Home arrow Security arrow Page 4 - Unix Host Security: Hacks 11-20

Restrict Applications with grsecurity Hack #14 - Security

Security isn't a noun, it's a verb; not a product, but a process. Today, learn the hacks involved in reducing the risks involved in offering services on a Unix-based system. This the second part of chapter one in Network Security Hacks, by Andrew Lockhart (ISBN 0-596-00643-8, O'Reilly & Associates, 2004).

  1. Unix Host Security: Hacks 11-20
  2. Prevent Stack-Smashing AttacksHack #12
  3. Lock Down Your Kernel with grsecurity Hack #13
  4. Restrict Applications with grsecurity Hack #14
  5. Restrict System Calls with Systrace Hack #15
  6. Automated Systrace Policy Creation Hack #16
  7. Control Login Access with PAM Hack #17
  8. Restricted Shell Environments Hack #18
  9. Enforce User and Group Resource Limits Hack #19
  10. Automate System Updates Hack #20
By: O'Reilly Media
Rating: starstarstarstarstar / 31
May 10, 2004

print this article



Use Linux capabilities and grsecurity’s ACLs to restrict applications on your system.

Now that you have installed the grsecurity patches, you’ll probably want to make use of its flexible ACL system to further restrict the privileged applications on your system, beyond what grsecurity’s kernel security features provide. If you’re just joining us and are not familiar with grsecurity, read “Lock Down Your Kernel with grsecurity” [Hack #13] first.

To restrict specific applications, you will need to make use of the gradm utility, which can be downloaded from the main grsecurity site (http://www.grsecurity.net). You can compile and install it in the usual way: unpack the source distribution, change into the directory that it creates, and then run make && make install. This will install gradm in /sbin, create the /etc/grsec directory containing a default ACL, and install the manpage.

After gradm has been installed, the first thing you’ll want to do is create a password that gradm will use to authenticate itself to the kernel. You can do this by running gradm with the -P option:

# gradm -P
Setting up grsecurity ACL password
Re-enter Password:
Password written to /etc/grsec/pw.

To enable grsecurity’s ACL system, use this command:

# /sbin/gradm -E

Once you’re finished setting up your ACLs, you’ll probably want to add that command to the end of your system startup. You can do this by adding it to the end of /etc/rc.local or a similar script that is designated for customizing your system startup.

The default ACL installed in /etc/grsec/acl is quite restrictive, so you’ll want to create ACLs for the services and system binaries you want to use. For example, after the ACL system has been enabled, ifconfig will no longer be able to change interface characteristics, even when run as root:

# /sbin/ifconfig eth0:1 up
SIOCSIFADDR: Permission denied
SIOCSIFFLAGS: Permission denied
SIOCSIFFLAGS: Permission denied

The easiest way to set up an ACL for a particular command is to specify that you want to use grsecurity’s learning mode, rather than specifying each ACL manually. If you’ve enabled ACLs, you’ll need to temporarily disable them for your shell by running gradm -a. You’ll then be able to access files within /etc/grsec; otherwise, the directory will be hidden to you.

Add an entry like this to /etc/grsec/acl:

/sbin/ifconfig lo {
    /              h
    /etc/grsec     h

This is about the most restrictive ACL possible because it hides the root directory from the process and removes any privileges that it may need. The lo next to the binary to which the ACL applies says to use learning mode and to override the default ACL. After you’re done editing the ACLs, you’ll need to tell grsecurity to reload them by running gradm -R.

Now try to run the ifconfig command again:

# /sbin/ifconfig eth0:1 up
# /sbin/ifconfig eth0:1
eth0:1 Link encap:Ethernet HWaddr 00:0C:29:E2:2B:C1
inet addr: Bcast: Mask:
Interrupt:10 Base address:0x10e0

In addition to the command succeeding, grsecurity will create learning log entries. You can then use gradm to generate an ACL for the program based on these logs:

# gradm -a
# gradm -L -O stdout
/sbin/ifconfig o {
/usr/share/locale/locale.alias r
/usr/lib/locale/locale-archive r
/usr/lib/gconv/gconv-modules.cache r
/proc/net/unix r
/proc/net/dev r
/proc/net r
/lib/ld-2.3.2.so x
/lib/i686/libc-2.3.2.so rx
/etc/ld.so.cache r
/sbin/ifconfig x
/etc/grsec h
/ h

Now you can replace the learning ACL for /sbin/ifconfig in /etc/grsec/acl with this one, and ifconfig should work. You can then follow this process for each program that needs special permissions to function. Just make sure to try out anything you will want to do with those programs, to ensure that grsecurity’s learning mode will detect that it needs to perform a particular system call or open a specific file.

Using grsecurity to lock down applications can seem like tedious work at first, but it will ultimately create a system that gives each process only the permissions it needs to do its job—no more, no less. When you need to build a highly secured platform, grsecurity can provide very finely grained control over just about everything the system can possibly do. 

Buy the book!If you've enjoyed what you've seen here, or to get more information, click on the "Buy the book!" graphic. Pick up a copy today!

Visit the O'Reilly Network http://www.oreillynet.com for more online content.

>>> More Security Articles          >>> More By O'Reilly Media

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort


- Secure Your Business for Data Privacy Day
- Google Testing Security Fob Password Alterna...
- Security News Highlights Concerns
- Going to Extremes for Data Security
- Skipfish Website Vulnerability Scanner
- Critical Microsoft Visual Studio Security Pa...
- US Faces Tech Security Expert Deficit
- LAN Reconnaissance
- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- What’s behind the curtain? Part II

Developer Shed Affiliates


Dev Shed Tutorial Topics: