Hi,
The file "/proc/sys/kernel/randomize_va_space" has write permission for user as below:
[root@shagun ~]# ls -lrtZ /proc/sys/kernel/randomize_va_space
rw-r--r--. root root system_u:object_r:proc_security_t:s0 /proc/sys/kernel/randomize_va_space
If we want to change this permission to read-only for the user, is it possible?
And I found the code also:
kernel/sysctl.c @@ -1130,7 +1130,11 @@ static struct ctl_table kern_table[] = { .procname = "randomize_va_space", .data = &randomize_va_space, .maxlen = sizeof(int), +#ifdef CONFIG_ASLR_SYSCTL_READ_ONLY + .mode = 0444, +#else .mode = 0644, +#endif
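Review bot: the "#ifdef CONFIG_ASLR_SYSCTL_READ_ONLY" around ".mode" relies on a config symbol that nothing in this hunk defines, so unless a Kconfig entry accompanies the patch the "#else" branch is always taken and the mode stays 0644. Add the Kconfig entry with help text, and state there what is expected to set randomize_va_space once the entry carries no write bit (".mode = 0444").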
Can we make it 0444? Currently randomize_va_space is 644.
Please suggest.
Regards,
Shagun
Need info about kernel file "randomize_va_space"
Re: Need info about kernel file "randomize_va_space"
Please advise whether it is OK to change the permission of this file to read-only for users.
Regards,
Shagun
Re: Need info about kernel file "randomize_va_space"
What for? Root has full access to any file regardless of permissions.
Re: Need info about kernel file "randomize_va_space"
Because while running the dASLR tool, the "randomize_va_space unconfigurable" test in "Kernel Check" FAILED.
As per support for dASLR tool, "randomize_va_space_unconfigurable" fail means that "/proc/sys/kernel/randomize_va_space" has write permission.
Re: Need info about kernel file "randomize_va_space"
I cannot find this 'dASLR' tool anywhere on google. Where did you get it from? Who makes it? Are you sure its results are useful or even meaningful? I have checked a Debian system running a 4.14 kernel and the permissions on "/proc/sys/kernel/randomize_va_space" are still 644. The only thing that says that is incorrect is your unknown tool.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Need info about kernel file "randomize_va_space"
Most probably the tool got access denied by SELINUX.
Check the /var/log/audit/audit.log for AVC denials, or test with 'setenforce 0'.
Do not disable SELINUX, as you will not get the necessary data that will allow your tool to access the /proc filesystem properly.
Once over, switch to 'setenforce 1' and then you can analyze via "sealert -a /var/log/audit/audit.log"
Re: Need info about kernel file "randomize_va_space"
The "file" is in /proc which means it's not a real file but a kernel construct. It has fixed ownership/permissions, defined in the kernel source and compiled in. I have checked the distro kernel, a Debian 4.14 kernel and the latest 5.1.15 ELRepo kernel-ml and all of them define the "file" in the same way with the same permissions.
The tool is either broken or the authors need to send a PR to Linus to get the mainline kernel source "fixed" though I am already fairly sure that it is correct and the tool is wrong.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
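The two checks raised in this thread (the mode and value of the sysctl entry, and AVC denials against it in the audit log), as an added shell example that is not code from any poster or from the dASLR tool. Function names are hypothetical, the audit lines are constructed, and "example_t" and "scanner" are placeholders.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample log lines are constructed.

ASLR_SYSCTL=/proc/sys/kernel/randomize_va_space

# Classify an octal mode (e.g. 644 or 0444) by who holds a write bit.
classify_mode() {
    m=$((0$1))
    if [ $((m & 0022)) -ne 0 ]; then
        echo "writable-by-group-or-other"
    elif [ $((m & 0200)) -ne 0 ]; then
        echo "owner-writable"
    else
        echo "read-only"
    fi
}

# Report value, mode, owner and write classification of the sysctl entry.
# The path is a parameter so the function can be pointed at a test copy.
check_aslr() {
    f=${1:-$ASLR_SYSCTL}
    mode=$(stat -c '%a' "$f") || return 1
    owner=$(stat -c '%U' "$f") || return 1
    value=$(cat "$f") || return 1
    echo "value=$value mode=$mode owner=$owner access=$(classify_mode "$mode")"
}

# Count SELinux AVC denials that name the sysctl entry (file argument or stdin).
avc_denials() {
    grep -c 'avc: *denied.*name="randomize_va_space"' "${1:--}" || true
}

# Constructed audit.log excerpt: one denial on the sysctl entry, one unrelated.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1562000000.101:411): avc:  denied  { write } for  pid=2211 comm="scanner" name="randomize_va_space" dev="proc" ino=10501 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
type=AVC msg=audit(1562000000.202:412): avc:  denied  { read } for  pid=2212 comm="scanner" name="shadow" dev="dm-0" ino=7001 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1562000000.202:412): arch=c000003e syscall=2 success=no exit=-13 comm="scanner"
EOF
}

if [ -r "$ASLR_SYSCTL" ]; then check_aslr || echo "stat failed on $ASLR_SYSCTL"; fi
echo "AVC denials on randomize_va_space in sample: $(sample_audit_log | avc_denials)"
```

On a live system, run "avc_denials /var/log/audit/audit.log" as root to apply the same filter to the real log.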