
Re: Debian Stable server hacked



On Wed, 2003-08-13 at 18:39, valerian wrote:
>  
> grsec handles this by allowing you to restrict Linux capabilities for a
> process.  For example, there's no reason /usr/sbin/apache should have
> access to CAP_SYS_ADMIN (allows mount/umount, amongst other things) or
> CAP_SYS_PTRACE (run ptrace) or many others.

But Linux capabilities are so weak.  They won't protect an apache master
process that runs as root from scribbling over /etc/passwd and giving an
attacker a new uid 0 shell account, for example.  At that point it's
really game over.  The attacker then logs in, and has all the
capabilities.  From there, they have access to /dev/mem, where they can
runtime patch the kernel and kill off grsecurity or do whatever else
they want.

> Anyway, since grsec uses PaX, it's very unlikely that anyone will "take
> control" of apache through a buffer overflow. ;-)

From what I understand it is often possible to evade these kinds of
restrictions.

Anyways, I just wanted to point out that while grsecurity probably helps
somewhat, it provides significantly less security than a system like
SELinux.  Its sole advantage as far as I can tell is that it's somewhat
easier to set up.
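
The disagreement in this message can be checked on a running system by reading a process's effective UID and capability mask from /proc/<pid>/status. The following is an added example, not part of the original post: the status samples are constructed, and the mapping of the thread's concerns onto specific capabilities and the EUID_0 label are assumptions of this example.

```python
import re

# Capability names by bit number, from linux/capability.h (bits 0-21).
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN"
).split()

# Assumption: the thread's concerns mapped onto capabilities for this example.
FLAGGED = {
    "CAP_SYS_ADMIN": "mount/umount, amongst other things",
    "CAP_SYS_PTRACE": "ptrace other processes",
    "CAP_SYS_RAWIO": "raw I/O such as opening /dev/mem",
    "CAP_DAC_OVERRIDE": "bypass file permission checks",
}
# Hypothetical label: root-owned, owner-writable files (a typical /etc/passwd)
# stay writable to euid 0 through plain owner permissions, capabilities or not.
EUID_0 = "EUID_0"

def parse_status(text):
    """Return (effective uid, CapEff mask) from /proc/<pid>/status text."""
    uid = re.search(r"^Uid:\s+\d+\s+(\d+)", text, re.M)
    cap = re.search(r"^CapEff:\s+([0-9a-fA-F]+)", text, re.M)
    if not uid or not cap:
        raise ValueError("status text lacks a Uid or CapEff line")
    return int(uid.group(1)), int(cap.group(1), 16)

def decode(mask):
    """Expand a capability bitmask into names; unnamed bits become CAP_<n>."""
    names, bit = [], 0
    while mask >> bit:
        if mask >> bit & 1:
            known = bit < len(CAP_NAMES)
            names.append("CAP_" + (CAP_NAMES[bit] if known else str(bit)))
        bit += 1
    return names

def audit(text):
    """Flagged capabilities in bit order, plus EUID_0 if still running as root."""
    euid, mask = parse_status(text)
    found = [c for c in decode(mask) if c in FLAGGED]
    return found + ([EUID_0] if euid == 0 else [])

# Constructed samples: unrestricted root, root with flagged caps removed, worker.
FULL_ROOT = "Name:\tapache\nUid:\t0\t0\t0\t0\nCapEff:\t00000000ffffffff\n"
RESTRICTED = "Name:\tapache\nUid:\t0\t0\t0\t0\nCapEff:\t00000000000004c0\n"
WORKER = "Name:\tapache\nUid:\t33\t33\t33\t33\nCapEff:\t0000000000000000\n"
```

For the restricted sample the audit returns only EUID_0: every flagged capability is gone, yet the process is still root for ordinary file-ownership checks.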


