[asl-2.0] kernel 2.6.32.28

breun · **Posted:** Mon Apr 04, 2011 4:33 am

breun wrote:

I just found out that ptrace protections can actually be disabled without a reboot, so that makes things less bad.

Hm, that only works if the kernel is not locked, which it is by default if you use the ASL kernel (ALLOW_kmod_loading="no" in /etc/asl/config, you can find the current lock setting in /proc/sys/kernel/grsecurity/grsec_lock (1 means enabled, 0 means disabled)).

I thought I would only temporarily disable ptrace protections when access to the Plesk License Manager page is required, but since I don't like to reboot production servers for that, the only way to achieve that is to not lock the kernel.

What do you recommend?

1. Locked kernel with ptrace protections disabled (always allowing access to the Plesk License Manager page).
2. Unlocked kernel with ptrace protections enabled (allowing for temporarily disabling ptrace protections when needed).

I guess allowing kernel module loading and modifying kernel settings is a bigger security risk than not having ptrace protections enabled, right?

Is anyone able to use the Plesk License Manager page of any version of Plesk while having ptrace protections enabled? If so, what version of Plesk?

mikeshinn · **Posted:** Mon Apr 04, 2011 1:26 pm

Quote:

1. Locked kernel with ptrace protections disabled (always allowing access to the Plesk License Manager page).

Most secure.

Quote:

2. Unlocked kernel with ptrace protections enabled (allowing for temporarily disabling ptrace protections when needed).

Not secure at all, the kernel protections could be bypassed by an exploit. So you always want to lock the kernel. In short, if you are using Plesk, and a version that has this bug, you'll have to disable ptrace protections. Sorry, theres nothing we can do to aleviate it, its a bug in Plesk, its incorrectly erroring out because it thinks you are trying to debug it (which you are not). Definitely open a bug report with Parallels, it *is* a bug, nothing is debugging plesk, *nothing*.

Quote:

I guess allowing kernel module loading and modifying kernel settings is a bigger security risk than not having ptrace protections enabled, right?

Exactly. Disabling the ptrace protections is not a huge risk. Running an unlocked kernel is huge, we do not recommend it. :-)

biggles · **Posted:** Mon Apr 04, 2011 3:26 pm

breun wrote:

Is anyone able to use the Plesk License Manager page of any version of Plesk while having ptrace protections enabled? If so, what version of Plesk?

Yes, I am using Plesk 8.6 with kernel 2.6.32.28-1.art.i686.PAE and License Manager is working fine. My test server with Plesk 10 is failing misarably though...

mikeshinn · **Posted:** Mon Apr 04, 2011 3:50 pm

Sadly, you'll have to disable the protection, theres nothing we can do, its a bug in Plesk not in the kernel (as witnessed by the fact that older versions of PSA dont have this bug).

breun · **Posted:** Mon Apr 04, 2011 6:47 pm

So it seems that Plesk 8.6 works fine with ptrace protections enabled, but 9.5 and 10 don't. Mike, maybe ASL could detect this and act accordingly?

[asl-2.0] kernel 2.6.32.28

Who is online