author | Anthony G. Basile <blueness@gentoo.org> | 2012-10-13 10:13:24 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2012-10-13 10:13:24 -0400 |
commit | 4d81df47c8520897537f6bbc39d6cbae317b80fb (patch) | |
tree | 4826a8ad9aa46505f9c52aef01d1173748e47a58 | |
parent | scripts/just_fetch.pl: add gpg verification (diff) | |
{2.6.32,3.2.31,3.6.1}/4450_grsec-kconfig-default-gids.patch: fix (un)trusted GIDs
-rw-r--r-- | 2.6.32/4450_grsec-kconfig-default-gids.patch | 37 | ||||
-rw-r--r-- | 3.2.31/4450_grsec-kconfig-default-gids.patch | 37 | ||||
-rw-r--r-- | 3.6.1/4450_grsec-kconfig-default-gids.patch | 37 |
3 files changed, 96 insertions, 15 deletions
diff --git a/2.6.32/4450_grsec-kconfig-default-gids.patch b/2.6.32/4450_grsec-kconfig-default-gids.patch index 4e54edf..d4b0b7e 100644 --- a/2.6.32/4450_grsec-kconfig-default-gids.patch +++ b/2.6.32/4450_grsec-kconfig-default-gids.patch @@ -13,9 +13,9 @@ attention to the finer points of kernel configuration, it is probably wise to specify some reasonable defaults so as to stop careless users from shooting themselves in the foot. -diff -Nuar a/grsecurity/Kconfig b/Kconfig ---- a/grsecurity/Kconfig 2012-07-01 12:54:58.000000000 -0400 -+++ b/grsecurity/Kconfig 2012-07-01 13:00:04.000000000 -0400 +diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig +--- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400 ++++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400 @@ -522,7 +522,7 @@ config GRKERNSEC_AUDIT_GID int "GID for auditing" @@ -71,8 +71,8 @@ diff -Nuar a/grsecurity/Kconfig b/Kconfig Here you can choose the GID to disable server socket access for. Remember to add the users you want server socket access disabled for to diff -Nuar a/security/Kconfig b/security/Kconfig ---- a/security/Kconfig 2012-07-01 12:51:41.000000000 -0400 -+++ b/security/Kconfig 2012-07-01 13:00:23.000000000 -0400 +--- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400 ++++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400 @@ -191,7 +191,7 @@ config GRKERNSEC_PROC_GID 
@@ -82,3 +82,30 @@ diff -Nuar a/security/Kconfig b/security/Kconfig help Setting this GID determines which group will be exempted from grsecurity's /proc restrictions, allowing users of the specified +@@ -202,7 +202,7 @@ + config GRKERNSEC_TPE_UNTRUSTED_GID + int "GID for TPE-untrusted users" + depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT +- default 1005 ++ default 100 + help + Setting this GID determines which group untrusted users should + be added to. These users will be placed under grsecurity's Trusted Path +@@ -214,7 +214,7 @@ + config GRKERNSEC_TPE_TRUSTED_GID + int "GID for TPE-trusted users" + depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT +- default 1005 ++ default 10 + help + Setting this GID determines what group TPE restrictions will be + *disabled* for. If the sysctl option is enabled, a sysctl option +@@ -223,7 +223,7 @@ + config GRKERNSEC_SYMLINKOWN_GID + int "GID for users with kernel-enforced SymlinksIfOwnerMatch" + depends on GRKERNSEC_CONFIG_SERVER +- default 1006 ++ default 100 + help + Setting this GID determines what group kernel-enforced + SymlinksIfOwnerMatch will be enabled for. If the sysctl option diff --git a/3.2.31/4450_grsec-kconfig-default-gids.patch b/3.2.31/4450_grsec-kconfig-default-gids.patch index 4e54edf..d4b0b7e 100644 --- a/3.2.31/4450_grsec-kconfig-default-gids.patch +++ b/3.2.31/4450_grsec-kconfig-default-gids.patch @@ -13,9 +13,9 @@ attention to the finer points of kernel configuration, it is probably wise to specify some reasonable defaults so as to stop careless users from shooting themselves in the foot. -diff -Nuar a/grsecurity/Kconfig b/Kconfig ---- a/grsecurity/Kconfig 2012-07-01 12:54:58.000000000 -0400 -+++ b/grsecurity/Kconfig 2012-07-01 13:00:04.000000000 -0400 +diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig +--- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400 ++++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400 
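Review bot: The three defaults added at the end of this hunk (`default 100` for GRKERNSEC_TPE_UNTRUSTED_GID and GRKERNSEC_SYMLINKOWN_GID, `default 10` for GRKERNSEC_TPE_TRUSTED_GID) are bare numeric GIDs, and nothing visible in the patch preamble or the Kconfig help text says which groups they are meant to name. Presumably they are the distribution's ordinary-users and administrative groups, but that is inferred from the numbers. On a system where GID 10 or 100 belongs to a different group, Trusted Path Execution would be lifted for, or applied to, accounts nobody chose. The untrusted-TPE and SymlinksIfOwnerMatch options also now share one group where the old defaults (1005 and 1006) kept them apart, so membership in that group switches on both features together. I would add a line to the patch description such as `Defaults: 10 = <trusted group>, 100 = <untrusted group>; verify against /etc/group before building`. The same hunk appears unchanged in the 3.2.31 and 3.6.1 copies of the patch.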
@@ -522,7 +522,7 @@ config GRKERNSEC_AUDIT_GID int "GID for auditing" @@ -71,8 +71,8 @@ diff -Nuar a/grsecurity/Kconfig b/Kconfig Here you can choose the GID to disable server socket access for. Remember to add the users you want server socket access disabled for to diff -Nuar a/security/Kconfig b/security/Kconfig ---- a/security/Kconfig 2012-07-01 12:51:41.000000000 -0400 -+++ b/security/Kconfig 2012-07-01 13:00:23.000000000 -0400 +--- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400 ++++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400 @@ -191,7 +191,7 @@ config GRKERNSEC_PROC_GID @@ -82,3 +82,30 @@ diff -Nuar a/security/Kconfig b/security/Kconfig help Setting this GID determines which group will be exempted from grsecurity's /proc restrictions, allowing users of the specified +@@ -202,7 +202,7 @@ + config GRKERNSEC_TPE_UNTRUSTED_GID + int "GID for TPE-untrusted users" + depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT +- default 1005 ++ default 100 + help + Setting this GID determines which group untrusted users should + be added to. These users will be placed under grsecurity's Trusted Path +@@ -214,7 +214,7 @@ + config GRKERNSEC_TPE_TRUSTED_GID + int "GID for TPE-trusted users" + depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT +- default 1005 ++ default 10 + help + Setting this GID determines what group TPE restrictions will be + *disabled* for. If the sysctl option is enabled, a sysctl option +@@ -223,7 +223,7 @@ + config GRKERNSEC_SYMLINKOWN_GID + int "GID for users with kernel-enforced SymlinksIfOwnerMatch" + depends on GRKERNSEC_CONFIG_SERVER +- default 1006 ++ default 100 + help + Setting this GID determines what group kernel-enforced + SymlinksIfOwnerMatch will be enabled for. If the sysctl option diff --git a/3.6.1/4450_grsec-kconfig-default-gids.patch b/3.6.1/4450_grsec-kconfig-default-gids.patch index 4e54edf..d4b0b7e 100644 --- a/3.6.1/4450_grsec-kconfig-default-gids.patch 
+++ b/3.6.1/4450_grsec-kconfig-default-gids.patch @@ -13,9 +13,9 @@ attention to the finer points of kernel configuration, it is probably wise to specify some reasonable defaults so as to stop careless users from shooting themselves in the foot. -diff -Nuar a/grsecurity/Kconfig b/Kconfig ---- a/grsecurity/Kconfig 2012-07-01 12:54:58.000000000 -0400 -+++ b/grsecurity/Kconfig 2012-07-01 13:00:04.000000000 -0400 +diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig +--- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400 ++++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400 @@ -522,7 +522,7 @@ config GRKERNSEC_AUDIT_GID int "GID for auditing" @@ -71,8 +71,8 @@ diff -Nuar a/grsecurity/Kconfig b/Kconfig Here you can choose the GID to disable server socket access for. Remember to add the users you want server socket access disabled for to diff -Nuar a/security/Kconfig b/security/Kconfig ---- a/security/Kconfig 2012-07-01 12:51:41.000000000 -0400 -+++ b/security/Kconfig 2012-07-01 13:00:23.000000000 -0400 +--- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400 ++++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400 @@ -191,7 +191,7 @@ config GRKERNSEC_PROC_GID 
@@ -82,3 +82,30 @@ diff -Nuar a/security/Kconfig b/security/Kconfig help Setting this GID determines which group will be exempted from grsecurity's /proc restrictions, allowing users of the specified +@@ -202,7 +202,7 @@ + config GRKERNSEC_TPE_UNTRUSTED_GID + int "GID for TPE-untrusted users" + depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT +- default 1005 ++ default 100 + help + Setting this GID determines which group untrusted users should + be added to. These users will be placed under grsecurity's Trusted Path +@@ -214,7 +214,7 @@ + config GRKERNSEC_TPE_TRUSTED_GID + int "GID for TPE-trusted users" + depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT +- default 1005 ++ default 10 + help + Setting this GID determines what group TPE restrictions will be + *disabled* for. If the sysctl option is enabled, a sysctl option +@@ -223,7 +223,7 @@ + config GRKERNSEC_SYMLINKOWN_GID + int "GID for users with kernel-enforced SymlinksIfOwnerMatch" + depends on GRKERNSEC_CONFIG_SERVER +- default 1006 ++ default 100 + help + Setting this GID determines what group kernel-enforced + SymlinksIfOwnerMatch will be enabled for. If the sysctl option |