Posted on 8 Comments

grsecurity

Hint… don’t install stuff like this on your production servers unless you have advanced Linux skills… http://www.grsecurity.net/
It’s a set of custom kernel modifications. So any time you upgrade the kernel, you need an update of this stuff as well. And never mind the potential bugs that can in themselves cause security and reliability issues.
You don’t “just” want to install any such package on a production server (MySQL or otherwise) unless you really, really know what you’re doing. It’s just not a userspace kind of thing.

Apparently it’s something that some cPanel deployments install to further secure their system, but that raises the fundamental question of whether you want to be running cPanel in serious production environments at all… beef for another post, and I’ll get to that shortly.


8 thoughts on “grsecurity”

  1. I object to telling people not to care about their security like this. I run grsec for the Gentoo.org infrastructure, including a number of MySQL servers, without issues.

    The problem is that people don’t READ the Kconfig messages, or realize that you actually need to configure things once you install them. It’s NOT fire-and-forget.

    cPanel and every other control panel need to die a horrible death anyway.

  2. Well yes Robin, but the difference is you are an uberguru with that stuff and extremely aware of how the Gentoo kernel infrastructure works.
    I reckon that’s a pretty unique situation, and has no bearing on the world in general out there….

    If you’re a subject matter expert, then any general advice and disclaimer and “do not touch/use” tends to not apply. But would you recommend people use tools such as the one mentioned (not even singling out this one package!) if they’re not experienced sysadmins?

  3. Selecting grsec’s low and medium security options will cause minimal changes – nothing that should break MySQL at all. I’d go as far as saying even inexperienced users can safely select them with a single note: make sure you run stuff that needs explicit /proc access (like identd with an extra GID of 1001 or whatever you set CONFIG_GRKERNSEC_PROC_GID to). If that single task is too much, stick to the grsec low security option.

    I don’t consider myself a subject matter expert for Hardened kernels, I make sure to ask our actual hardened team if there are any changes to my kernel configs I should make or avoid.

    What I do see is MANY people turning on the Trusted Path Execution features (which aren’t enabled by default in ANY of the grsec preconfigured levels), and getting severely bitten, esp when running binaries outside of the classic /{,usr/{,local/}{s,}bin hierarchy, as often happens with binary installs of MySQL.
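The two pitfalls named in this comment (services that need the /proc GID, and binaries living outside the classic trusted hierarchy when TPE is switched on) can both be checked before a kernel with those options is booted. The script below is an added example written for this page, not code from the post, the commenter or the grsecurity project. It assumes the trusted hierarchy is exactly the /{,usr/{,local/}}{s,}bin set the comment names, takes the proc GID and the group list as plain arguments, and uses constructed sample paths; it does not resolve symlinks and does not model the directory ownership rules a real TPE policy also applies.

```shell
#!/bin/sh
# Added pre-flight audit for two grsecurity settings mentioned above.
# Assumption: the "classic" trusted hierarchy is /{,usr/{,local/}}{s,}bin,
# expanded here by hand so the script runs under plain POSIX sh.
TRUSTED_DIRS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin"

# in_trusted_path PATH -> exit 0 if the binary's directory is one of
# TRUSTED_DIRS, 1 otherwise. Symlinks are not resolved (caveat).
in_trusted_path() {
    dir=$(dirname "$1")
    for t in $TRUSTED_DIRS; do
        [ "$dir" = "$t" ] && return 0
    done
    return 1
}

# count_untrusted PATH... -> prints each binary outside the trusted
# hierarchy to stderr and the total count to stdout.
count_untrusted() {
    n=0
    for b in "$@"; do
        if ! in_trusted_path "$b"; then
            echo "outside trusted path (TPE would block it): $b" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
    return 0
}

# gid_in_list GID "GID1 GID2 ..." -> exit 0 if GID appears in the list.
# The list is what `id -G <user>` prints for the service account; the GID is
# whatever CONFIG_GRKERNSEC_PROC_GID was set to (1001 in the comment).
gid_in_list() {
    want=$1
    for g in $2; do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# Constructed sample input: a distro-packaged mysqld plus two binary-install
# locations of the kind the comment warns about.
SAMPLE_BINARIES="/usr/sbin/mysqld /opt/mysql/bin/mysqld /usr/local/mysql/bin/mysqld_safe"
# shellcheck disable=SC2086
untrusted=$(count_untrusted $SAMPLE_BINARIES)
echo "binaries outside the trusted hierarchy: $untrusted"

# Constructed sample: identd's supplementary groups, with and without the proc GID.
PROC_GID=1001
if gid_in_list "$PROC_GID" "100 1001 27"; then
    echo "identd (sample) has GID $PROC_GID: /proc access OK"
fi
if ! gid_in_list "$PROC_GID" "100 27"; then
    echo "identd (sample) lacks GID $PROC_GID: add it before enabling /proc restrictions"
fi
```

On a live box the sample list would be replaced by the paths from your service unit files or init scripts, and the group list by `id -G` for each service user; any binary reported here is one you move, or exempt, before turning TPE on rather than after it starts failing.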

  4. Same as Robbat2, I run Gentoo hardened with grsecurity enabled on several production boxes. I use the defaults for servers preset by the hardened team and I never had any problems at all. I guess the problem is that you rely on cPanel or the underlying distro just doesn’t provide a conveniently prepatched kernel. Mind that I’m a mere user, unlike Robbat2 who is a dev+infra person @ gentoo.

    killua-sz

  5. Some RAID controller didn’t work with it, so the client disabled that and went for software RAID, which in this particular setup caused serious performance degradation. Brilliant.
    I think most systems have bigger issues than the ones grsecurity fixes.

  6. grsec doesn’t disable any hardware, sounds like they had a bad kernel in the first place.

    Yes, most systems do have other lurking security issues. grsec is just nice in that the memory protections esp help block people trying to execute shellcode. NX bit is a good thing.

  7. Sorry, but this “hint” as you call it is more than stupid. Grsecurity is a great tool which solves many security problems on today’s Linux boxes.

    It is run on many, many production servers worldwide.

    A correct hint could be something like “You just don’t want to run any of this on a production server (MySQL or otherwise) if you don’t have advanced Linux skills.”

  8. That’s the nice thing about quick scribbles, there’s always space to argue about.
    I absolutely agree, if you know what you’re doing there, it’s fine. But that’s kinda obvious, eh!
