Forum

Hi, I would like to make a comment about this line in the hiawatha howto: /proc/*/fd rw
If I'm correct with this line you give read write permissions to all file descriptors of all process, is this correct? Why not only to the "pidof hiawatha" process?
I don't believe that doing those would be a good idea, if you make the process running with all privileges you could read for example the input of one bash process or a getty in a tty, don't you?

My second comentary is about this line: /proc/kcore h: Why did you make /proc/kcore hidden and not for example /dev/mem, since /proc/kcore is a read-only version of /dev/mem and their permissions are 400 root:root I think it's less critical than /dev/mem. So, why did not add the h flag to /dev/mem /dev/kmem and /dev/ioports when needed?

Please take note that I don't use grsecurity and I could missed something, if this happened sorry.

PD: I'm an rsbac user, when I have the hiawatha policy up I will send you

The grsecurity and apparmor configurations are far from perfect. They started as an experiment.

Why I use /proc/*/fd is because I have no idea what PID Hiawatha will have when grsecurity starts.

No, de kernel takes care of those basic security things. In this case, grsecurity is more like an extra ring in the security union instead of the only one.

About /proc/kcore and /dev/mem: same reason as above, the config is far from perfect. It's just a start.

I know, for this reason I only make a suggestion and as I don't know why did you do somethings in the policy I ask you :-).

Please get realized that I have not said: your policy sucks, it's horrible, stupid and probably there is not a human behind it, instead I only ask the reason for something and adding a probably constructive suggestion.



And I suppose there is no way to pass variables to the /etc/grsec/policy file is it?, there must be a mechanism to do it, if not grsecurity sucks. If some grsecurity user read this, please get some light in this.

With a cat </proc/$pidofbash/fd/1 you can see what they are typing..., and this is very simple and unusable too, all must be said, why cannot be read the fd 0 of a process as I do before and redirected?, could be a keylogger.

for example, why could not be done with "dup"?

PD: the forum rejected one post mine because it was seen as spam?¿ :-S

I'm not a grsecurity or apparmor expert. If you know how to improve the policies, please let me know.


I've checked the log and seen that the reason your post was seen as spam is because there was an hour between the moment you loaded the forum page in your browser and the time you posted the message. So, your PHP session was expired. Most of the spammers directly post a message without requesting the page which holds the form, because the spamming is done by bots instead of humans. So, because of that I block posts which did not load the form first.