On Wed, May 28, 2003 at 11:10:54PM +0300, Timo Sirainen wrote:
> On Wed, 28 May 2003 01:31:10 -0700, Caskey Dickson wrote:
> 
> > Unless you need grsecurity, I suggest that you get rid of it.  If you don't
> > know what it is, then odds are that you don't really need it.  Either way,
> > either apache or your app running via an apache .so is running afoul of grsec.
> 
> Well, really off topic, but I'd say it's exactly the opposite. grsec
> should be used especially when you don't know if you need it or not. It
> makes your Linux much more secure against crackers with very little
> trouble. I wouldn't run a public Linux server without it.

I agree, grsec, or any MAC system is in general a Good Thing(TM).  However,
as you mentioned, it causes 'very little trouble'.  Unfortunately, in this
case we have 'trouble'.  It would seem that the MUA being run through
apache does not live well in a MAC environment and grsec is killing apache
as a result.  (Either because apache or the MUA runs afoul of the MAC.)

Not all software can be run unmodified in a MAC environment and unless
this person has the ability to determine where the failure is coming
from (which I simply assumed they didn't), they are better off turning
off an experimental system like grsec and running in a DAC environment.
It is a DAC (i.e. POSIX) environment, I might add, that his MUA, courier
and binc were designed for.

Configuration of grsec is non-trivial when things don't "just work" and
my goal was to save this individual the effort of learning grsec and
binc and apache and his MUA well enough to make it work.  This is why
I said, "if you don't know what it is, then odds are you don't really
need it."  If the person does know what it is and that they want it,
they can go about making it work.

C=)

P.S.  It is heartening to see that binc wasn't being killed outright
by grsec.

-- 
--------------------------------------------------------------------------
     Better the hard truth than the comforting fantasy. -- Carl Sagan
--------------------------------------------------------------------------
Caskey <caskey*technocage.com>       ///                   TechnoCage Inc.
--------------------------------------------------------------------------
 A presumption on your part does not constitute an obligation on my part.
