cron and grsec(2.0-pre1 and 1.9.9f)

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Post by Snipi » Mon Apr 14, 2003 9:02 am

Hi ... I have a little problem with cron :-?
All works fine until the moment I patch the kernel (2.4.20) with grsec2.0-pre1 (the same problem with 1.9.9f).
All works fine with old kernels and patches; for example, my old kernel 2.4.20 was patched with grsecurity-1.9.9c.
gradm is disabled.

I can't use cron from root or user level.
Debian 3.0
cron ver 3.0pl1-72

/var/log/auth.log shows me:
---
Apr 14 14:55:01 bitchx cron(pam_unix)[11155]: session opened for user root by (uid=0)
Apr 14 14:55:01 bitchx CRON[11155]: Permission denied
---

My kernel config (the same for 1.9.9c, 1.9.9f and 2.0-pre1):
---
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CUSTOM=y

CONFIG_GRKERNSEC_PAX_NOEXEC=y
CONFIG_GRKERNSEC_PAX_SEGMEXEC=y
CONFIG_GRKERNSEC_PAX_EMUTRAMP=y

CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=50
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y

CONFIG_GRKERNSEC_AUDIT_GROUP=y
CONFIG_GRKERNSEC_AUDIT_GID=50
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y

CONFIG_GRKERNSEC_EXECVE=y

CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y

CONFIG_GRKERNSEC_SYSCTL=y

CONFIG_GRKERNSEC_FLOODTIME=1
CONFIG_GRKERNSEC_FLOODBURST=4
---
The rest is not set for grsecurity.
Snipi
 
Posts: 4
Joined: Mon Apr 14, 2003 8:49 am

Post by spender » Mon Apr 14, 2003 9:58 am

Can you strace it and find out what it's getting a "permission denied" for?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Post by Snipi » Mon Apr 14, 2003 2:08 pm

Sorry, I don't know strace very well, but maybe this could help a little:
strace -ff -o cron /usr/sbin/cron
This will generate the file

http://www.bitchx.eu.org/cron.log

and one more file, cron.PID

http://www.bitchx.eu.org/cron.18261.log

The first has 1870 and the second has 6525 bytes, so that's the reason why I put these logs on the web (I don't want to flood here ;)

-Snipi
Snipi
 
Posts: 4
Joined: Mon Apr 14, 2003 8:49 am

Post by spender » Mon Apr 14, 2003 2:13 pm

There are no errors returned from the syscalls. For that reason, I don't believe this is the fault of grsec, though I don't know why it would print that error. You would need to look at the source for cron to determine the problem.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Post by Snipi » Mon Apr 14, 2003 3:35 pm

Anyway, thanks :wink:

---Snipi---
Snipi
 
Posts: 4
Joined: Mon Apr 14, 2003 8:49 am

Post by PaX Team » Mon Apr 14, 2003 5:21 pm

Snipi wrote: www.bitchx.eu.org/cron.18261.log
better remove this one, it has (part of) the root password hash in it (and change the password)... next, i think the error comes from PAM, check your config (even if you haven't changed it recently, it may have fallen victim to new grsecurity restrictions).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
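
An added example, not part of the thread or any poster's code: by default strace prints the first 32 bytes of each read/write buffer, which is enough for a line read from /etc/shadow to carry the user name and part of the hash, as noted in the post above. The sketch below redacts such buffers before a trace is shared; the sample trace lines, the `sanitize` name and the sensitive-path list are constructed for illustration.

```python
import re

# Files whose contents should never leave the host (assumed list, extend as needed).
SENSITIVE = ("/etc/shadow", "/etc/gshadow", "/etc/master.passwd")
OPEN_RE = re.compile(r'^open\("([^"]+)",.*\)\s*=\s*(\d+)')
CLOSE_RE = re.compile(r'^close\((\d+)\)')
IO_RE = re.compile(r'^(?:read|write)\((\d+), "((?:[^"\\]|\\.)*)"')
# Modular crypt prefix ($1$ MD5, $2a$ bcrypt, $5$/$6$ SHA), possibly truncated.
CRYPT_RE = re.compile(r'\$(?:1|2[abxy]?|5|6)\$[./A-Za-z0-9]{1,16}\$?[./A-Za-z0-9]*')

# Constructed sample in the style of strace output; not taken from the linked logs.
SAMPLE = "\n".join([
    'open("/etc/shadow", O_RDONLY) = 4',
    'read(4, "root:$1$Xk3vQ9aB$7hT2mPq0ZrLw1Yc"..., 4096) = 612',
    'close(4) = 0',
    'open("/etc/crontab", O_RDONLY) = 5',
    'read(5, "# /etc/crontab: system-wide cron"..., 4096) = 401',
    'close(5) = 0',
    # fd 3 was opened before this trace file began (inherited across fork)
    'read(3, "root:$1$Xk3vQ9aB$7hT2mPq0ZrLw1Yc"..., 4096) = 612',
]) + "\n"

def sanitize(trace):
    """Return (redacted_trace, findings); findings are (line_no, reason)."""
    fds, out, findings = {}, [], []
    for n, line in enumerate(trace.splitlines(), 1):
        m = OPEN_RE.match(line)
        if m:
            fds[m.group(2)] = m.group(1)      # remember which path each fd refers to
        m = CLOSE_RE.match(line)
        if m:
            fds.pop(m.group(1), None)         # fd numbers get reused after close
        m = IO_RE.match(line)
        if m:
            buf, path = m.group(2), fds.get(m.group(1), "")
            if path in SENSITIVE:             # drop the whole buffer
                findings.append((n, "buffer from " + path))
                buf = "[REDACTED]"
            elif CRYPT_RE.search(buf):        # unknown fd: fall back to pattern match
                findings.append((n, "crypt-style hash in buffer"))
                buf = CRYPT_RE.sub("[REDACTED]", buf)
            line = line[:m.start(2)] + buf + line[m.end(2):]
        out.append(line)
    return "\n".join(out) + "\n", findings

if __name__ == "__main__":
    cleaned, hits = sanitize(SAMPLE)
    print(cleaned, hits, sep="\n")
```

Redaction only limits what a shared log reveals; a hash that has already been published still calls for the password change recommended above.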

Post by Snipi » Wed Apr 16, 2003 5:58 pm

Okie dokie...
The problem was fixed.
I installed the new cron (cron_3.0pl1-73) package, but with that I had to install the new pam (0.76-9) and glibc6 (2.3.1-16) with other little libs :)

Thanks for the help.

Thanks to PaX Team for the security info.
Snipi
 
Posts: 4
Joined: Mon Apr 14, 2003 8:49 am

