-bash: /sbin/gradm: No such file or directory


Post by sh4d0w » Wed Mar 03, 2004 9:35 am

Hi, for some reason every time I start gradm it locks me out completely.
Can anyone tell why this is happening? Here is my ACL; it's stripped down to almost nothing.

/ {
/ hrwx
/dev hrx
/opt hrx
/home hrwx
/mnt hrx
/dev/urandom hr
/dev/random hr
/dev/zero hrw
/dev/input hrw
/dev/psaux hrx
/dev/tty? hrw
/dev/console hrw
/dev/tty hrw
/dev/ttyp? hrw
/dev/pts hrw
/dev/ptmx hrw
/dev/dsp hrw
/dev/mixer hrw
/dev/fd0 hr
/dev/cdrom hr
/dev/mem h
/dev/kmem h
/dev/port h
/bin hrx
/sbin hrx
/lib hrx
/usr hrx
/etc hrx
/etc/ssh hrx
/proc hrx
/proc/kcore h
/proc/sys hr
/root hr
/tmp hrw
/var hrx
/var/tmp rw
/var/log hr
/boot h
/etc/grsec hrx
/usr/sbin hrx
/usr/local hrx
/usr/local/sbin hrx
/usr/local/bin hrx
/etc/passwd hrx
/var/run hrx
/var/lib hrx
/etc/shadow hrx
/dev/log hrx
/sbin/shutdown hr
/sbin/reboot hr
/usr/bin hr
/usr/bin/reboot hr
/usr/sbin/sshd hr
/usr/bin/ssh hr
/root/gradm hrx
/usr/bin/skill h
/usr/bin/pkill h

-CAP_SYS_TTY_CONFIG
-CAP_LINUX_IMMUTABLE
-CAP_NET_RAW
-CAP_MKNOD
-CAP_SYS_ADMIN
-CAP_SYS_RAWIO
-CAP_SYS_MODULE
-CAP_SYS_PTRACE
-CAP_NET_ADMIN
-CAP_NET_BIND_SERVICE
-CAP_SYS_CHROOT
Thank you

Post by spender » Wed Mar 03, 2004 11:00 am

You have "h" on every object, even if you want to allow reading and executing. Have you read the documentation?

-Brad

Yes I have

Post by sh4d0w » Thu Mar 04, 2004 1:11 am

Yes, I've read the docs diligently. It's a little confusing for me. I apologize, I did not know that h makes it unreadable/executable. I thought it only hid it in the process list. Thanks a lot

Post by sh4d0w » Thu Mar 04, 2004 3:51 am

How come then when I have...

/usr/bin/kill h
/bin/kill h
/bin/cat h
/bin/vi h
and when I run gradm -E I can still kill processes with kill
ie: kill -9 2334, although killall cat and vi do not work.

Post by PaX Team » Thu Mar 04, 2004 10:44 am

sh4d0w wrote:
> and when I run gradm -E I can still kill processes with kill
> ie: kill -9 2334 although killall cat and vi do not work.

i don't know about other shells but bash has builtin commands, such as kill (see the manpage). try to execute \kill with your ACLs and see it fail.

Post by spender » Fri Mar 05, 2004 12:04 pm

regardless, the correct solution to prevent certain processes from being killed is to add to the subject mode of that process the "p" flag. otherwise someone can bypass your /usr/bin/kill h rules and write their own app that does the same thing.

-Brad
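
An added example, not part of any post in this thread: a POSIX shell check of the point raised in the replies, that a name such as kill can be served by a shell builtin, which object rules on /bin/kill or /usr/bin/kill never see. The function names classify_cmd and builtins_in are hypothetical, and the command names are the ones from the rules quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Reports how the running shell resolves a
# command name, to show which names a path-based object rule would not cover.

# classify_cmd NAME
# Prints one of: builtin | function | alias | external:<path> | missing
classify_cmd() {
    # `type` is POSIX; it fails when the name cannot be resolved at all.
    desc=$(type "$1" 2>/dev/null) || { echo "missing"; return 0; }
    case $desc in
        "$1 is a"*"shell builtin"*) echo "builtin" ;;
        "$1 is a"*"function"*)      echo "function" ;;
        "$1 is a"*"alias"*)         echo "alias" ;;
        # Anything else is a file found on PATH; command -v prints its path.
        *) echo "external:$(command -v "$1")" ;;
    esac
}

# builtins_in NAME...
# Prints the subset of names the shell handles itself, space separated.
# A rule on the binary's path does not apply to these.
builtins_in() {
    found=""
    for name in "$@"; do
        if [ "$(classify_cmd "$name")" = "builtin" ]; then
            found="${found:+$found }$name"
        fi
    done
    echo "$found"
}

# Command names taken from the object rules quoted in the thread.
for name in kill killall cat vi; do
    printf '%-8s %s\n' "$name" "$(classify_cmd "$name")"
done
```

Any name reported as builtin is executed inside the shell process, so no object rule on a binary's path is consulted for it.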

