2016-02-01 16:00 GMT+01:00 HacKurx:
>>> 3] Consider adding in postinst "usermod -aG grsec-tpe root ||true" to
>>> avoid many problems (systemd).
>>
>> That doesn't look like a good idea at first sight. First, I'm unsure if TPE
>> restrictions apply to uid 0 (and if adding it to grsec-tpe will change
>> anything). Second, if it's actually useful, that's something which should be
>> done on a per-system basis, I think.
>
> I believe the TPE reverse restriction also applies to uid 0.
Quick test; only the user switch can be a problem (this is the normal user, uid 1000):
root@jessie:/home/user# find /bin -type d -exec chmod 775 {} \;
root@jessie:/home/user# su user
Impossible d'exécuter /bin/bash: Permission non accordée
root@jessie:/home/user# tail /var/log/syslog
Feb 2 10:52:34 jessie kernel: [ 207.096131] grsec: denied untrusted exec (due to file in group-writable directory) of /bin/bash by /bin/bash[su:3967] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/su[su:3966] uid/euid:0/0 gid/egid:1000/1000
Feb 2 10:52:34 jessie kernel: [ 207.096202] grsec: denied untrusted exec (due to file in group-writable directory) of /bin/bash by /bin/bash[su:3967] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/su[su:3966] uid/euid:0/0 gid/egid:1000/1000
So I added root to this group for nothing :)
So the only thing that might be useful, for people who use Steam or similar:
read -p "Ajouter l'utilisateur courant dans les groupes grsec-allow-tpe et grsec-allow-proc [O/n] " repvar
if [ "$repvar" = "N" ] || [ "$repvar" = "n" ] ; then
    echo "OK, seul root sera privilégié."
else
    # Name of the user with uid 1000 (the first regular user on Debian).
    # Looking it up in passwd is more reliable than grepping /etc/group,
    # which only works when the group name happens to match the user name.
    user=$(getent passwd 1000 | cut -d: -f1)
    usermod -aG grsec-allow-tpe "$user" || true
    usermod -aG grsec-allow-proc "$user" || true
fi
--
Best regards,
HacKurx (Loic)
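Added example, not from the thread or from the grsecurity package: a small POSIX shell check that classifies a directory the way TPE treats it for an untrusted user (writable by group or others, or not owned by root), so an administrator can audit a PATH before enabling TPE instead of discovering denials like the one above in syslog. TRUSTED_UID is an assumption introduced for testing; TPE itself requires owner uid 0.

```shell
#!/bin/sh
# TPE denies exec of a file whose directory is group- or world-writable,
# or not owned by root (the "chmod 775 /bin" test above hits the first case).
# TRUSTED_UID is an assumption for testing only; real TPE hard-codes uid 0.
TRUSTED_UID="${TRUSTED_UID:-0}"

# tpe_dir_status DIR
# Prints "trusted", or the reason TPE would deny exec from DIR (status 1).
tpe_dir_status() {
    dir=$1
    [ -d "$dir" ] || { echo "missing"; return 1; }
    # "ls -ldn" gives the mode string and numeric owner uid, e.g.
    # "drwxrwxr-x 2 1000 1000 4096 Feb  2 10:52 /bin"
    set -- $(ls -ldn "$dir")
    mode=$1; owner=$3
    case $mode in
        ????????w*) echo "untrusted: world-writable directory"; return 1 ;;
        ?????w*)    echo "untrusted: group-writable directory"; return 1 ;;
    esac
    if [ "$owner" != "$TRUSTED_UID" ]; then
        echo "untrusted: directory not owned by uid $TRUSTED_UID"; return 1
    fi
    echo "trusted"
}

# tpe_audit_path "DIR1:DIR2:..."
# Reports every directory TPE would refuse; returns 1 if any was found.
tpe_audit_path() {
    rc=0
    saved_ifs=$IFS; IFS=:
    set -- $1
    IFS=$saved_ifs
    for d in "$@"; do
        status=$(tpe_dir_status "$d") || { echo "$d: $status"; rc=1; }
    done
    return $rc
}
```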