo-hardened@l.g.o |
| 21 |
> > To: gentoo-hardened@l.g.o |
| 22 |
> > Cc: pageexec@××××××××.hu |
| 23 |
> > Subject: Re: [gentoo-hardened] Fwd: hardened gentoo |
| 24 |
> > mailman/postfix/apache notes? |
| 25 |
> > |
| 26 |
> > On Wednesday 02 January 2008 21:41:13, pageexec@××××××××.hu wroteï¼ |
| 27 |
> > |
| 28 |
> >> On 2 Jan 2008 at 22:09, Wang, Baojun wrote: |
| 29 |
> >>> Jan 2 12:20:07 mail [687055.942454] grsec: From 202.201.14.141: denied |
| 30 |
> >>> untrusted exec of /usr/local/mailman/mail/mailman by /usr/lib/postfix/ |
| 31 |
> >>> local[local:17733] uid/euid:280/280 gid/egid:280/280, |
| 32 |
> >>> parent /usr/lib/postfix/local[local:17732] uid/euid:0/207 |
| 33 |
> >>> gid/egid:0/207 |
| 34 |
> >> |
| 35 |
> >> 'untrusted exec' is a sign of your using TPE, i suggest you check |
| 36 |
> >> the kernel help on it and make sure the access rights on the path |
| 37 |
> >> leading up to the executables are proper (in particular, only root |
| 38 |
> >> should be able to write to the executables). |
| 39 |
> > |
| 40 |
> > OK, I've check TPE, since I'm using Grsecurity level hardened gentoo, TPE |
| 41 |
> > is enabled by default, and I've configured the gid to trusted users to 10 |
| 42 |
> > (wheel), but mailman is 280, I'd like to leave it as it is, but I have to |
| 43 |
> > add 280 to tpe_gid, I've tried |
| 44 |
> > |
| 45 |
> > echo "10 280" > /proc/sys/kernel/grsecurity |
| 46 |
> > |
| 47 |
> > but after that only 280 is in the (proc) file, is there any way to add |
| 48 |
> > more than 1 group to tpe_gid? Also, even I echo 280 |
| 49 |
> > to /proc/sys/kernel/grsecurity, it still doesn't solve the problem, now |
| 50 |
> > the problem is solved by echo 0 > /proc/sys/kernel/grsecurity/tpe, but I |
| 51 |
> > wonder there is a better solution instead. |
| 52 |
> > |
| 53 |
> >>> or should I chown -R root:root /usr/local/mainman and chown a-S |
| 54 |
> >>> /usr/local/manman? |
| 55 |
> >> |
| 56 |
> >> something like that will be needed, yes, but i don't know what exact |
| 57 |
> >> permissions mailman needs to properly function, so be careful. |
| 58 |
> > |
| 59 |
> > I have also tried this, but mailman said it expect the program is invoked |
| 60 |
> > by group mailman ;-(, otherwise I need to configure mailman manually, I |
| 61 |
> > don't like to to that. |
| 62 |
> > |
| 63 |
> > -- |
| 64 |
> > Wang, Baojun                    |
| 65 |
> >  Lanzhou University Distributed & Embedded System Lab       |
| 66 |
> > Â http://dslab.lzu.edu.cn School of Information Science and Engeneering |
| 67 |
> > Â Â wangbj_AT_lzu.edu.cn Tianshui South Road 222. Lanzhou 730000 Â Â |
| 68 |
> > Â Â Â Â Â Â Â Â .P.R.China Tel:+86-931-8912025 Â Â Â Â Â Â |
| 69 |
> > Â Â Â Â Â Â Â Â Â Â Fax:+86-931-8912022 |
| 70 |
|
| 71 |
|
| 72 |
|
| 73 |
-- |
| 74 |
Wang, Baojun Lanzhou University |
| 75 |
Distributed & Embedded System Lab http://dslab.lzu.edu.cn |
| 76 |
School of Information Science and Engeneering wangbj_AT_lzu.edu.cn |
| 77 |
Tianshui South Road 222. Lanzhou 730000 .P.R.China |
| 78 |
Tel:+86-931-8912025 Fax:+86-931-8912022 |
Archives