Cannot lock the password file; try again later.

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Post by spender » Wed Apr 23, 2003 9:06 am

Yes, the "?" character matches exactly one character.

As for the possibility of the /etc/shadow.pid thing, it wouldn't be possible because of the way the system is implemented. Plus, it would be incredibly slow. I would recommend using a passwd binary that uses a single /etc/.pwd.lock file.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Post by Murphy » Thu Apr 24, 2003 7:52 pm

miha wrote:
"grsec: From 64.202.110.30: denied link of /etc/shadow.2910 to /etc/shadow.lock by (passwd:2910) UID(0) EUID(0), parent (bash:21417) UID(502) EUID(502)"

I had the same thing on slackware-9.0
Passwd creates temp. file /etc/shadow.<PID_OF_PASSWD>
I had to enable rw on /etc for passwd to make things work

Question to Brad - is it possible to make an ACL that will work with passwd in the described way? We never know what the PID of passwd will be the next time you run it.
The default ACL has this: '/dev/tty?? rw'. Does it mean /dev/tty<ANY_2_LETTERS/DIGITS_HERE>?

Mikhail.


But it won't let me set /etc rw, and that doesn't sound safe at all, especially for this box. It's a server and a lot of people use it. Now I can't even run passwd as root after doing gradm -a. It's denied. I'm really lost at this point.
Murphy
 
Posts: 12
Joined: Thu Apr 17, 2003 2:48 pm

Post by miha » Thu Apr 24, 2003 8:44 pm

Code:
/usr/bin/passwd Xo {
        /var/run/utmp rw
        /etc/login.defs r
        /usr/share/zoneinfo r
        /usr/lib rx
        /usr/lib/cracklib_dict.pwi r
        /usr/lib/cracklib_dict.pwd r
        /usr/lib/cracklib_dict.hwm r
        /proc r
        /lib/security rx
        /lib rx
        /etc/shadow rw
        /etc/passwd rw
        /etc/pam.d r
        /etc/nsswitch.conf r
        /etc/nshadow rw
        /etc/npasswd rw
        /etc/ld.so.preload r
        /etc/ld.so.cache r
        /etc/.pwd.lock w
        /etc rw
        /dev/log rw
        /usr/bin/passwd x
        /etc/grsec h
        / h
        -CAP_ALL
        +CAP_CHOWN
        +CAP_FSETID
        +CAP_SYS_RESOURCE
        +CAP_SETGID
        +CAP_SETUID
        connect {
                disabled
        }
        bind {
                disabled
        }
}


This ACL will work on slackware-9.0.
miha
 
Posts: 28
Joined: Sat Nov 30, 2002 9:09 am

Post by Murphy » Fri Apr 25, 2003 3:18 pm

Thanks a lot. The problem is solved now. :)
Murphy
 
Posts: 12
Joined: Thu Apr 17, 2003 2:48 pm

Post by spender » Fri Apr 25, 2003 8:56 pm

BTW, if you're worried about the /etc rw rule, add a /etc/* h rule after the /etc rw rule. This way they will only be able to create new files in /etc, but not modify anything that is already there (minus the other ones you have specified: /etc/shadow, etc.).

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Post by Murphy » Sat Apr 26, 2003 1:11 am

Thanks, I did that too. I now have a new problem regarding ftpd. I tried to make my own ACL but it didn't seem to work:

Code:
/usr/sbin/proftpd {
        /var/run/utmp rw
        /var/run/wtmp rw
        /var/log/proftpd.log rw
        /var/run/proftpd rw
        /var/log r
        /proc r
        /etc/login.defs r
        /usr/share/zoneinfo r
        /lib rx
        /usr/lib rx
        /usr/lib/cracklib_dict.pwi r
        /usr/lib/cracklib_dict.pwd r
        /usr/lib/cracklib_dict.hwm r
        /etc rx
        /dev/log rw
        /usr/sbin/proftpd x
        /etc/grsec h
        /
        /etc/proftpd.conf r
        -CAP_ALL
        +CAP_CHOWN
        +CAP_FSETID
        +CAP_SYS_RESOURCE
        +CAP_SETGID
        +CAP_SETUID
        }


Does anyone know what I'm doing wrong here? miha, I was wondering if you had an ACL for proftpd to run under Slackware 9? At first I was receiving more error messages, now the only ones I receive are:

grsec: From 64.202.110.30: attempted socket(2,1,0) by (tcpd:17504) UID(0) EUID(0), parent (inetd:6175) UID(0) EUID(0)

grsec: From 64.202.110.30: attempted socket(2,1,6) by (proftpd:17504) UID(0) EUID(99), parent (inetd:6175) UID(0) EUID(0)

Any help on this issue would be greatly appreciated. Thanks.
Murphy
 
Posts: 12
Joined: Thu Apr 17, 2003 2:48 pm
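
Added example (not part of any post in this thread, and not grsecurity code): a small Python parser for the grsec log lines quoted above, which decodes the socket(domain,type,protocol) numbers using Linux constant values and flags UID/EUID changes. The field names and the regular expression are assumptions inferred only from the three lines shown in the thread.

```python
import re

# Constructed sample input: the three grsec log lines quoted in this thread.
SAMPLE = [
    "grsec: From 64.202.110.30: denied link of /etc/shadow.2910 to /etc/shadow.lock "
    "by (passwd:2910) UID(0) EUID(0), parent (bash:21417) UID(502) EUID(502)",
    "grsec: From 64.202.110.30: attempted socket(2,1,0) "
    "by (tcpd:17504) UID(0) EUID(0), parent (inetd:6175) UID(0) EUID(0)",
    "grsec: From 64.202.110.30: attempted socket(2,1,6) "
    "by (proftpd:17504) UID(0) EUID(99), parent (inetd:6175) UID(0) EUID(0)",
]

# Assumed line layout, inferred only from the lines above.
WHO = r"\((?P<{0}proc>[^:()]+):(?P<{0}pid>\d+)\) UID\((?P<{0}uid>\d+)\) EUID\((?P<{0}euid>\d+)\)"
LINE = re.compile(r"grsec: From (?P<src>\S+): (?P<event>.+?) by "
                  + WHO.format("") + ", parent " + WHO.format("p"))
SOCK = re.compile(r"socket\((\d+),(\d+),(\d+)\)")

# Linux numeric values for the socket(2) arguments.
AF = {1: "AF_UNIX", 2: "AF_INET", 10: "AF_INET6"}
TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO = {0: "default", 1: "IPPROTO_ICMP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}

def parse(line):
    """Return a dict for one grsec log line, or None if it does not match."""
    m = LINE.search(line)  # search() tolerates a syslog prefix before "grsec:"
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("pid", "uid", "euid", "ppid", "puid", "peuid"):
        rec[key] = int(rec[key])
    s = SOCK.search(rec["event"])
    if s:
        d, t, p = map(int, s.groups())
        rec["socket"] = (AF.get(d, d), TYPE.get(t, t), PROTO.get(p, p))
    # Real and effective UID differ, e.g. proftpd with UID 0 and EUID 99.
    rec["euid_differs"] = rec["uid"] != rec["euid"]
    # UID differs from the parent's, e.g. passwd (UID 0) started from bash (UID 502).
    rec["uid_changed_from_parent"] = rec["uid"] != rec["puid"]
    return rec

if __name__ == "__main__":
    for entry in SAMPLE:
        print(parse(entry))
```

Both socket lines decode to AF_INET/SOCK_STREAM, so the denied calls are ordinary TCP sockets from tcpd and proftpd.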

Post by spender » Sat Apr 26, 2003 12:20 pm

That shouldn't happen. The only time you should get socket denied errors is if you have some IP ACLs set up for that subject. Are you also using the other socket restrictions in grsecurity, the per-GID ones?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Post by Murphy » Sat Apr 26, 2003 4:12 pm

I never set up any IP ACLs, I simply used the "high security" setting in the kernel configuration. The only ACLs I've added are for /usr/bin/passwd and the one above for /usr/sbin/proftpd, which didn't work, obviously.
Murphy
 
Posts: 12
Joined: Thu Apr 17, 2003 2:48 pm
