On Thursday 03 January 2008 00:19:27, brant williams wrote:
> You should recompile your kernel and choose a different gid for tpe
> (anything above 1024 would be a good choice). Alternatively, you could
> turn the feature off.
Makes sense, but using sysctl is OK since I've enabled the sysctl feature under
grsecurity; it should be something like:
sysctl -w kernel.grsecurity.tpe=0
Thanks for the help
Wang
> brant williams
> FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
>
> On Thu, 3 Jan 2008, Wang, Baojun wrote:
> > Date: Thu, 3 Jan 2008 00:11:10 +0800
> > From: "Wang, Baojun" <wangbj@lzu.edu.cn>
> > Reply-To: gentoo-hardened@lists.gentoo.org
> > To: gentoo-hardened@lists.gentoo.org
> > Cc: pageexec@freemail.hu
> > Subject: Re: [gentoo-hardened] Fwd: hardened gentoo
> > mailman/postfix/apache notes?
> >
> > On Wednesday 02 January 2008 21:41:13, pageexec@freemail.hu wrote:
> >
> >> On 2 Jan 2008 at 22:09, Wang, Baojun wrote:
> >>> Jan 2 12:20:07 mail [687055.942454] grsec: From 202.201.14.141: denied
> >>> untrusted exec of /usr/local/mailman/mail/mailman by /usr/lib/postfix/
> >>> local[local:17733] uid/euid:280/280 gid/egid:280/280,
> >>> parent /usr/lib/postfix/local[local:17732] uid/euid:0/207
> >>> gid/egid:0/207
> >>
> >> 'untrusted exec' is a sign of your using TPE, i suggest you check
> >> the kernel help on it and make sure the access rights on the path
> >> leading up to the executables are proper (in particular, only root
> >> should be able to write to the executables).
> >
> > OK, I've checked TPE. Since I'm using the Grsecurity level of hardened gentoo, TPE
> > is enabled by default, and I've configured the trusted-user gid to 10
> > (wheel), but mailman is 280. I'd like to leave it as it is, but then I have to
> > add 280 to tpe_gid. I've tried
> >
> > echo "10 280" > /proc/sys/kernel/grsecurity
> >
> > but after that only 280 is in the (proc) file. Is there any way to add
> > more than one group to tpe_gid? Also, even if I echo 280
> > to /proc/sys/kernel/grsecurity, it still doesn't solve the problem. For now
> > the problem is solved by echo 0 > /proc/sys/kernel/grsecurity/tpe, but I
> > wonder if there is a better solution instead.
> >
> >>> or should I chown -R root:root /usr/local/mailman and chown a-S
> >>> /usr/local/mailman?
> >>
> >> something like that will be needed, yes, but i don't know what exact
> >> permissions mailman needs to properly function, so be careful.
> >
> > I have also tried this, but mailman said it expects the program to be invoked
> > by group mailman ;-( ; otherwise I need to configure mailman manually, and I
> > don't like to do that.
> >
> > --
> > Wang, Baojun
> > Lanzhou University Distributed & Embedded System Lab
> > http://dslab.lzu.edu.cn School of Information Science and Engineering
> > wangbj_AT_lzu.edu.cn Tianshui South Road 222, Lanzhou 730000, P.R.China
> > Tel:+86-931-8912025 Fax:+86-931-8912022
--
Wang, Baojun
Lanzhou University Distributed & Embedded System Lab
http://dslab.lzu.edu.cn School of Information Science and Engineering
wangbj_AT_lzu.edu.cn Tianshui South Road 222, Lanzhou 730000, P.R.China
Tel:+86-931-8912025 Fax:+86-931-8912022
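pageexec's advice in the thread (only root should be able to write to the executable and to the directories leading up to it) can be checked mechanically before reaching for tpe_gid or turning TPE off. The helper below is an added example, not code from the thread or from grsecurity: it walks every path component strictly below a base directory and reports any that is not owned by the trusted uid or carries group/other write bits. The base directory and trusted-uid parameters are my additions so it can be exercised on a scratch tree; it assumes GNU coreutils stat.

```shell
#!/bin/sh
# Added example, not from the thread: a TPE-style trust check on a path.
# grsecurity's TPE treats an exec as untrusted when the path to it is not
# root-owned or is writable by others. Walk every component of $1 strictly
# below $2 (default /) and report those not owned by uid $3 (default 0,
# root) or carrying group/other write bits. Assumes GNU coreutils stat.
# Exit status: 0 clean, 1 at least one suspect component, 2 path missing.
tpe_path_check() {
  target=$1
  base=${2:-/}
  trusted=${3:-0}
  p=$target
  bad=0
  while [ "$p" != "$base" ] && [ "$p" != / ]; do
    uid=$(stat -c '%u' "$p") || return 2   # component does not exist
    mode=$(stat -c '%a' "$p")              # octal, e.g. 755 or 1777
    if [ "$uid" != "$trusted" ]; then
      printf '%s: owned by uid %s, expected %s\n' "$p" "$uid" "$trusted"
      bad=1
    fi
    # 0022 masks the group- and other-write bits; the leading 0 makes the
    # shell read $mode as octal
    if [ $(( 0$mode & 0022 )) -ne 0 ]; then
      printf '%s: writable by group/other (mode %s)\n' "$p" "$mode"
      bad=1
    fi
    p=$(dirname "$p")
  done
  return $bad
}

# Stand-alone use on the binary from the quoted denial; set TPE_DEMO=1 to run.
# Prints nothing and exits 0 when every component is root-owned and
# not group/other-writable.
if [ "${TPE_DEMO:-}" = 1 ]; then
  tpe_path_check /usr/local/mailman/mail/mailman
fi
```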