Hi Alex,

>sorry to interrupt your thoughts, but gcc trampolines are not used for
>such things :-(

I'll take your word for it :-)

>> Is there any way of running an executable with modified
>> grsecurity options
>> without changing the on-disk file with chpax?
>yes, there is
>with an enabled grsec system, you have to put grsecurity acl PaX flags
>for the kaspersky binary:

Thanks for the pointer; turns out it's good and bad news:

The good news: Yep, in a system with active grsec acls that works as
expected.

The bad news: setting up the system so it works with active grsec acl is NOT
a trivial task :-) Still trying to get basic system functionality working
without error messages, not succeeded yet.

Currently I'm trying to understand these log entries:

Sep 17 22:13:13 firewall kernel: grsec: From 10.192.14.130: denied access to hidden file /dev/urandom by (gradm:27705) UID(0) EUID(0), parent (bash:17833) UID(0) EUID(0)

Sep 17 22:00:22 firewall kernel: grsec: From 10.192.14.130: denied open of /dev/urandom for reading by (sshd:29575) UID(0) EUID(0), parent (sshd:25465) UID(0S

Which I get when using the default acls from grsecurity-base-policy-20030614;
these specify (excerpt)

/ {
    /
    /dev
    /dev/random r
    /dev/urandom r
}

Which I'd have expected to enable read access for /dev/urandom for all
processes. So where do these come from?

Oh, well I guess this is going to take some more time :-)

Bye, Martin

--
gentoo-hardened@g.o mailing list