[grsec] proc restrictions + /proc/net/if_inet6
Wolfram Schlich
lists at wolfram.schlich.org
Thu May 10 07:51:16 EDT 2007
Hi,
with activated proc restrictions, IPv6 enabled services/daemons
(like apache, bind, postfix) are prevented from functioning
properly, as they rely on information they read from
/proc/net/if_inet6.
See this: http://forums.grsecurity.net/viewtopic.php?p=6575
Adding those daemon users to the grsec_proc/1001 group is
unreasonable, as those users would have far more permissions
than needed.
Currently, I can do a "chmod a+rx /proc/net", but I don't
like it having to put a line like the above into some sort
of init script.
I'd rather prefer grsecurity to take care about this, either
as a user definable option through .config (for example
CONFIG_GRKERNSEC_PROC_NET) or as a "new default" setting.
Comments, please :)
--
Regards,
Wolfram Schlich <wschlich at gentoo.org>
Gentoo Linux * http://dev.gentoo.org/~wschlich/
More information about the grsecurity
mailing list