diff options
| author |   Anthony G. Basile <blueness@gentoo.org> | 2012-07-29 20:14:42 -0400 |
|---|---|---|
| committer | Anthony G. Basile <blueness@gentoo.org> | 2012-07-29 20:14:42 -0400 |
| commit | 186635ac6f72fb55b072ad23c93c102dd65e50d6 (patch) | |
| tree | 66877e04242faef02a6921f570f40307b7f5d8a0 /3.2.24/4450_grsec-kconfig-default-gids.patch | |
| parent | Grsec/PaX: 2.9.1-{2.6.32.59,3.2.23,3.4.6}-201207242237 (diff) | |
| download | hardened-patchset-186635ac6f72fb55b072ad23c93c102dd65e50d6.tar.gz hardened-patchset-186635ac6f72fb55b072ad23c93c102dd65e50d6.tar.bz2 hardened-patchset-186635ac6f72fb55b072ad23c93c102dd65e50d6.zip | |
Grsec/PaX: 2.9.1-{2.6.32.59,3.2.24,3.4.6}-20120728194620120728
Diffstat (limited to '3.2.24/4450_grsec-kconfig-default-gids.patch')
| -rw-r--r-- | 3.2.24/4450_grsec-kconfig-default-gids.patch | 77 |
1 files changed, 77 insertions, 0 deletions
diff --git a/3.2.24/4450_grsec-kconfig-default-gids.patch b/3.2.24/4450_grsec-kconfig-default-gids.patch new file mode 100644 index 0000000..0ab1250 --- /dev/null +++ b/3.2.24/4450_grsec-kconfig-default-gids.patch @@ -0,0 +1,77 @@ +From: Kerin Millar <kerframil@gmail.com> + +grsecurity contains a number of options which allow certain protections +to be applied to or exempted from members of a given group. However, the +default GIDs specified in the upstream patch are entirely arbitrary and +there is no telling which (if any) groups the GIDs will correlate with +on an end-user's system. Because some users don't pay a great deal of +attention to the finer points of kernel configuration, it is probably +wise to specify some reasonable defaults so as to stop careless users +from shooting themselves in the foot. + +diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig +--- a/grsecurity/Kconfig 2011-12-12 16:54:30.000000000 -0500 ++++ b/grsecurity/Kconfig 2011-12-12 16:55:09.000000000 -0500 +@@ -249,7 +249,7 @@ + config GRKERNSEC_PROC_GID + int "GID for special group" + depends on GRKERNSEC_PROC_USERGROUP +- default 1001 ++ default 10 + + config GRKERNSEC_PROC_ADD + bool "Additional restrictions" +@@ -520,7 +520,7 @@ + config GRKERNSEC_AUDIT_GID + int "GID for auditing" + depends on GRKERNSEC_AUDIT_GROUP +- default 1007 ++ default 100 + + config GRKERNSEC_EXECLOG + bool "Exec logging" +@@ -735,7 +735,7 @@ + config GRKERNSEC_TPE_GID + int "GID for untrusted users" + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT +- default 1005 ++ default 100 + help + Setting this GID determines what group TPE restrictions will be + *enabled* for. If the sysctl option is enabled, a sysctl option +@@ -744,7 +744,7 @@ + config GRKERNSEC_TPE_GID + int "GID for trusted users" + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT +- default 1005 ++ default 10 + help + Setting this GID determines what group TPE restrictions will be + *disabled* for. If the sysctl option is enabled, a sysctl option +@@ -819,7 +819,7 @@ + config GRKERNSEC_SOCKET_ALL_GID + int "GID to deny all sockets for" + depends on GRKERNSEC_SOCKET_ALL +- default 1004 ++ default 65534 + help + Here you can choose the GID to disable socket access for. Remember to + add the users you want socket access disabled for to the GID +@@ -840,7 +840,7 @@ + config GRKERNSEC_SOCKET_CLIENT_GID + int "GID to deny client sockets for" + depends on GRKERNSEC_SOCKET_CLIENT +- default 1003 ++ default 65534 + help + Here you can choose the GID to disable client socket access for. + Remember to add the users you want client socket access disabled for to +@@ -858,7 +858,7 @@ + config GRKERNSEC_SOCKET_SERVER_GID + int "GID to deny server sockets for" + depends on GRKERNSEC_SOCKET_SERVER +- default 1002 ++ default 65534 + help + Here you can choose the GID to disable server socket access for. + Remember to add the users you want server socket access disabled for to |