From: Kerin Millar grsecurity contains a number of options which allow certain protections to be applied to or exempted from members of a given group. However, the default GIDs specified in the upstream patch are entirely arbitrary and there is no telling which (if any) groups the GIDs will correlate with on an end-user's system. Because some users don't pay a great deal of attention to the finer points of kernel configuration, it is probably wise to specify some reasonable defaults so as to stop careless users from shooting themselves in the foot. --- a/grsecurity/Kconfig +++ b/grsecurity/Kconfig @@ -404,7 +404,7 @@ config GRKERNSEC_PROC_GID int "GID for special group" depends on GRKERNSEC_PROC_USERGROUP - default 1001 + default 10 config GRKERNSEC_PROC_ADD bool "Additional restrictions" @@ -613,7 +613,7 @@ config GRKERNSEC_AUDIT_GID int "GID for auditing" depends on GRKERNSEC_AUDIT_GROUP - default 1007 + default 100 config GRKERNSEC_EXECLOG bool "Exec logging" @@ -799,7 +799,7 @@ config GRKERNSEC_TPE_GID int "GID for untrusted users" depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT - default 1005 + default 100 help Setting this GID determines what group TPE restrictions will be *enabled* for. If the sysctl option is enabled, a sysctl option @@ -808,7 +808,7 @@ config GRKERNSEC_TPE_GID int "GID for trusted users" depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT - default 1005 + default 10 help Setting this GID determines what group TPE restrictions will be *disabled* for. If the sysctl option is enabled, a sysctl option @@ -879,7 +879,7 @@ config GRKERNSEC_SOCKET_ALL_GID int "GID to deny all sockets for" depends on GRKERNSEC_SOCKET_ALL - default 1004 + default 65534 help Here you can choose the GID to disable socket access for. Remember to add the users you want socket access disabled for to the GID @@ -900,7 +900,7 @@ config GRKERNSEC_SOCKET_CLIENT_GID int "GID to deny client sockets for" depends on GRKERNSEC_SOCKET_CLIENT - default 1003 + default 65534 help Here you can choose the GID to disable client socket access for. Remember to add the users you want client socket access disabled for to @@ -918,7 +918,7 @@ config GRKERNSEC_SOCKET_SERVER_GID int "GID to deny server sockets for" depends on GRKERNSEC_SOCKET_SERVER - default 1002 + default 65534 help Here you can choose the GID to disable server socket access for. Remember to add the users you want server socket access disabled for to