[tech] Grsec

Matt Johnston matt at ucc.asn.au
Sun Dec 7 16:07:38 WST 2003


On Sun, Dec 07, 2003 at 11:51:46AM +0800, Paul Marinceu wrote:
> Hiho,
> 
> I'd like to propose that grsec be removed from ucc kernels.
> Yes, I know people may be against it, therefore I'll outline my point:
> (apologies to Bernard who spent his time making grsec work)
> 
> - ucc is not _much_ safer with grsec as there are other ways to get in.
> - the main point: people can no longer hack happily on the affected
> machines. The grsec kernel is too panicky and kills off any processes
> that are using unsafe syscalls. This obviates the usefulness of the ucc,
> making our machines as restrictive as cs boxen.

The current setup with grsec probably is a bit restrictive, but some of the
basic features (PaX and stuff) are worth keeping. Exploitable programs
don't always get patched as soon as someone knows there's a vulnerability,
so it is worth having some additional measures.

> Also, the side effects can be very obscure and hard to pinpoint. Another
> thing to add to someone who's developing experimental/pre-release code
> that's buggy anyway.

Grsec's logging is quite good. dmesg|tail has pinpointed every problem we've
seen so far (afaik, let me know otherwise).

> I guess grsec can be configured to be less restrictive...but will this
> work. Maybe next week, I'll find something else that breaks. Also,
> lowering the security goes against the whole point of having grsec...

Not really. chpax to turn off the restrictions can only be done if you're
already in a position to do bad things, so it doesn't make a huge
difference.

I'll turn off some of the more troublesome things, and I think there'll be
no major usability issues.

Matt

