Gentoo Archives: gentoo-hardened

From: "Wang
To: gentoo-hardened@l.g.o
Cc: pageexec@××××××××.hu
Subject: Re: [gentoo-hardened] Fwd: hardened gentoo mailman/postfix/apache notes?
Date: Wed, 02 Jan 2008 16:19:15
Message-Id: 200801030011.15278.wangbj@lzu.edu.cn
On Wednesday 02 January 2008 21:41:13, pageexec@××××××××.hu wrote:
> On 2 Jan 2008 at 22:09, Wang, Baojun wrote:
> > Jan 2 12:20:07 mail [687055.942454] grsec: From 202.201.14.141: denied
> > untrusted exec of /usr/local/mailman/mail/mailman by /usr/lib/postfix/
> > local[local:17733] uid/euid:280/280 gid/egid:280/280,
> > parent /usr/lib/postfix/local[local:17732] uid/euid:0/207 gid/egid:0/207
>
> 'untrusted exec' is a sign of your using TPE, i suggest you check
> the kernel help on it and make sure the access rights on the path
> leading up to the executables are proper (in particular, only root
> should be able to write to the executables).

OK, I've checked TPE. Since I'm using Grsecurity level hardened gentoo, TPE is
enabled by default, and I've configured the gid of trusted users to 10
(wheel), but mailman is 280. I'd like to leave it as it is, but I have to add
280 to tpe_gid. I've tried

echo "10 280" > /proc/sys/kernel/grsecurity

but after that only 280 is in the (proc) file. Is there any way to add more
than one group to tpe_gid? Also, even if I echo 280
to /proc/sys/kernel/grsecurity, it still doesn't solve the problem. Now the
problem is solved by echo 0 > /proc/sys/kernel/grsecurity/tpe, but I wonder
if there is a better solution instead.


> > or should I chown -R root:root /usr/local/mailman and chown a-S
> > /usr/local/mailman?
>
> something like that will be needed, yes, but i don't know what exact
> permissions mailman needs to properly function, so be careful.

I have also tried this, but mailman said it expects the program to be invoked by
group mailman ;-(, otherwise I need to configure mailman manually, and I don't
like to do that.

--
Wang, Baojun                                        Lanzhou University
Distributed & Embedded System Lab              http://dslab.lzu.edu.cn
School of Information Science and Engineering     wangbj_AT_lzu.edu.cn
Tianshui South Road 222. Lanzhou 730000                     .P.R.China
Tel:+86-931-8912025                                Fax:+86-931-8912022

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
Re: [gentoo-hardened] Fwd: hardened gentoo mailman/postfix/apache notes? brant williams <brant@×××××.net>