grsecurity & mysql

Postby zex » Fri Mar 08, 2002 11:42 am

I was trying latest grsecurity + 2.4.18 kernel + security patch
and mysql won't start.
This is what I have in my logs from mysql.

020308 15:28:01 mysqld started
020308 15:28:04 Can't create interrupt-thread (error 11, errno: 4)
020308 15:28:04 mysqld ended
020308 15:28:04 mysqld ended
zex
 
Posts: 2
Joined: Thu Mar 07, 2002 3:03 pm

Postby wschlich » Fri Mar 08, 2002 12:14 pm

no problems here, mysqld 3.23.44 + kernel 2.4.18-grsec-1.9.4 + secfix + acl system enabled
wschlich
 
Posts: 17
Joined: Sun Mar 03, 2002 8:25 pm

More information needed

Postby michaeld » Fri Mar 08, 2002 2:14 pm

What messages show up in your system logs when this occurs?
Also, what is your ACL setup?

Michael
michaeld
 
Posts: 37
Joined: Mon Feb 25, 2002 12:32 am

mysql

Postby spender » Fri Mar 08, 2002 6:45 pm

mysql also works fine for me..
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby jjcool » Fri Mar 22, 2002 7:56 am

I have the same problem as ZEX (with the latest grsecurity and 2.4.18 kernel and security patch)

mysqld.log

020322 12:51:09 mysqld started
020322 12:51:10 Can't create interrupt-thread (error 11, errno: 4)
020322 12:51:10 mysqld ended

messages logfile

localhost kernel: grsec: Attempted loading of shellcode via mmap by (mysqld:10893) UID(100) EUID(100), parent (mysqld:12015) UID(100) EUID(100)
localhost kernel: grsec: more attempted mmaps, logging disabled for 30 seconds

I hope someone can solve this problem.
jjcool
 
Posts: 4
Joined: Fri Mar 22, 2002 7:44 am
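
Added example (not part of the original thread and not grsecurity code): a small Python triage script for the grsec denial messages quoted in the post above. It counts denials per program and UID and totals the "logging disabled" windows, during which further denials go unrecorded; the syslog timestamps and the last two sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample. The first two messages follow the format quoted in the
# post above; the timestamps and the last two lines are made up for the example.
SAMPLE = """\
Mar 22 12:51:10 localhost kernel: grsec: Attempted loading of shellcode via mmap by (mysqld:10893) UID(100) EUID(100), parent (mysqld:12015) UID(100) EUID(100)
Mar 22 12:51:10 localhost kernel: grsec: more attempted mmaps, logging disabled for 30 seconds
Mar 22 12:53:02 localhost kernel: grsec: Attempted loading of shellcode via mmap by (mysqld:10951) UID(100) EUID(100), parent (mysqld:12015) UID(100) EUID(100)
Mar 22 12:53:40 localhost sshd[411]: Accepted password for admin from 192.0.2.10
"""

DENIED = re.compile(
    r"grsec: Attempted loading of shellcode via mmap by "
    r"\((?P<comm>[^()]+):(?P<pid>\d+)\) UID\((?P<uid>\d+)\) EUID\((?P<euid>\d+)\)"
)
SUPPRESSED = re.compile(r"grsec: more attempted mmaps, logging disabled for (\d+) seconds")


def triage(log_text):
    """Return (denials per (program, uid), pids per key, seconds of suppressed logging)."""
    hits, pids, muted = Counter(), {}, 0
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            key = (m["comm"], int(m["uid"]))
            hits[key] += 1
            pids.setdefault(key, set()).add(int(m["pid"]))
            continue
        s = SUPPRESSED.search(line)
        if s:
            # The kernel stopped logging for this long: denials in that window are unseen.
            muted += int(s.group(1))
    return hits, pids, muted


def report(log_text):
    """Build one summary line per affected program, plus a note about suppressed logging."""
    hits, pids, muted = triage(log_text)
    lines = []
    for (comm, uid), n in hits.most_common():
        lines.append(f"{comm} uid={uid}: {n} denied mmap(s), pids {sorted(pids[(comm, uid)])}")
    if muted:
        lines.append(f"logging was suppressed for {muted}s in total; counts are a lower bound")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```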

hmm

Postby spender » Fri Mar 22, 2002 8:31 am

Disable the mmap restrictions in the buffer overflow protection section. I'll have to rethink how I do that option so it doesn't break any applications.
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

as help..

Postby spender » Fri Mar 22, 2002 9:15 am

If you could strace mysql for me and just give me the last line where it does the mmap(), it would be useful for writing a new version of the mmap restrictions.
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

alternatively

Postby spender » Fri Mar 22, 2002 9:16 am

Just thought that alternatively, you could disable pax on just that binary. Perhaps adding another filesystem flag for this feature might be necessary.
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

ok

Postby spender » Fri Mar 22, 2002 6:22 pm

OK, we have a fix for your problem that will be in grsecurity 1.9.5. I'm going to start doing developer releases (really just consider them stable releases in shorter time periods, since I run them successfully on my own system) so when that's done, you can just download that. If you'd like to fix it now, do the following:

In /usr/src/linux/mm/mmap.c

find the line:

#ifdef CONFIG_GRKERNSEC_MMAPFIXED

The second and third lines after that should be removed. One is a security alert and the other is an error return. Replace those two lines with the following:

prot &= ~PROT_EXEC;
vm_flags &= ~VM_MAYEXEC;
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby jjcool » Mon Mar 25, 2002 9:10 am

Thank you very much for the great and fast support. After the change my problem is solved.
jjcool
 
Posts: 4
Joined: Fri Mar 22, 2002 7:44 am

