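#!/bin/bash
#
# Applies the 0/1 settings stored in /etc/grsec.conf to the grsecurity sysctl
# entries under /proc/sys/kernel/grsecurity/ and, when the config asks for it,
# sets grsec_lock afterwards.
#
# Usage: <script> start   apply the config file, then set the lock if enabled
#        <script> init    write a fresh config file listing every entry as 0
#        <script> stop    explain why the settings cannot be undone
#
# Any other argument is accepted and does nothing, as before.

CFGFILE="/etc/grsec.conf"
PROCPATH="/proc/sys/kernel/grsecurity/"
CTLFLAG="grsec_lock"

#######################################
# Print the two-line error banner and abort.
# Output goes to stdout, as the script has always done.
# Arguments: $1 - message
#######################################
fail() {
  echo "ERROR:"
  echo "$1"
  exit 1
}

#######################################
# Look up one key in the config file.
# Lines containing '#' anywhere are ignored (the original `grep -v "#"` rule).
# The key is compared exactly, so a name that is a substring of another
# entry's name no longer picks up that entry's value as well.
# Arguments: $1 - setting name
# Outputs:   one line per matching entry; the caller accepts only a single
#            "0" or "1", so duplicated or malformed entries are not applied
#######################################
config_value() {
  awk -F= -v key="$1" '
    /#/ { next }
    index($0, "=") == 0 { next }
    {
      k = $1; v = $2
      gsub(/^[ \t]+|[ \t]+$/, "", k)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) print v
    }
  ' "$CFGFILE"
}

#######################################
# Write one value into a sysctl entry and report ok/error.
# Arguments: $1 - text printed before the result
#            $2 - entry name below PROCPATH
#            $3 - value to write
#######################################
apply_setting() {
  printf '%s' "$1"
  if echo "$3" > "${PROCPATH}/$2"; then
    echo "ok"
  else
    echo "error"
  fi
}

#######################################
# Create a new config file with the lock and every entry set to 0.
# An existing file is backed up first, after confirmation.
#######################################
do_init() {
  local answer backup entry name

  if [[ -e "$CFGFILE" ]]; then
    printf '%s' "Are you sure to overwrite current config-file: $CFGFILE? [y|n] "
    read -r answer
    # Same exit status as the original bare `exit` after the failed test.
    [[ "$answer" == "y" ]] || exit 1

    # Build the name once so the announced and the real backup match.
    # %H instead of %k: %k pads the hour with a space, which split the
    # unquoted cp arguments before 10:00.
    backup="${CFGFILE}_$(date +'%d%m%y%H%M%S')"
    echo "Creating backup of old file -> ${backup}"
    cp -p -- "$CFGFILE" "$backup" \
      || fail "Backup failed, leaving $CFGFILE untouched"
  fi

  echo "Creating new config file: ${CFGFILE}"
  # The file decides which settings are switched on before the lock is set,
  # so a newly created one must not be writable by group or others.
  # An existing file keeps the mode it already has.
  umask 022
  {
    echo "# CFGFILE for GrSecurity - Kernel 2.4 Security Enhancement"
    echo " "
    echo "# This entry must be set to enable(1) to work"
    echo "${CTLFLAG}=0"
    echo " "
    echo "# These are the available option 1=enable, 0=disable"
    while IFS= read -r entry; do
      name=${entry##*/}
      [[ "$name" == "$CTLFLAG" ]] && continue
      echo "${name}=0"
    done < <(find "$PROCPATH" ! -type d)
  } > "$CFGFILE"
}

#######################################
# Apply every entry from the config file, then set the lock if requested.
#######################################
do_start() {
  local entry name value lock_wanted=""

  [[ -r "$CFGFILE" ]] || fail "Cannot read config file: $CFGFILE"

  # Warn (do not refuse) when someone other than root could have edited the
  # file that is about to be applied as root.
  if [[ ! -O "$CFGFILE" ]] \
    || [[ -n "$(find -L "$CFGFILE" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]]; then
    echo "WARNING: $CFGFILE is not owned by root or is writable by group/others" >&2
  fi

  while IFS= read -r entry; do
    name=${entry##*/}
    value=$(config_value "$name")

    if [[ "$name" == "$CTLFLAG" ]]; then
      # The lock is written last, after all other entries.
      lock_wanted=$value
      continue
    fi

    case "$value" in
      0) apply_setting "Disabling $name: " "$name" 0 ;;
      1) apply_setting "Enabling $name: " "$name" 1 ;;
      *) echo "Unknown option for $name" ;;
    esac
  done < <(find "$PROCPATH" ! -type d)

  echo " "
  # NOTE(review): as in the original, the lock is set even when a write above
  # reported "error"; once locked, those entries stay as they are until reboot.
  if [[ "$lock_wanted" == "1" ]]; then
    apply_setting "Enabling GrSecurity: " "$CTLFLAG" 1
  else
    echo "Please set $CTLFLAG to 1 to enable"
  fi
}

main() {
  local action=${1:-}

  [[ "$(id -u)" == "0" ]] || fail "You must be root to set grsec vars!"
  [[ -d "$PROCPATH" ]] \
    || fail "It seems that grsecurity sysctl option isn't enabled"
  [[ -n "$action" ]] || fail "Please call me: $0 [start|init]"

  # Once the lock is set the entries are read-only, so "start" cannot work.
  if [[ "$action" == "start" \
    && "$(cat "${PROCPATH}/${CTLFLAG}")" == "1" ]]; then
    fail "Sorry: $CTLFLAG is set to 1. Changes not possible!"
  fi

  case "$action" in
    init)
      do_init
      ;;
    stop)
      echo "Sorry there is no stop possible."
      echo "After set $CTLFLAG all options are readonly."
      echo "Change settings in config-file and reboot!"
      ;;
    start)
      do_start
      ;;
  esac
}

main "$@"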