Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 21 Jun 2020 14:58:34 +0200
From: Solar Designer <solar@...nwall.com>
To: lkrg-users@...ts.openwall.com
Subject: Re: The lkrg.service for systemd

On Sun, Jun 21, 2020 at 11:07:10AM +0200, Mikhail Morfikov wrote:
> On 20/06/2020 23:39, Solar Designer wrote:
> > On Fri, Jun 05, 2020 at 05:36:49PM +0200, Mikhail Morfikov wrote:
> >> You provide the lkrg.service file for systemd. It basically loads/unloads the 
> >> LKRG module and currently has the following boot dependencies:
> >>
> >>     After=basic.target
> >>     Before=network.target
> > 
> > As I recall, part of the rationale here was to load LKRG before a
> > potential attacker could connect over network.  
> 
> In such case, you should use network-pre.target instead of just network.target.
> See here[1] for detailed explanation. 
> 
> [1]: https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/

Thank you!  Looks like our choice of simply network.target is a bug as
it does not fully meet the rationale.

There's yet another issue, though: LKRG may take a little while to
initialize before it's fully monitoring for attacks and enforcing its
configured policies, yet the boot process may concurrently proceed
further and e.g. start crond and an exploit from there.

Do you have suggestions on how to make system boot process wait before
advancing to a phase where user code may run until LKRG is ready?

> Sysctl also has its /etc/sysctl.d/ dir, in which you can place a file like 
> 99-lkrg.conf, and add all the sysctl options (commented out and maybe with 
> some description for easier config). This is also systemd specific option 
> and it has the following deps:
> 
>   After=systemd-modules-load.service
>   Before=sysinit.target

As discussed on this mailing list before you joined, setting LKRG
sysctl's from /etc/sysctl.conf or /etc/sysctl.d didn't work because
these were processed before LKRG is loaded.  With your suggested
alternative below, this should become possible.

> So to sum up, I think the following set of file would be needed:
> 
> /etc/modules-load.d/99-lkrg.conf  # to load the LKRG module
> /etc/modprobe.d/lkrg.conf         # to set module options
> /etc/sysctl.d/99-lkrg.conf        # to change LKRG config via sysctl -p
> 
> As you can see, if you want to support systemd init, you don't have to make
> another service file, just use the three files above, and systemd will take 
> care of dependencies and other stuff needed to load kernel modules.

This sounds right.

What would you suggest we put into the documentation for those wanting
to use other init systems?  Our current draft documentation (not yet
committed) for the upcoming 0.8 release contains this:

---
Installation
------------

If your Linux distribution uses systemd, you can install LKRG with:

        sudo make install

while you're still in its top level source code directory.

Run the following command to start the LKRG service just like it would be
started on next system bootup:

        sudo systemctl start lkrg

You can uninstall LKRG using "make" as well (still in the same directory):

        sudo make uninstall

In fact, you would need to do this before installing a new version of LKRG.

You can also use the following command to temporarily stop the LKRG service
without uninstalling it:

        sudo systemctl stop lkrg

We don't in any way favor systemd over other init systems, and would gladly add
support for those as well if there's demand or especially if we receive such
contributions.  Meanwhile, on a system without systemd you can let "sudo make
install" partially complete (up to the point where it finds you're not using
systemd) and then use:

        sudo modprobe p_lkrg

to load the module.  You can also put the "modprobe p_lkrg" command into a
system startup script.
---

With the 0.8 release being (hopefully) just around the corner, I think
switching to /etc/modules-load.d/99-lkrg.conf is too invasive a change
right now, but perhaps we can change the Before/After lines for now and
plan on making further changes for 0.9.

> I would suggest something like:
> 
>   After=systemd-modules-load.service  # to make sure all other modules are loaded
>   Before=sysinit.target               # to load LKRG as fast a possible

Can you please test this suggestion of yours and confirm that it works?

Thanks,

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.