[grsec] info still visible in /proc

brant williams brant at tnarb.net
Thu Jan 24 14:38:58 EST 2008


The grsec restrictions for /proc will generally only allow non-privileged 
users to view their own process information (e.g. when using "/bin/ps" or 
"/usr/bin/top").  If you want to restrict access further, you can use the 
RBAC system to close things off at the directory level (but really, what 
information are you trying to protect?).


brant williams
FCAA CDCA 20BC 3925 D634  F5C4 7420 6784 4DEB 6002



On Thu, 24 Jan 2008, Ariel Garcia wrote:

> Date: Thu, 24 Jan 2008 09:10:43 +0100
> From: Ariel Garcia <garcia at iwr.fzk.de>
> To: grsecurity at grsecurity.net
> Subject: Re: [grsec] info still visible in /proc
> 
> Hi,
>
>> I configured grsec to limit /proc access to group 0 only:
>>
>> CONFIG_GRKERNSEC_PROC=y
>> # CONFIG_GRKERNSEC_PROC_USER is not set
>> CONFIG_GRKERNSEC_PROC_USERGROUP=y
>> CONFIG_GRKERNSEC_PROC_GID=0
>> CONFIG_GRKERNSEC_PROC_ADD=y
>>
>> However some things that [I think] should be hidden are not:
>
>
> Did you check if grsec is being enforced?
>
> CONFIG_GRKERNSEC_SYSCTL  (provides de/activation of grsec over /sys)
> CONFIG_GRKERNSEC_SYSCTL_ON  (turn on features by default)
>
> Hope it helps
> Cheers, Ariel

