Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in

  FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register

[TIP] radvd on a hardened system
 View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
MagicTom
n00b
n00b


Joined: 23 Oct 2003
Posts: 60
Location: Nancy, France
PostPosted: Thu Apr 20, 2006 8:04 pm    Post subject: [TIP] radvd on a hardened system Reply with quote
Hello,

I recently encountered an annoying problem trying to configure IPv6 on my network: /etc/init.d/radvd start failed because of a segmentation fault.

Here is what I got in /var/log/messages:
Code:
Apr 20 20:11:20 localhost radvd[18883]: version 0.9.1 started
Apr 20 20:11:20 localhost radvd[18883]: can't open /proc/net/if_inet6: Permission denied
Apr 20 20:11:20 localhost grsec: From 192.168.0.21: signal 11 sent to /usr/sbin/radvd[radvd:18883] uid/euid:102/102 gid/egid:408/408, parent /sbin/runscript.sh[runscript.sh:26376] uid/euid:0/0 gid/egid:0/0
Apr 20 20:11:36 localhost rc-scripts: status:  stopped


Oops, a permission problem with /proc/net/if_inet6...
Code:
localhost ~ # ls -l /proc/ | grep net
dr-xr-x---  7 root   1001         0 avr 20 21:48 net/

Hey, user radvd can't read /proc/net! And obviously I don't want to run radvd as root...

The reason is that grsecurity causes /proc restrictions when its security level is set to Medium or higher. (Have a look at your kernel configuration (Security options --> Grsecurity --> Filesystem Protections) for more details). However /proc is readable for GID 1001. So, let's create a group with GID 1001 and add user radvd to this group!

Code:
localhost ~ # groupadd -g 1001 grsec
localhost ~ # usermod -G radvd,grsec radvd
localhost ~ # ls -l /proc/ | grep net
dr-xr-x---  7 root   grsec         0 avr 20 21:58 net/
localhost ~ # /etc/init.d/radvd start
 * Enabling IPv6 forwarding ...                                     [ ok ]
 * Starting IPv6 Router Advertisement Daemon ...                    [ ok ]
localhost ~ #


Now it works perfectly :)

It took me half an hour to solve this problem, there was a post about this problem on the grsec forum but the only solution I could find there was to run radvd as root... I hope this will help other people in the future ;)
_________________
There's no place like ::1
Back to top
View user's profile Send private message
UberLord
Retired Dev
Retired Dev


Joined: 18 Sep 2003
Posts: 6835
Location: Blighty
PostPosted: Wed Jul 19, 2006 1:13 pm    Post subject: Reply with quote
Thanks for finding this out

I've added a note about this to the ebuild
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



 Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org

Copyright 2001-2024 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p11 © 2001, 2002 phpBB Group
Privacy Policy