Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: Re: [asl-2.0] kernel 2.6.32.28
Unread postPosted: Mon Apr 04, 2011 4:33 am 
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
breun wrote:
I just found out that ptrace protections can actually be disabled without a reboot, so that makes things less bad.


Hm, that only works if the kernel is not locked, which it is by default if you use the ASL kernel (ALLOW_kmod_loading="no" in /etc/asl/config, you can find the current lock setting in /proc/sys/kernel/grsecurity/grsec_lock (1 means enabled, 0 means disabled)).

I thought I would only temporarily disable ptrace protections when access to the Plesk License Manager page is required, but since I don't like to reboot production servers for that, the only way to achieve that is to not lock the kernel.

What do you recommend?

1. Locked kernel with ptrace protections disabled (always allowing access to the Plesk License Manager page).
2. Unlocked kernel with ptrace protections enabled (allowing for temporarily disabling ptrace protections when needed).

I guess allowing kernel module loading and modifying kernel settings is a bigger security risk than not having ptrace protections enabled, right?

Is anyone able to use the Plesk License Manager page of any version of Plesk while having ptrace protections enabled? If so, what version of Plesk?

_________________
Lemonbit Internet Dedicated Server Management


 
 Post subject: Re: [asl-2.0] kernel 2.6.32.28
Unread postPosted: Mon Apr 04, 2011 1:26 pm 
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3638
Location: Chantilly, VA
Quote:
1. Locked kernel with ptrace protections disabled (always allowing access to the Plesk License Manager page).


Most secure.

Quote:
2. Unlocked kernel with ptrace protections enabled (allowing for temporarily disabling ptrace protections when needed).


Not secure at all, the kernel protections could be bypassed by an exploit. So you always want to lock the kernel. In short, if you are using Plesk, and a version that has this bug, you'll have to disable ptrace protections. Sorry, there's nothing we can do to alleviate it, it's a bug in Plesk, it's incorrectly erroring out because it thinks you are trying to debug it (which you are not). Definitely open a bug report with Parallels, it *is* a bug, nothing is debugging Plesk, *nothing*.

Quote:
I guess allowing kernel module loading and modifying kernel settings is a bigger security risk than not having ptrace protections enabled, right?


Exactly. Disabling the ptrace protections is not a huge risk. Running an unlocked kernel is huge, we do not recommend it. :-)

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
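
An added example, not part of the original posts and not Atomicorp's own tooling: a shell check that reports the lock state from the two locations named in the thread, /proc/sys/kernel/grsecurity/grsec_lock and /etc/asl/config. It assumes, as the first post describes, that ALLOW_kmod_loading="no" corresponds to a locked kernel; the function names and status strings are hypothetical.

```shell
#!/bin/sh
# Added example: classify the kernel lock posture discussed in this thread.
# Function names and status strings are hypothetical, not ASL's own.

# Print the value of ALLOW_kmod_loading from a config file ("" if unset).
# Commented-out lines are ignored; the last assignment wins.
asl_kmod_setting() {
    sed -n 's/^[[:space:]]*ALLOW_kmod_loading[[:space:]]*=[[:space:]]*"\{0,1\}\([^"#[:space:]]*\)"\{0,1\}.*$/\1/p' \
        "$1" 2>/dev/null | tail -n 1
}

# Print one of:
#   locked                   runtime lock set, config agrees
#   locked-config-differs    runtime lock set, config does not say "no"
#   unlocked-config-differs  config says "no", but runtime is not locked
#   unlocked                 tunables writable and config allows it
#   no-grsec                 grsec_lock entry absent (not a grsecurity kernel)
#   unknown                  grsec_lock holds something other than 0 or 1
lock_posture() {
    config=${1:-/etc/asl/config}
    lockfile=${2:-/proc/sys/kernel/grsecurity/grsec_lock}

    [ -r "$lockfile" ] || { echo no-grsec; return 0; }

    lock=$(tr -d '[:space:]' < "$lockfile")   # 1 = enabled, 0 = disabled
    kmod=$(asl_kmod_setting "$config")

    case "$lock:$kmod" in
        1:no) echo locked ;;
        1:*)  echo locked-config-differs ;;
        0:no) echo unlocked-config-differs ;;
        0:*)  echo unlocked ;;
        *)    echo unknown ;;
    esac
}

# Report for this host; optional arguments override the two paths.
lock_posture "$@"
```

Anything other than `locked` is worth a look on a production server, since the runtime value in grsec_lock, not the config file, is what decides whether the settings can still be changed.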


 
 Post subject: Re: [asl-2.0] kernel 2.6.32.28
Unread postPosted: Mon Apr 04, 2011 3:26 pm 
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 772
Location: Sweden
breun wrote:
Is anyone able to use the Plesk License Manager page of any version of Plesk while having ptrace protections enabled? If so, what version of Plesk?


Yes, I am using Plesk 8.6 with kernel 2.6.32.28-1.art.i686.PAE and License Manager is working fine. My test server with Plesk 10 is failing miserably though...


 
 Post subject: Re: [asl-2.0] kernel 2.6.32.28
Unread postPosted: Mon Apr 04, 2011 3:50 pm 
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3638
Location: Chantilly, VA
Sadly, you'll have to disable the protection, there's nothing we can do, it's a bug in Plesk not in the kernel (as witnessed by the fact that older versions of PSA don't have this bug).

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 
 Post subject: Re: [asl-2.0] kernel 2.6.32.28
Unread postPosted: Mon Apr 04, 2011 6:47 pm 
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
So it seems that Plesk 8.6 works fine with ptrace protections enabled, but 9.5 and 10 don't. Mike, maybe ASL could detect this and act accordingly?

_________________
Lemonbit Internet Dedicated Server Management

