grsecurity forums


https://forums.grsecurity.net/

grsecurity & mysql

https://forums.grsecurity.net/viewtopic.php?f=3&t=17

Page 1 of 1

grsecurity & mysql

PostPosted: Fri Mar 08, 2002 11:42 am
by zex
I was trying latest grsecurity + 2.4.18 kernel + security patch
and mysql wont start.
This is what i have in my logs from mysql.

020308 15:28:01 mysqld started
020308 15:28:04 Can't create interrupt-thread (error 11, errno: 4)
020308 15:28:04 mysqld ended
020308 15:28:04 mysqld ended

PostPosted: Fri Mar 08, 2002 12:14 pm
by wschlich
no problems here, mysqld 3.23.44 + kernel 2.4.18-grsec-1.9.4 + secfix + acl system enabled

More information needed

PostPosted: Fri Mar 08, 2002 2:14 pm
by michaeld
What messages show up in your system logs when this occurs?
Also, what is your ACL setup?

Michael

mysql

PostPosted: Fri Mar 08, 2002 6:45 pm
by spender
mysql also works fine for me..

PostPosted: Fri Mar 22, 2002 7:56 am
by jjcool
i have the same problem as ZEX (with the latest grsecurity and 2.4.18 kernel and security patch)

mysqld.log

020322 12:51:09 mysqld started
020322 12:51:10 Can't create interrupt-thread (error 11, errno: 4)
020322 12:51:10 mysqld ended

messages logfile

localhost kernel: grsec: Attempted loading of shellcode via mmap by (mysqld:10893) UID(100) EUID(100), parent (mysqld:12015) UID(100) EUID(100)
localhost kernel: grsec: more attempted mmaps, logging disabled for 30 seconds

i hope someone can solve this problem.

hmm

PostPosted: Fri Mar 22, 2002 8:31 am
by spender
disable the mmap restrictions in the buffer overflow protection section. I'll have to rethink how I do that option so it doesn't break any applications.

as help..

PostPosted: Fri Mar 22, 2002 9:15 am
by spender
if you could strace mysql for me and just give me the last line where it does the mmap() it would be useful for writing a new version of the mmap restrictions.

alternatively

PostPosted: Fri Mar 22, 2002 9:16 am
by spender
just thought that alternatively, you could disable pax on just that binary. Perhaps adding another filesystem flag for this feature might be necessary.

ok

PostPosted: Fri Mar 22, 2002 6:22 pm
by spender
ok we have a fix for your problem that will be in grsecurity 1.9.5. I'm going to start doing developer releases (really just consider them stable releases in shorter time periods, since I run them successfully on my own system) so when that's done, you can just download that. If you'd like to fix it now, do the following:

in /usr/src/linux/mm/mmap.c

find the line:

#ifdef CONFIG_GRKERNSEC_MMAPFIXED

the second and 3rd lines after that should be removed. one is a security alert and the other is an error return. Replace those two lines with the following:

prot &= ~PROT_EXEC;
vm_flags &= ~VM_MAYEXEC;

PostPosted: Mon Mar 25, 2002 9:10 am
by jjcool
Thank you very much for the great and fast support after the change my problem is solved.
All times are UTC - 5 hours [ DST ]
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/