I tried to use the latest version (lids-2.2.3rc11-2.6.34.patch), but the kernel does not boot correctly: as soon as LIDS is started it can no longer mount the root file system.
Has something fundamental been changed compared to the old version (lids-2.2.3rc10-2.6.33.patch)?
I get "mount: permission denied", followed by a message that the attempt to remount the root device read-write failed.
For both kernels I use the same LIDS rule set, and I copied the old kernel config to the new kernel, so they should be the same.
I copy my rule set below (note the -1 recursive permissions; I will change them later once everything is working correctly).
Adding lids=0 to the boot parameters to turn LIDS off works perfectly and the system boots, so I know the problem is LIDS.
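#!/bin/sh
# Load the LIDS access-control rule set for this host.
#
# Every rule is installed with lidsconf(8).  The previous version of this
# script discarded both stdout and stderr of every 'lidsconf -A' call, so a
# rule that was rejected left no trace and the resulting policy was silently
# weaker than intended.  Here each rejected rule is echoed to stderr, counted
# per section, and turned into a non-zero exit status; lidsconf's own stderr
# is left visible so the reason for a rejection can actually be read.
#
# The rule set itself (paths, capabilities, -i inheritance levels) is kept
# exactly as before; only the plumbing around lidsconf changed.
#
# Environment:
#   LIDSCONF   path to the lidsconf binary (default: /sbin/lidsconf)
# Exit status:
#   0 if every rule was installed and the rule set compiled, 1 otherwise.

set -u

LIDSCONF="${LIDSCONF:-/sbin/lidsconf}"

failures=0        # lidsconf calls rejected in the current section
total_failures=0  # lidsconf calls rejected over the whole run

# begin TITLE -- print the section header without a trailing newline.
# printf is used because 'echo -n' is not portable under /bin/sh.
begin() {
  failures=0
  printf '%s' "$1"
}

# finish -- close the current section with OK or the number of rejections.
finish() {
  if [ "$failures" -eq 0 ]; then
    printf 'OK\n'
  else
    printf 'FAILED (%d rejected)\n' "$failures"
  fi
}

# run ARGS... -- invoke lidsconf with ARGS; stdout is dropped, stderr is kept.
# A failing call is reported on stderr together with the exact arguments so
# the gap in the policy is visible, and is counted for the exit status.
run() {
  if "$LIDSCONF" "$@" >/dev/null; then
    return 0
  fi
  printf 'lidsconf %s: failed\n' "$*" >&2
  failures=$((failures + 1))
  total_failures=$((total_failures + 1))
  return 1
}

# rule ARGS... -- shorthand for 'run -A ARGS...'.
rule() {
  run -A "$@"
}

# Clear all entries
begin "Clearing old entries...................................."
run -Z
run -Z BOOT
run -Z POSTBOOT
run -Z SHUTDOWN
finish

# Write protect default folders
begin "Protect default folders with read-only permissions......"
rule -o /etc/lids -j DENY
rule -o /bin -j READONLY
rule -o /sbin -j READONLY
rule -o /usr/bin -j READONLY
rule -o /usr/sbin -j READONLY
rule -o /usr/local/bin -j READONLY
rule -o /usr/local/sbin -j READONLY
rule POSTBOOT -o /lib -j READONLY
rule -o /usr/lib -j READONLY
rule -o /usr/local/lib -j READONLY
rule -o /usr/libexec -j READONLY
rule -o /boot -j READONLY
finish

# Setup configuration folders
begin "Protect configuration folders..........................."
#rule -o /etc -j READONLY
rule -o /etc/rc.d -j READONLY
#rule -o /etc/shadow -j READONLY
#rule -o /etc/shadow- -j READONLY
#rule POSTBOOT -o /etc/shadow -j DENY
#rule POSTBOOT -o /etc/shadow- -j DENY
rule -o /etc/lilo.conf -j DENY
finish

# Enable system authentication
begin "Enable system authentication............................"
rule POSTBOOT -s /bin/su -o /etc/shadow -j READONLY
rule -s /bin/su -o CAP_SETUID -j GRANT
rule -s /bin/su -o CAP_SETGID -j GRANT
rule POSTBOOT -s /bin/login -o /etc/shadow -j READONLY
rule -s /bin/login -o CAP_SETUID -j GRANT
rule -s /bin/login -o CAP_SETGID -j GRANT
rule -s /bin/login -o CAP_CHOWN -j GRANT
rule -s /bin/login -o CAP_FSETID -j GRANT
finish

# Protect root folder, but allow bash history
begin "Protect root folder....................................."
rule -o /root -j READONLY
rule -s /bin/bash -o /root/.bash_history -j WRITE
finish

# Set boot script permissions
begin "Set boot script permissions............................."
rule -s /etc/rc.d/rc.M -i -1 -o CAP_SYS_ADMIN -j GRANT
rule -s /etc/rc.d/rc.S -i -1 -o CAP_SYS_ADMIN -j GRANT
rule -s /etc/rc.d/rc.inet1 -i -1 -o CAP_SYS_MODULE -j GRANT
rule -s /etc/rc.d/rc.inet2 -i -1 -o CAP_SYS_MODULE -j GRANT
rule -s /etc/rc.d/rc.modules -i -1 -o CAP_SYS_MODULE -j GRANT
rule -s /usr/sbin/rsyslogd -i -1 -o CAP_SYS_MODULE -j GRANT
finish

# Set permissions for ssh
begin "Set ssh permissions....................................."
rule -s /usr/sbin/sshd -o /etc/shadow -j READONLY
rule -o /etc/ssh -j DENY
rule -s /usr/sbin/sshd -o /etc/ssh -j READONLY
#rule -s /usr/sbin/sshd -o /var/log/wtmp -j WRITE
#rule -s /usr/sbin/sshd -o /var/log/lastlog -j WRITE
rule -s /usr/sbin/sshd -o CAP_SETUID -j GRANT
rule -s /usr/sbin/sshd -o CAP_SETGID -j GRANT
rule -s /usr/sbin/sshd -o CAP_FOWNER -j GRANT
rule -s /usr/sbin/sshd -o CAP_CHOWN -j GRANT
rule -s /usr/sbin/sshd -o CAP_DAC_OVERRIDE -j GRANT
rule -s /usr/sbin/sshd -o CAP_NET_BIND_SERVICE 22-22 -j GRANT
rule -s /usr/sbin/sshd -o CAP_SYS_CHROOT -j GRANT
rule -s /usr/sbin/sshd -o CAP_SYS_RESOURCE -j GRANT
rule -s /usr/sbin/sshd -o CAP_SYS_TTY_CONFIG -j GRANT
finish

# HALD
begin "Set hald permissions...................................."
#rule -s /usr/libexec/hald-probe-storage -o CAP_SYS_RAWIO -j GRANT
rule -s /usr/sbin/hald -o CAP_SYS_RAWIO -i 2 -j GRANT
finish

# Set permissions for QMail
begin "Protect QMail..........................................."
rule -o /var/qmail/bin -j READONLY
rule -o /var/qmail/supervise -j READONLY
rule -o /package/admin/daemontools/command -j READONLY
rule -s /package/admin/daemontools/command/supervise -o /var/qmail/supervise -j WRITE
rule -s /usr/local/bin/multilog -o /var/qmail/supervise -j WRITE
finish

# Dovecot
begin "Set up rules for dovecot................................"
rule -s /usr/sbin/dovecot -o CAP_SETPCAP -j GRANT
finish

# Spamassassin
begin "Set up rules for spamassassin..........................."
rule -s /usr/bin/spamd -o /etc/shadow -i -1 -j READONLY
rule -s /usr/bin/spamc -o /etc/shadow -i -1 -j READONLY
rule -s /package/admin/daemontools/command/supervise -o /etc/shadow -i -1 -j READONLY
finish

# Other files and folders
begin "Protect remaining folders/apps.........................."
rule -s /usr/local/sbin/arno-iptables-firewall -i -1 -o CAP_SYS_MODULE -j GRANT
rule -o /usr/src -j DENY
finish

# Compiling LIDS rules
begin "Compiling LIDS rules...................................."
run -C
finish

#rule -s /var/qmail/supervise/maildrop-logger/maildrop-pipe-watcher -i -1 -o /etc/shadow -j READONLY
#rule -s /var/qmail/supervise/qmail-updater/qmail-pipe-watcher -i -1 -o /etc/shadow -j READONLY

# A partially installed policy must not be mistaken for a complete one.
if [ "$total_failures" -ne 0 ]; then
  printf '%d lidsconf call(s) failed; the loaded LIDS policy is incomplete.\n' "$total_failures" >&2
  exit 1
fi
exit 0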