grsecurity forums

Skip to content

grsecurity seems to ignore subject modes overriding PaX feat

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.
Topic locked

grsecurity seems to ignore subject modes overriding PaX feat

Postby osl74 » Mon Jul 28, 2003 9:56 am

Hello,

we play around here building ACLs for ColdFusion. I got log entries regarding "denied load of writable library /dev/zero ..." and so i used 'O'- subject mode for 'cfrdsservice', but the message still remains !
After that, i enabled more PaX- features in kernel, and from now Java- processes were killed by PaX- violations. Giving the subjects all PSMRGX- modes doesn't change the immediate killing at coldfusion- start. So i disabled that corresponding PaX- features for memory protection in kernel, and now there java- processes start easily.
So it seems to me, that grsecurity doesnt honor these subject modes. Is there anything wrong ?
I use: linux 2.4.21-grsec and gradm v1.9.10

Best regards, Sandro Littke.
osl74
 
Posts: 4
Joined: Mon Jul 28, 2003 9:43 am
Top

Re: grsecurity seems to ignore subject modes overriding PaX

Postby PaX Team » Mon Jul 28, 2003 10:13 am

osl74 wrote:After that, i enabled more PaX- features in kernel, and from now Java- processes were killed by PaX- violations. Giving the subjects all PSMRGX- modes doesn't change the immediate killing at coldfusion- start. So i disabled that corresponding PaX- features for memory protection in kernel, and now there java- processes start easily.
So it seems to me, that grsecurity doesnt honor these subject modes. Is there anything wrong ?
take a look at here:http://www.grsecurity.net/gracldoc.htm#PaX_flags_and_caveats and try to not use the GX flags. it seems that grsecurity activates RANDEXEC even if none of PAGEEXEC and SEGMEXEC is active (it's a bug/feature, and is at least inconsistent with how the ELF header flags are interpreted, i guess it will be fixed in the next release).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
Top

Postby osl74 » Mon Jul 28, 2003 10:42 am

Thanks for the advise, now java starts. I didnt use the GX- flags actually, just a mistype.
But the problem with "... denied load of writable library /dev/zero by (cfserver:30827) UID(30) EUID(30), parent (cfserver:19684) UID(30) EUID(30) ..." still remains ...

Best regards, Sandro Littke.
osl74
 
Posts: 4
Joined: Mon Jul 28, 2003 9:43 am
Top

Postby PaX Team » Mon Jul 28, 2003 11:02 am

osl74 wrote:But the problem with "... denied load of writable library /dev/zero by (cfserver:30827) UID(30) EUID(30), parent (cfserver:19684) UID(30) EUID(30) ..." still remains ...
you should add the O flag to the cfserver subject instead of/in addition to cfrdsservice.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
Top
Topic locked

Return to grsecurity support

Powered by phpBB® Forum Software © phpBB Group