2016-02-01 16:00 GMT+01:00 HacKurx:
>>> 3] Consider adding in postinst "usermod -aG grsec-tpe root ||true" to
>>> avoid many problems (systemd).
>>
>> That doesn't look like a good idea at first sight. First, I'm unsure if TPE
>> restrictions apply to uid 0 (and if adding it to grsec-tpe will change
>> anything). Second, if it's actually useful, that's something which should be
>> done on a per-system basis, I think.
>
> If I believe the TPE reverse restriction also applies to uid 0.
Quick test: only the user switch can be a problem (this is a normal user, uid 1000):

root@jessie:/home/user# find /bin -type d -exec chmod 775 {} \;
root@jessie:/home/user# su user
Impossible d'exécuter /bin/bash: Permission non accordée
root@jessie:/home/user# tail /var/log/syslog
Feb 2 10:52:34 jessie kernel: [ 207.096131] grsec: denied untrusted exec (due to file in group-writable directory) of /bin/bash by /bin/bash[su:3967] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/su[su:3966] uid/euid:0/0 gid/egid:1000/1000
Feb 2 10:52:34 jessie kernel: [ 207.096202] grsec: denied untrusted exec (due to file in group-writable directory) of /bin/bash by /bin/bash[su:3967] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/su[su:3966] uid/euid:0/0 gid/egid:1000/1000

So I added root to this group for nothing :)

So the only thing that might be useful, for people who use Steam or similar:

# Assumes the first regular user has uid 1000 (Debian default); look the
# user name up in passwd rather than grepping /etc/group for "x:1000".
user="$(getent passwd 1000 | cut -d: -f1)"
read -p "Ajouter l'utilisateur courant dans les groupes grsec-allow-tpe et grsec-allow-proc [O/n] " repvar
if [ "$repvar" = "N" ] || [ "$repvar" = "n" ] ; then
    echo -n "OK, seul root sera privilégié."
else
    usermod -aG grsec-allow-tpe "$user" || true
    usermod -aG grsec-allow-proc "$user" || true
fi

-- 
Best regards,
HacKurx (Loic)
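An added example (mine, not code from the thread) that parses grsec TPE denial lines in the syslog format quoted above, collapses the duplicated event and flags the su-to-unprivileged-user case the mail describes. The first two SAMPLE_LOG entries are the quoted lines; the remaining entries are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Matches the grsec TPE denial lines quoted in the mail (syslog/kernel format).
_TPE_RE = re.compile(
    r"grsec: denied untrusted exec \(due to (?P<reason>[^)]*)\) of (?P<path>.+?) "
    r"by [^\[\s]+\[[^\]:]+:(?P<pid>\d+)\] uid/euid:\d+/(?P<euid>\d+) gid/egid:\d+/\d+, "
    r"parent (?P<parent>[^\[\s]+)\[[^\]:]+:\d+\] uid/euid:\d+/(?P<peuid>\d+)"
)

@dataclass(frozen=True)
class TpeDenial:
    reason: str       # e.g. "file in group-writable directory"
    path: str         # executable TPE refused to run
    pid: int
    euid: int         # effective uid that attempted the exec
    parent: str       # parent executable, e.g. /bin/su
    parent_euid: int

def parse_tpe_denial(line):
    """Return a TpeDenial for one syslog line, or None if it is not a TPE denial."""
    m = _TPE_RE.search(line)
    if m is None:
        return None
    return TpeDenial(m["reason"], m["path"], int(m["pid"]), int(m["euid"]),
                     m["parent"], int(m["peuid"]))

def summarize_denials(lines):
    """Collapse repeated lines for one event (the mail shows pid 3967 logged twice)
    and count denials per (path, euid) so an admin sees who is affected."""
    unique = {d for d in map(parse_tpe_denial, lines) if d is not None}
    return unique, Counter((d.path, d.euid) for d in unique)

def privilege_drop_denials(denials):
    """Denials where a uid-0 parent switched to an unprivileged user (the su case):
    adding root to grsec-tpe does not help here, since the exec runs as the user."""
    return sorted((d for d in denials if d.parent_euid == 0 and d.euid != 0),
                  key=lambda d: d.pid)

# Constructed sample: the two quoted lines, one invented denial of another binary
# from a plain shell, and one unrelated syslog line that must be ignored.
SAMPLE_LOG = [
    "Feb 2 10:52:34 jessie kernel: [ 207.096131] grsec: denied untrusted exec (due to file in group-writable directory) of /bin/bash by /bin/bash[su:3967] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/su[su:3966] uid/euid:0/0 gid/egid:1000/1000",
    "Feb 2 10:52:34 jessie kernel: [ 207.096202] grsec: denied untrusted exec (due to file in group-writable directory) of /bin/bash by /bin/bash[su:3967] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/su[su:3966] uid/euid:0/0 gid/egid:1000/1000",
    "Feb 2 10:53:10 jessie kernel: [ 243.000001] grsec: denied untrusted exec (due to file in group-writable directory) of /usr/bin/python by /bin/bash[bash:4001] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3990] uid/euid:1000/1000 gid/egid:1000/1000",
    "Feb 2 10:53:11 jessie sshd[4010]: Accepted publickey for user from 192.0.2.1 port 50000 ssh2",
]
```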