On Mon, 18-04-2005 at 16:01 -0400, Rik van Riel wrote:
> On Mon, 18 Apr 2005, Lorenzo Hernández García-Hierro wrote:
>
> > Adding a "trusted user group"-like configuration option could be useful,
> > as it's done within grsecurity, among that the whole thing might be good
> > to depend on a
On Mon, 18-04-2005 at 15:24 -0400, Rik van Riel wrote:
> This looks like a very bad default to me!
>
> Your patch would force people to run system monitoring
> applications as root, because otherwise they cannot get
> some of the information they can get now. Forcing that
> these applicatio
On Mon, 18-04-2005 at 12:26 -0700, David S. Miller wrote:
> Stephen Hemminger has already added TCP port randomization on
> connect() to the 2.6.x tree. See
> net/ipv4/tcp_ipv4.c:tcp_v4_hash_connect(), where randomized port
> selection occurs. And unlike your patch, Stephen did add ipv6
> s
On Mon, 18-04-2005 at 15:05 -0400, Dave Jones wrote:
> This is utterly absurd. You can find out anything that's in /proc/cpuinfo
> by calling cpuid instructions yourself.
Right, it doesn't make it worthy enough to represent any risk.
> Please enlighten me as to what security gains we achieve
On Mon, 18-04-2005 at 15:27 -0400, Rik van Riel wrote:
> The same "this forces people to run system monitoring tasks
> as root, potentially opening themselves up to security holes"
> comment applies to this patch.
That's because the patch is split up, those bits are on the proc_misc
one.
I
Hi,
"When source port is generated on the fly for the TCP protocol (ie. with
connect() ) will
be altered so that the source port is generated at random, instead of a simple
incrementing algorithm."
Ported from grsecurity (http://www.grsecurity.net by Brad Spengler).
Instead of using the PaX & gr
This patch changes the permissions of the procfs entries ioports and
iomem to restrict non-root users from accessing them.
It's also available at
http://pearls.tuxedo-es.org/patches/security/proc-privacy-1_kernel_resource.c.patch.
(last patch from the procfs privacy patch-set)
The whole patch is
This patch changes the permissions of the procfs entry config.gz, thus,
non-root users are restricted from accessing it.
It's also available at:
http://pearls.tuxedo-es.org/patches/security/proc-privacy-1_kernel_configs.c.patch
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2
This patch changes the permissions of the procfs entry kallsyms, thus,
non-root users are restricted from accessing it.
It's also available at:
http://pearls.tuxedo-es.org/patches/security/proc-privacy-1_kernel_kallsyms.c.patch
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2
This patch changes the permissions of the /proc/net and /proc/bus
directory entries so non-root users are restricted from accessing them.
It's also available at:
http://pearls.tuxedo-es.org/patches/security/proc-privacy-1_fs_proc_root.c.patch
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]
This patch changes the permissions of the following procfs entries to
restrict non-root users from accessing them:
- /proc/devices
- /proc/cmdline
- /proc/version
- /proc/uptime
- /proc/cpuinfo
- /proc/partitions
- /proc/stat
- /proc/interrupts
- /proc/slabinfo
- /proc/diskstats
- /pro
11 matches