Hello!
I am having some issues with grsec and MySQL.
Here is what happens when I try to create a database:
# mysqladmin -p create tester
Enter password:
mysqladmin: CREATE DATABASE failed; error: 'Can't create database 'tester'. (errno: 13)'
The console log reports:
grsec: attempt to mkdir ./tester by (mysqld:11655) UID(27) EUID(27). parent (mysqld:8161) UID(27) EUID(27)
I have tried several different ACL configurations. Here is the one I am currently testing with:
/usr/local/mysql/bin/mysqld {
/ r
/usr rwx
/usr/local/mysql rwx
}
/usr/local/mysql/bin/mysqladmin {
/ r
/usr rwx
/usr/local/mysql rwx
}
I've tried learning mode with no success. Any help would be greatly appreciated!
Thanks
-Michael
grsec ACL problems
12 posts
• Page 1 of 1
grsec ACL problems
by ether » Thu Jan 09, 2003 3:33 pm
- ether
- Posts: 14
- Joined: Wed Jan 08, 2003 7:52 pm
by ether » Fri Jan 10, 2003 3:36 pm
Even when grsec was in learning mode for the various MySQL binaries, I would still receive the same errors as described in my first post:
mysqladmin: CREATE DATABASE failed; error: 'Can't create database 'tester'. (errno: 13)'
mysqladmin: CREATE DATABASE failed; error: 'Can't create database 'tester'. (errno: 13)'
- ether
- Posts: 14
- Joined: Wed Jan 08, 2003 7:52 pm
re:
by ether » Fri Jan 10, 2003 6:54 pm
The databases are located in /usr/local/mysql/var/
Here are the ACLs (Same ACLs apply for mysql and mysqladmin):
/usr/local/mysql/bin/mysqld lo {
/ h
-CAP_ALL
RES_FSIZE 0 0
RES_DATA 0 0
RES_RSS 0 0
RES_NOFILE 0 0
RES_MEMLOCK 0 0
RES_STACK 0 0
RES_AS 0 0
RES_NPROC 0 0
RES_LOCKS 0 0
connect {
disabled
}
bind {
disabled
}
}
Here are the LEARN logs from /var/log/messages:
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669660:/lib/ld-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669660:/lib/ld-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669660:/lib/ld-2.2.5.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1540250:/usr/local/mysql/lib/mysql/libmysqlclient.so.10.0.0:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1540250:/usr/local/mysql/lib/mysql/libmysqlclient.so.10.0.0:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1540250:/usr/local/mysql/lib/mysql/libmysqlclient.so.10.0.0:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1540250:/usr/local/mysql/lib/mysql/libmysqlclient.so.10.0.0:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1081251:/etc/ld.so.cache:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1081251:/etc/ld.so.cache:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1081251:/etc/ld.so.cache:8
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:622413:/usr/lib/libz.so.1.1.4:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:622413:/usr/lib/libz.so.1.1.4:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:622413:/usr/lib/libz.so.1.1.4:1Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:622413:/usr/lib/libz.so.1.1.4:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669664:/lib/libcrypt-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669664:/lib/libcrypt-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669664:/lib/libcrypt-2.2.5.so:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669664:/lib/libcrypt-2.2.5.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669671:/lib/libnsl-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669671:/lib/libnsl-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669671:/lib/libnsl-2.2.5.so:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669671:/lib/libnsl-2.2.5.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669669:/lib/libm-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669669:/lib/libm-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669669:/lib/libm-2.2.5.so:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669669:/lib/libm-2.2.5.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669663:/lib/libc-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669663:/lib/libc-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669663:/lib/libc-2.2.5.so:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669663:/lib/libc-2.2.5.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1080312:/etc/nsswitch.conf:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1080312:/etc/nsswitch.conf:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1081251:/etc/ld.so.cache:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1081251:/etc/ld.so.cache:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1081251:/etc/ld.so.cache:8
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669673:/lib/libnss_db-2.2.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669673:/lib/libnss_db-2.2.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669673:/lib/libnss_db-2.2.so:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669673:/lib/libnss_db-2.2.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669675:/lib/libnss_files-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669675:/lib/libnss_files-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669675:/lib/libnss_files-2.2.5.so:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669675:/lib/libnss_files-2.2.5.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669665:/lib/libdb-3.1.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669665:/lib/libdb-3.1.so:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669665:/lib/libdb-3.1.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1080315:/etc/services:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1080315:/etc/services:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:25576:25576::3
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1080326:/etc/my.cnf:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1080326:/etc/my.cnf:1
Jan 10 17:54:30 ethericmist kernel: grsec: From 192.168.0.6: LEARN:2052:427217:0:0::1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:392833:/dev:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:393060:/dev/tty:5
Jan 10 17:54:31 ethericmist kernel: grsec: LEARN:2052:427217:2052:949682:/tmp/mysql.sock:16
Jan 10 17:54:31 ethericmist kernel: grsec: LEARN:2052:427217:2052:949682:/tmp/mysql.sock:5
Jan 10 17:54:31 ethericmist kernel: grsec: LEARN:2052:427217:2052:2194964:/usr/local/mysql/share/mysql/charsets/Index:16
Jan 10 17:54:31 ethericmist kernel: grsec: LEARN:2052:427217:2052:2194964:/usr/local/mysql/share/mysql/charsets/Index:1
Thanks!
-Michael
Here are the ACLs (Same ACLs apply for mysql and mysqladmin):
/usr/local/mysql/bin/mysqld lo {
/ h
-CAP_ALL
RES_FSIZE 0 0
RES_DATA 0 0
RES_RSS 0 0
RES_NOFILE 0 0
RES_MEMLOCK 0 0
RES_STACK 0 0
RES_AS 0 0
RES_NPROC 0 0
RES_LOCKS 0 0
connect {
disabled
}
bind {
disabled
}
}
Here are the LEARN logs from /var/log/messages:
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669660:/lib/ld-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669660:/lib/ld-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669660:/lib/ld-2.2.5.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1540250:/usr/local/mysql/lib/mysql/libmysqlclient.so.10.0.0:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1540250:/usr/local/mysql/lib/mysql/libmysqlclient.so.10.0.0:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1540250:/usr/local/mysql/lib/mysql/libmysqlclient.so.10.0.0:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1540250:/usr/local/mysql/lib/mysql/libmysqlclient.so.10.0.0:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1081251:/etc/ld.so.cache:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1081251:/etc/ld.so.cache:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1081251:/etc/ld.so.cache:8
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:622413:/usr/lib/libz.so.1.1.4:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:622413:/usr/lib/libz.so.1.1.4:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:622413:/usr/lib/libz.so.1.1.4:1Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:622413:/usr/lib/libz.so.1.1.4:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669664:/lib/libcrypt-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669664:/lib/libcrypt-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669664:/lib/libcrypt-2.2.5.so:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669664:/lib/libcrypt-2.2.5.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669671:/lib/libnsl-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669671:/lib/libnsl-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669671:/lib/libnsl-2.2.5.so:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669671:/lib/libnsl-2.2.5.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669669:/lib/libm-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669669:/lib/libm-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669669:/lib/libm-2.2.5.so:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669669:/lib/libm-2.2.5.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669663:/lib/libc-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669663:/lib/libc-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669663:/lib/libc-2.2.5.so:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669663:/lib/libc-2.2.5.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1080312:/etc/nsswitch.conf:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1080312:/etc/nsswitch.conf:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1081251:/etc/ld.so.cache:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1081251:/etc/ld.so.cache:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1081251:/etc/ld.so.cache:8
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669673:/lib/libnss_db-2.2.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669673:/lib/libnss_db-2.2.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669673:/lib/libnss_db-2.2.so:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669673:/lib/libnss_db-2.2.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669675:/lib/libnss_files-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669675:/lib/libnss_files-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669675:/lib/libnss_files-2.2.5.so:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669675:/lib/libnss_files-2.2.5.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669665:/lib/libdb-3.1.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669665:/lib/libdb-3.1.so:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669665:/lib/libdb-3.1.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1080315:/etc/services:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1080315:/etc/services:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:25576:25576::3
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1080326:/etc/my.cnf:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1080326:/etc/my.cnf:1
Jan 10 17:54:30 ethericmist kernel: grsec: From 192.168.0.6: LEARN:2052:427217:0:0::1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:392833:/dev:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:393060:/dev/tty:5
Jan 10 17:54:31 ethericmist kernel: grsec: LEARN:2052:427217:2052:949682:/tmp/mysql.sock:16
Jan 10 17:54:31 ethericmist kernel: grsec: LEARN:2052:427217:2052:949682:/tmp/mysql.sock:5
Jan 10 17:54:31 ethericmist kernel: grsec: LEARN:2052:427217:2052:2194964:/usr/local/mysql/share/mysql/charsets/Index:16
Jan 10 17:54:31 ethericmist kernel: grsec: LEARN:2052:427217:2052:2194964:/usr/local/mysql/share/mysql/charsets/Index:1
Thanks!
-Michael
- ether
- Posts: 14
- Joined: Wed Jan 08, 2003 7:52 pm
by spender » Sat Jan 11, 2003 5:21 pm
you can't be using 1.9.8 stable, because you wouldn't have
Jan 10 17:54:30 ethericmist kernel: grsec: From 192.168.0.6: LEARN:2052:427217:0:0::1
in your logs. This was fixed some time before the final release of 1.9.8. Check your kernel to make sure. You may want to take a clean kernel and repatch it with the 1.9.8 stable release. You don't have anything else patched in as well do you?
-Brad
Jan 10 17:54:30 ethericmist kernel: grsec: From 192.168.0.6: LEARN:2052:427217:0:0::1
in your logs. This was fixed some time before the final release of 1.9.8. Check your kernel to make sure. You may want to take a clean kernel and repatch it with the 1.9.8 stable release. You don't have anything else patched in as well do you?
-Brad
- spender
- Posts: 2185
- Joined: Wed Feb 20, 2002 8:00 pm
by ether » Sun Jan 12, 2003 5:47 pm
I redownloaded the grsec-1.9.8 stable patch and patched a fresh kernel source. The only other patches I applied are the new (01-07-2003) netfilter patch-o-matic patches. I rebooted to the new kernel and tested things out again. I am still having the same problems as I listed earlier.
- ether
- Posts: 14
- Joined: Wed Jan 08, 2003 7:52 pm
12 posts
• Page 1 of 1