-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


You should recompile your kernel and choose a different gid for tpe
(anything above 1024 would be a good choice). Alternatively, you could
turn the feature off. ;)


brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002



On Thu, 3 Jan 2008, Wang, Baojun wrote:

> Date: Thu, 3 Jan 2008 00:11:10 +0800
> From: "Wang, Baojun" <wangbj@×××××××.cn>
> Reply-To: gentoo-hardened@l.g.o
> To: gentoo-hardened@l.g.o
> Cc: pageexec@××××××××.hu
> Subject: Re: [gentoo-hardened] Fwd: hardened gentoo mailman/postfix/apache
> notes?
>
> On Wednesday 02 January 2008 21:41:13, pageexec@××××××××.hu wrote:
>> On 2 Jan 2008 at 22:09, Wang, Baojun wrote:
>>> Jan 2 12:20:07 mail [687055.942454] grsec: From 202.201.14.141: denied
>>> untrusted exec of /usr/local/mailman/mail/mailman by /usr/lib/postfix/
>>> local[local:17733] uid/euid:280/280 gid/egid:280/280,
>>> parent /usr/lib/postfix/local[local:17732] uid/euid:0/207 gid/egid:0/207
>>
>> 'untrusted exec' is a sign of your using TPE, i suggest you check
>> the kernel help on it and make sure the access rights on the path
>> leading up to the executables are proper (in particular, only root
>> should be able to write to the executables).
>
> OK, I've checked TPE, since I'm using Grsecurity level hardened gentoo, TPE is
> enabled by default, and I've configured the gid to trusted users to 10
> (wheel), but mailman is 280, I'd like to leave it as it is, but I have to add
> 280 to tpe_gid, I've tried
>
> echo "10 280" > /proc/sys/kernel/grsecurity
>
> but after that only 280 is in the (proc) file, is there any way to add more
> than 1 group to tpe_gid? Also, even if I echo 280
> to /proc/sys/kernel/grsecurity, it still doesn't solve the problem, now the
> problem is solved by echo 0 > /proc/sys/kernel/grsecurity/tpe, but I wonder
> if there is a better solution instead.
>
>
>>> or should I chown -R root:root /usr/local/mainman and chown a-S
>>> /usr/local/manman?
>>
>> something like that will be needed, yes, but i don't know what exact
>> permissions mailman needs to properly function, so be careful.
>
> I have also tried this, but mailman said it expects the program is invoked by
> group mailman ;-(, otherwise I need to configure mailman manually, I don't
> like to do that.
>
> --
> Wang, Baojun Lanzhou University
> Distributed & Embedded System Lab http://dslab.lzu.edu.cn
> School of Information Science and Engineering wangbj_AT_lzu.edu.cn
> Tianshui South Road 222. Lanzhou 730000 .P.R.China
> Tel:+86-931-8912025 Fax:+86-931-8912022
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)

iD8DBQFHe7mTdCBnhE3rYAIRCBiLAJ0ZNESXK1VpolZFsUB2hXUMBsVXtgCcDJLy
Syi39/Qu0Cl0gYAcmI4v1II=
=pHDt
-----END PGP SIGNATURE-----
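The quoted exchange above boils down to one check an administrator can run before touching tpe_gid or disabling TPE: is the executable, and the directory it sits in, owned by root and writable by nobody else? The following POSIX shell function is an added example written for this archive page, not code from the thread or from grsecurity; it follows the advice in the quoted reply rather than reproducing the kernel's exact TPE test (which the reply points you to in the kernel help), and the `tpe_path_check` name, the optional trusted-uid argument (so it can be exercised without root) and the scratch tree it builds are all constructed for the demonstration.

```shell
#!/bin/sh
# tpe_path_check FILE [TRUSTED_UID]
# Return 0 if FILE and its containing directory are both owned by TRUSTED_UID
# (default 0 = root) and writable by neither group nor others, which is the
# "only root should be able to write" condition described in the thread.
# Otherwise print the first offending path and reason to stderr and return 1.
tpe_path_check() {
    tpc_file=$1
    tpc_uid=${2:-0}
    tpc_dir=$(dirname "$tpc_file")
    for tpc_p in "$tpc_dir" "$tpc_file"; do
        # ls -ldn is POSIX: field 1 is the mode string, field 3 the numeric owner uid
        tpc_out=$(ls -ldn "$tpc_p" 2>/dev/null) || {
            echo "untrusted: $tpc_p does not exist" >&2
            return 1
        }
        set -- $tpc_out
        tpc_mode=$1
        tpc_owner=$3
        if [ "$tpc_owner" != "$tpc_uid" ]; then
            echo "untrusted: $tpc_p owned by uid $tpc_owner, expected $tpc_uid" >&2
            return 1
        fi
        # mode string layout: type, then rwx for user, group, others
        case $tpc_mode in
            ?????w*) echo "untrusted: $tpc_p is group-writable ($tpc_mode)" >&2; return 1 ;;
        esac
        case $tpc_mode in
            ????????w*) echo "untrusted: $tpc_p is world-writable ($tpc_mode)" >&2; return 1 ;;
        esac
    done
    return 0
}

# Constructed demonstration tree (not a real mailman install). The current
# user stands in for root so the demo runs unprivileged.
demo_uid=$(id -u)
demo=$(mktemp -d)
mkdir -p "$demo/bin"
chmod 755 "$demo/bin"
printf '#!/bin/sh\necho mailman\n' > "$demo/bin/mailman"
chmod 755 "$demo/bin/mailman"

if tpe_path_check "$demo/bin/mailman" "$demo_uid"; then
    echo "ok: clean tree would be trusted"
fi
chmod g+w "$demo/bin"    # the kind of loose permission the thread warns about
if ! tpe_path_check "$demo/bin/mailman" "$demo_uid"; then
    echo "ok: group-writable directory is rejected"
fi
rm -rf "$demo"
```

Run it against the real path from the log line (`tpe_path_check /usr/local/mailman/mail/mailman`) to see which component TPE would object to before deciding between fixing ownership, adding the group to tpe_gid, or rebuilding the kernel as the reply suggests.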