# Radvd on Hardened

## Herring42

Hi,

I've a hardened server that I'm running radvd on. I get the following filling up the logs:

```
Apr 14 16:47:40 beth radvd[7791]: can't open /proc/net/igmp6: No such file or directory
Apr 14 16:47:40 beth radvd[7791]: problem checking all-routers membership on eth0
```

Running radvd as root stops them, but it would appear that /proc/net/igmp6 can't be read unless you are root.

```
root> ls -l /proc/net/igmp6
-r--r--r-- 1 root wheel 0 Apr 14 17:08 /proc/net/igmp6
```

How do I enable access from another user (specifically radvd!)?

----------

## Sadako

Presuming you're not using the grsec RBAC (via gradm), then this depends on your hardened kernel options.

Could you post the output of `grep GRKERNSEC` on your kernel config?

----------

## pigeon768

Presumably it's related to one of the following: 

```
pigeon@morale ~ $ zgrep GRKERNSEC_PROC /proc/config.gz
gzip: /proc/config.gz: Permission denied
pigeon@morale ~ $ fuck
-bash: fuck: command not found
pigeon@morale ~ $ sudo zgrep GRKERNSEC_PROC /proc/config.gz
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=10
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
pigeon@morale ~ $
```

----------

## Herring42

I'm guessing that's it.

So I need to add the radvd user to wheel? Is there a finer grained approach I should be using?

----------

## Herring42

Adding radvd to wheel didn't help :(

----------

## Sadako

*Herring42 wrote:*

> Adding radvd to wheel didn't help

That's because there is no default GID for this setting, so yours is most likely different than pigeon768's, who has set it to the same GID as the wheel group.

I find it best to create a new 'proc' group, set that as the GID in CONFIG_GRKERNSEC_PROC_GID, and then add any users who need it to that group.

But like I said, it depends on your kernel config...

----------

## Herring42

```
grep GRKERNSEC_PROC .config
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=10
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
```

Nope, it was the same, but I take your point about a new group. I'll try that next.

----------
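An added example, not part of any post in this thread: a shell check that reads CONFIG_GRKERNSEC_PROC_GID from a kernel config, tests whether a user is listed in that group, and tests whether a process's credentials actually include that GID. The function names and the sample files are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: helper names and sample data are hypothetical, not part of
# radvd or grsecurity.

# Print the value of CONFIG_GRKERNSEC_PROC_GID from a kernel config file ($1).
proc_gid_from_config() {
    sed -n 's/^CONFIG_GRKERNSEC_PROC_GID=\([0-9][0-9]*\)$/\1/p' "$1" | head -n 1
}

# Succeed if the /etc/group-format file $3 lists user $1 as a member of GID $2.
user_listed_in_gid() {
    awk -F: -v u="$1" -v g="$2" '
        $3 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$3"
}

# Succeed if the /proc/<pid>/status-format file $2 carries GID $1, either as
# the effective GID (second value on the Gid: line) or on the Groups: line.
status_has_gid() {
    awk -v g="$1" '
        $1 == "Gid:" && $3 == g { found = 1 }
        $1 == "Groups:" { for (i = 2; i <= NF; i++) if ($i == g) found = 1 }
        END { exit !found }' "$2"
}

# Constructed sample inputs (not taken from a real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'CONFIG_GRKERNSEC_PROC_USERGROUP=y\nCONFIG_GRKERNSEC_PROC_GID=10\n' > "$tmp/config"
printf 'wheel:x:10:root,radvd\nradvd:x:75:\n' > "$tmp/group"
# Constructed status of a process whose credentials do not include GID 10.
printf 'Name:\tradvd\nUid:\t75\t75\t75\t75\nGid:\t75\t75\t75\t75\nGroups:\t75\n' > "$tmp/status"

gid=$(proc_gid_from_config "$tmp/config")
echo "kernel proc GID: $gid"
if user_listed_in_gid radvd "$gid" "$tmp/group"; then
    echo "radvd is listed as a member of GID $gid"
fi
if ! status_has_gid "$gid" "$tmp/status"; then
    echo "the sampled process does not carry GID $gid"
fi
```

On a live host, point the functions at the kernel `.config`, `/etc/group`, and the `/proc/<pid>/status` file of the running daemon.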

