Joined: 23 Oct 2003
Location: Nancy, France
Posted: Thu Apr 20, 2006 8:04 pm Post subject: [TIP] radvd on a hardened system
I recently encountered an annoying problem trying to configure IPv6 on my network: /etc/init.d/radvd start failed because of a segmentation fault.
Here is what I got in /var/log/messages:
Apr 20 20:11:20 localhost radvd: version 0.9.1 started
Apr 20 20:11:20 localhost radvd: can't open /proc/net/if_inet6: Permission denied
Apr 20 20:11:20 localhost grsec: From 192.168.0.21: signal 11 sent to /usr/sbin/radvd[radvd:18883] uid/euid:102/102 gid/egid:408/408, parent /sbin/runscript.sh[runscript.sh:26376] uid/euid:0/0 gid/egid:0/0
Apr 20 20:11:36 localhost rc-scripts: status: stopped
Oops, a permission problem with /proc/net/if_inet6...
localhost ~ # ls -l /proc/ | grep net
dr-xr-x--- 7 root 1001 0 avr 20 21:48 net/
Hey, user radvd can't read /proc/net! And obviously I don't want to run radvd as root...
The reason is that grsecurity causes /proc restrictions when its security level is set to Medium or higher. (Have a look at your kernel configuration (Security options --> Grsecurity --> Filesystem Protections) for more details.) However, /proc is readable for GID 1001. So, let's create a group with GID 1001 and add user radvd to this group!
localhost ~ # groupadd -g 1001 grsec
localhost ~ # usermod -G radvd,grsec radvd
localhost ~ # ls -l /proc/ | grep net
dr-xr-x--- 7 root grsec 0 avr 20 21:58 net/
localhost ~ # /etc/init.d/radvd start
* Enabling IPv6 forwarding ... [ ok ]
* Starting IPv6 Router Advertisement Daemon ... [ ok ]
localhost ~ #
Now it works perfectly.
It took me half an hour to solve this problem; there was a post about it on the grsec forum, but the only solution I could find there was to run radvd as root... I hope this will help other people in the future.
There's no place like ::1
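The check the post performs by hand (read the group owner and mode of /proc/net, compare against the daemon user's groups, then create a group carrying that GID) as a small POSIX shell script. This is an added example, not code from the original post; the group name grsec, the uid/gid values and the mode string are the ones shown in the post, and the live-check branch assumes GNU stat and coreutils id.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a daemon user can
# read a grsecurity-restricted /proc/net from an "ls -ld" style mode string,
# and print the remediation the post describes (a group owning that GID).

# sym_bit SYMBOLIC POS -> exit 0 if the permission character at POS is set
sym_bit() {
    [ "$(printf '%s' "$1" | cut -c"$2")" != "-" ]
}

# proc_net_readable SYMBOLIC OWNER_GID UID "GID GID ..."
#   SYMBOLIC  first column of ls -ld /proc/net, e.g. dr-xr-x---
#   OWNER_GID numeric group owning /proc/net (1001 in the post)
#   UID       uid of the daemon user (102 for radvd in the post)
#   GIDs      space-separated gids of the user (what `id -G user` prints)
# Exit status 0 when the user can read the directory, 1 when it cannot.
proc_net_readable() {
    sym=$1; owner_gid=$2; uid=$3; gids=$4
    # this example assumes /proc/net is owned by root (uid 0), as on the post's box
    [ "$uid" -eq 0 ] && return 0
    # 'other' read bit (character 8): directory is world-readable, no restriction
    sym_bit "$sym" 8 && return 0
    # no group read bit (character 5): group membership cannot help
    sym_bit "$sym" 5 || return 1
    for g in $gids; do
        [ "$g" -eq "$owner_gid" ] && return 0
    done
    return 1
}

# remediation USER OWNER_GID GROUPNAME -> prints the two commands to run as root.
# -a appends the group so the user's existing supplementary groups are kept.
remediation() {
    printf 'groupadd -g %s %s\nusermod -a -G %s %s\n' "$2" "$3" "$3" "$1"
}

# Live check: ./proc_net_check.sh radvd  (constructed usage; needs Linux /proc)
if [ $# -eq 1 ]; then
    user=$1
    sym=$(stat -c %A /proc/net); gid=$(stat -c %g /proc/net)
    if proc_net_readable "$sym" "$gid" "$(id -u "$user")" "$(id -G "$user")"; then
        echo "$user can read /proc/net"
    else
        echo "$user cannot read /proc/net; fix:"; remediation "$user" "$gid" grsec
    fi
fi
```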