Grsecurity & Ubuntu Feisty Server: Yay it’s working!

zsh in action

Grsecurity is a set of patches to the Linux 2.4 and 2.6 kernels that implements various security-oriented features such as stack randomization and permissions clamping to prevent common attacks against Linux systems from succeeding. I won’t go into an argument here about its effectiveness or its competitors, but I personally believe it’s a great defense barrier for public multiuser type systems.

Currently you must patch/compile manually, but that’s not the big roadblock… Sometimes turning hardening on too much will cause the system to fail to boot.

For Ubuntu, you need to disable CONFIG_COMPAT_VDSO in the kernel and possibly pass in “vdso=0” to the kernel at bootup via grub config. Otherwise, you’ll get the dreaded everything-segfaults-and-dies phenomenon. It looks something like this:

Segmentation Fault
Segmentation Fault
Segmentation Fault
Segmentation Fault
Segmentation Fault
Segmentation Fault
Segmentation Fault
Segmentation Fault
Segmentation Fault
Segmentation Fault

You get the point….

Once that’s done, I have been able to bump security level to HIGH with no problems whatsoever. It also helps to turn off kernel debugging in general, to avoid ridiculous 208MB large kernel packages!


1 Comment »

  1. Brano said

    i am quite newbie in linux world.
    Several days ago i installed Cache intersystems database on my ubuntu feisty machine. This software isnt directly supported for ubuntu, just for Suse and RedHat.
    When i try to login to its db session, sometimes it works and sometimes it prints “Shared memory segment does not exists” message.
    I found out, same problem happens on red hat when feature called “exec-shield ” is enabled.
    After many googling i obtained feeling that this article is somehow related to my problem. I tried procedure written in this article but without success.
    Pls, if you got some idea, i will appreciate it very much.
    Thanks for any help, Branislav Kalas.

RSS feed for comments on this post · TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: