RBAC loses roles after software update


Post by voron » Thu Apr 17, 2008 7:49 am

Hello
I have a strange problem. RBAC loses roles for already running binaries which were updated without a restart. For example, vsftpd, running since 07 Apr:
Code:
# ps uax|grep vsftpd
root      8301  0.0  0.0   3520   852 ?        Ss   Apr07   0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
I updated vsftpd on 12 Apr:
Code:
# genlop vsftpd|tail -2
     Sat Apr 12 23:42:03 2008 >>> net-ftp/vsftpd-2.0.6
I reloaded RBAC and tried to connect:
Code:
 ftp 192.168.78.1
Connected to 192.168.78.1 (192.168.78.1).
500 OOPS: failed to open vsftpd log file:/var/log/vsftpd.log
ftp> quit
vsftpd begins to waste CPU and I see this in dmesg:
Code:
[894314.417005] grsec: From 192.168.78.2: (root:U:/) denied access to hidden file /var/log by /usr/sbin/vsftpd[vsftpd:22613] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/vsftpd[vsftpd:8301] uid/euid:0/0 gid/egid:0/0
[894314.418165] grsec: (root:U:/) denied bind() to 0.0.0.0 port 21 sock type stream protocol tcp by /usr/sbin/vsftpd[vsftpd:8301] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[894314.418326] grsec: (root:U:/) denied bind() to 0.0.0.0 port 21 sock type stream protocol tcp by /usr/sbin/vsftpd[vsftpd:8301] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[894314.418424] grsec: (root:U:/) denied bind() to 0.0.0.0 port 21 sock type stream protocol tcp by /usr/sbin/vsftpd[vsftpd:8301] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[894314.418562] grsec: (root:U:/) denied bind() to 0.0.0.0 port 21 sock type stream protocol tcp by /usr/sbin/vsftpd[vsftpd:8301] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[894314.418655] grsec: more alerts, logging disabled for 10 seconds
and in strace -rp 8301:
Code:
     0.000037 accept(3, 0xb207c794, [28]) = -1 EPERM (Operation not permitted)
     0.000037 rt_sigprocmask(SIG_BLOCK, [CHLD], NULL, 8) = 0
     0.000035 rt_sigprocmask(SIG_BLOCK, [HUP], NULL, 8) = 0
     0.000034 rt_sigprocmask(SIG_UNBLOCK, [CHLD], NULL, 8) = 0
     0.000035 rt_sigprocmask(SIG_UNBLOCK, [HUP], NULL, 8) = 0
     0.000036 accept(3, 0xb207c794, [28]) = -1 EPERM (Operation not permitted)
     0.000037 rt_sigprocmask(SIG_BLOCK, [CHLD], NULL, 8) = 0
     0.000035 rt_sigprocmask(SIG_BLOCK, [HUP], NULL, 8) = 0
     0.000034 rt_sigprocmask(SIG_UNBLOCK, [CHLD], NULL, 8) = 0
     0.000034 rt_sigprocmask(SIG_UNBLOCK, [HUP], NULL, 8) = 0
     0.000037 accept(3, 0xb207c794, [28]) = -1 EPERM (Operation not permitted)

I restarted vsftpd:
Code:
voron grsec # /etc/init.d/vsftpd restart
 * Stopping vsftpd ...                                 [ ok ]
 * Starting vsftpd ...                                 [ ok ]
voron grsec # ps uax|grep vsftpd
root     23009  0.0  0.0   3560   844 ?        Ss   12:18   0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
root     23027  0.0  0.0   2052   708 pts/10   R+   12:18   0:00 grep --colour=auto vsftpd
and am now able to connect:
Code:
ftp 192.168.78.1
Connected to 192.168.78.1 (192.168.78.1).
220 (vsFTPd 2.0.6)
Name (192.168.78.1:voron):
530 Please login with USER and PASS.
SSL not available
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit   
I got the same problem with an updated but not restarted sshd:
Code:
[893745.130755] grsec: (root:U:/) denied bind() to 0.0.0.0 port 22 sock type stream protocol tcp by /usr/sbin/sshd[sshd:8053] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[893745.131023] grsec: (root:U:/) denied bind() to 0.0.0.0 port 22 sock type stream protocol tcp by /usr/sbin/sshd[sshd:8053] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Of course I have subjects for sshd and vsftpd and they are working - a simple restart of the service fixes the problem. Maybe someone can explain this? I had other problems with vsftpd before the RBAC reload, like these: last RBAC load (note - before the vsftpd update; what happens when RBAC is loaded after the vsftpd update, I showed earlier in this post)
Code:
 Apr 12 00:08:26 voron [419599.901054] grsec: From 92.49.242.4: (root:U:/sbin/gradm) grsecurity 2.1.11 RBAC system loaded by /sbin/gradm[gradm:31255] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:6550] uid/euid:0/0 gid/egid:0/0
and vsftpd errors:
Code:
[grsec: From 192.168.78.2: (voron:U:/) denied bind() to 192.168.78.1 port 56827 sock type stream protocol tcp by /usr/sbin/vsftpd[vsftpd:9592] uid/euid:1000/1000 gid/egid:100/100, parent /usr/sbin/vsftpd [vsftpd:9349]uid/euid:65534/65534 gid/egid:65534/65534
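An added example, not part of the original post: a small triage script for the grsec denial lines shown above. It reports processes that are denied under some other subject (here `/`) although the policy has a dedicated subject for their binary, which is the symptom in the post. The field layout is inferred from the posted log lines, and the names `parse_denial`, `unmatched_subject_denials` and `policy_subjects` are hypothetical.

```python
import re
from collections import Counter

# Layout inferred from the dmesg lines in the post (an assumption, not a spec):
#   grsec: [From <ip>: ](<role>:<type>:<subject>) denied <what> by <exe>[<comm>:<pid>] ...
DENIAL = re.compile(
    r"grsec: (?:From (?P<src>\S+): )?"
    r"\((?P<role>[^:()]+):(?P<rtype>[^:()]+):(?P<subject>[^()]*)\) "
    r"denied (?P<what>.+?) by (?P<exe>/\S*)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
)

def parse_denial(line):
    """Return the fields of one grsec denial line, or None for any other line."""
    m = DENIAL.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["pid"] = int(fields["pid"])
    return fields

def unmatched_subject_denials(lines, policy_subjects):
    """Count denials per (exe, pid) where the binary has its own subject in the
    policy but the kernel logged the denial under a different subject."""
    hits = Counter()
    for line in lines:
        d = parse_denial(line)
        if d and d["exe"] in policy_subjects and d["subject"] != d["exe"]:
            hits[(d["exe"], d["pid"])] += 1
    return hits

# Log lines copied from the post; the last one is a policy-load message, not a denial.
SAMPLE = [
    "[894314.417005] grsec: From 192.168.78.2: (root:U:/) denied access to hidden file /var/log by /usr/sbin/vsftpd[vsftpd:22613] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/vsftpd[vsftpd:8301] uid/euid:0/0 gid/egid:0/0",
    "[894314.418165] grsec: (root:U:/) denied bind() to 0.0.0.0 port 21 sock type stream protocol tcp by /usr/sbin/vsftpd[vsftpd:8301] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "[893745.130755] grsec: (root:U:/) denied bind() to 0.0.0.0 port 22 sock type stream protocol tcp by /usr/sbin/sshd[sshd:8053] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "Apr 12 00:08:26 voron [419599.901054] grsec: From 92.49.242.4: (root:U:/sbin/gradm) grsecurity 2.1.11 RBAC system loaded by /sbin/gradm[gradm:31255] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:6550] uid/euid:0/0 gid/egid:0/0",
]

if __name__ == "__main__":
    # policy_subjects: binaries the poster says have their own subjects.
    subjects = {"/usr/sbin/vsftpd", "/usr/sbin/sshd"}
    for (exe, pid), n in sorted(unmatched_subject_denials(SAMPLE, subjects).items()):
        print(f"{exe} pid {pid}: {n} denial(s) outside its own subject; restart candidate")
```

Feed it `dmesg` output or the kernel log, with `policy_subjects` set to the binaries that have their own subject in the loaded policy.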