java and chroot problem

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Post by lroma » Mon Apr 07, 2003 9:29 am

Hi all!

After installing Red Hat's latest glibc update (2.3.2-4.80) for Red Hat Linux 8.0, I'm unable to run my tomcat server in a chrooted jail. The problem is that java does not work anymore chrooted (signal 11...) :(
I've tried with grsec 1.9.8 and 1.9.9f (with the appropriate versions of chpax.c)

Help me!
Thanks
lele
lroma
 
Posts: 5
Joined: Mon Apr 07, 2003 9:01 am

Post by spender » Mon Apr 07, 2003 11:44 am

Do you see any chroot-related logs from grsecurity? Can you paste the configuration you have for the chroot options?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Post by lroma » Mon Apr 07, 2003 12:32 pm

I've "chpaxed" /chroot/tomcat/java/bin/java with options -msrp and
when I try as root (grsec-1.9.9f and chpax of 2003-04-01):
chroot /chroot/tomcat /java/bin/java
I get this in the logs:

kernel: grsec: From 172.16.100.14: signal 11 sent to (java:11483) UID(0) EUID(0), parent (bash:11408) UID(0) EUID(0)
kernel: grsec: From 172.16.100.14: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by (java:11483) UID(0) EUID(0), parent (bash:11408) UID(0) EUID(0)

and "Segmentation fault" on my ssh console.

I'm using sysctl and now ALL things in /proc/.../grsecurity related to chroot are set to zero.

Thanks,
lele
lroma
 
Posts: 5
Joined: Mon Apr 07, 2003 9:01 am

strace

Post by lroma » Tue Apr 08, 2003 6:04 am

If it may help, this is the output of:
strace -v chroot /chroot/tomcat /java/bin/java
....
_sysctl({{CTL_KERN, KERN_VERSION}, 2, 0xbfffe4cc, 35, (nil), 0}) = 0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

lele
lroma
 
Posts: 5
Joined: Mon Apr 07, 2003 9:01 am

Post by spender » Tue Apr 08, 2003 9:02 am

Can you try a clean 2.4.20 kernel? If you disabled all the chroot options via sysctl, there won't be any of grsec's chroot restrictions running. I'm not 100% convinced this is the result of grsecurity, additionally due to there being no logs from grsec. java runs fine when it's not chrooted?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Post by lroma » Tue Apr 08, 2003 9:33 am

Yes!! You convinced me to try another way...
I copied ALL /lib to /chroot/tomcat/lib and now it works!!
I would like to know what has changed between the two versions so that other libs are now required... (I will inquire, any suggestions?)
Sorry for the waste of your time :(

Thanks a lot!
lele
lroma
 
Posts: 5
Joined: Mon Apr 07, 2003 9:01 am

Post by spender » Tue Apr 08, 2003 9:37 am

It's always good when setting up a chroot for an app to run ldd on the app to make sure you have all the required libraries. Otherwise you'll run into the problem you had.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
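
The ldd check recommended in the last reply, as an added example (not part of the original thread and not grsecurity code). It lists the libraries a jailed binary links against that are absent from the jail; the function names and the sample ldd output are constructed for illustration, and the jail and binary paths in the usage comment are the ones from the thread.

```shell
#!/bin/sh
# Constructed sample of `ldd` output, used when no real binary is at hand.
SAMPLE_LDD='	linux-gate.so.1 =>  (0xffffe000)
	libpthread.so.0 => /lib/libpthread.so.0 (0x40020000)
	libc.so.6 => /lib/libc.so.6 (0x40050000)
	libfoo.so => not found
	/lib/ld-linux.so.2 (0x40000000)'

# Read `ldd` output on stdin and print one absolute library path per line.
# Entries with no backing file (linux-gate, linux-vdso) are skipped;
# libraries ldd could not resolve are reported as UNRESOLVED:<name>.
ldd_paths() {
    awk '
        /=> not found/            { print "UNRESOLVED:" $1; next }
        $2 == "=>" && $3 ~ /^\//  { print $3; next }
        $1 ~ /^\//                { print $1 }
    '
}

# Read library paths on stdin and print those that do not exist under the
# jail directory given as $1. Note: -e follows symlinks, so an absolute
# symlink inside the jail is resolved against the host root, not the jail.
missing_in_chroot() {
    jail=$1
    while IFS= read -r p; do
        case $p in
            UNRESOLVED:*) echo "$p" ;;
            *) [ -e "$jail$p" ] || echo "$p" ;;
        esac
    done
}

# Usage: check_chroot_libs /chroot/tomcat /java/bin/java
# ldd can run code from the inspected file, so use it on trusted binaries only.
check_chroot_libs() {
    jail=$1
    bin=$2
    ldd "$jail$bin" | ldd_paths | missing_in_chroot "$jail"
}

# When invoked as a script with two arguments, run the check directly.
if [ "$#" -eq 2 ]; then
    check_chroot_libs "$1" "$2"
fi
```

ldd reports only link-time dependencies; libraries a program loads at run time with dlopen() do not appear in its output and have to be found another way, for example with strace.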
