Strange: no mmap binary as a user, but allowed as a root.

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Strange: no mmap binary as a user, but allowed as a root.

Postby olli » Thu Apr 11, 2002 2:37 pm

Hello.

Seems you 've broken or empty www page describing mailing lists at the grsecurity.net.
At least that seems from the Netscape Communicator 4.78 browser..
I'm experincing problems w/ gpg - it segmentation faults & in log I see that grsecurity
doesn't allow it to run, since it tryes to mmap an executable.I've downloaded chpax & removed all
possible restrictions from the gpg binary. This doesn't help. But running gpg as root does help. When I'm
executing as root I'm finishing OK. Could you comment this? I oftenly use gpg as ordinary user to encrypt my personal data. Since this it appear to be quite ugly situation - I need to reboot to
unprotected kernel each time I need to use gpg or run my MUA that also capable to use gpg as root. :(
Can I do somthing w/ this? I'm running customly configured kernel 2.4.18 with custom security level &
also with international crypto patch (test version for 2.2.18). I've enabled almost everything but network protection within grsecurity options. Could you comment this? :-?
olli
 
Posts: 3
Joined: Thu Apr 11, 2002 2:29 pm

Re: Strange: no mmap binary as a user, but allowed as a root

Postby PaX Team » Fri Apr 12, 2002 4:14 am

olli wrote:I'm experincing problems w/ gpg - it segmentation faults & in log I see that grsecurity
doesn't allow it to run, since it tryes to mmap an executable.I've downloaded chpax & removed all
possible restrictions from the gpg binary. This doesn't help. But running gpg as root does help.


can you post here the exact logs produced by grsecurity/PaX? also if you could strace gpg (only mmap()/mprotect() should suffice) in both situations i'd appreciate it (if too big, just email us).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

hrmm

Postby spender » Fri Apr 12, 2002 4:33 pm

also check to make sure that you weren't running that program as an untrusted group. TPE won't allow you to run programs that mmap other executables....perhaps for 1.9.5 i'll have it do checks on the file they're trying to mmap, and allow it if it would be allowed normally.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Strange: no mmap binary as a user, but allowed as a root

Postby olli » Sat Apr 13, 2002 12:03 pm

[quote="PaX Team"][quote="olli"]
I'm experincing problems w/ gpg - it segmentation faults & in log I see that grsecurity
doesn't allow it to run, since it tryes to mmap an executable.I've downloaded chpax & removed all
possible restrictions from the gpg binary. This doesn't help. But running gpg as root does help.
[/quote]

can you post here the exact logs produced by grsecurity/PaX? also if you could strace gpg (only mmap()/mprotect() should suffice) in both situations i'd appreciate it (if too big, just email us).[/quote]

Apr 13 19:38:25 sky kernel: grsec: exec of [03:0c:157666] (gpg ) by (bash:1238) UID(500) EUID(500), parent (bash:28644) UID(500) EUID(500)
Apr 13 19:38:25 sky kernel: denied exec of gpg by (gpg:1238) UID(500) EUID(500), parent (bash:28644) UID(500) EUID(500) reason: tried to mmap binary
Apr 13 19:38:25 sky kernel: signal 11 sent to (gpg:1238) UID(500) EUID(500), parent (bash:28644) UID(500) EUID(500)

debuggers are not installed by default at my SOHO Linux system. If problem won't solve soon I'll install & post strace output. BTW - It'd be easier for me if you'll show w/
which options I should trace to get only mmap/mprotect related strings..
olli
 
Posts: 3
Joined: Thu Apr 11, 2002 2:29 pm

Re: hrmm

Postby olli » Sat Apr 13, 2002 12:14 pm

[quote="spender"]also check to make sure that you weren't running that program as an untrusted group. TPE won't allow you to run programs that mmap other executables....perhaps for 1.9.5 i'll have it do checks on the file they're trying to mmap, and allow it if it would be allowed normally.
[/quote]
#grep olli /etc/passwd
olli:x:500:10:olli:/home/olli:/bin/bash
/etc 0 jobs root@sky
#grep olli /etc/group
wheel:x:10:root,olli
olli:x:501:

In group specification in kernel I've gid=10 as a special group able to view all processes & so on, also I've this group in a ptrace-ability list. The untrusted/restricted group is 510 (same for both choises) & only other users are members of this group, not me:
strict:x:510:rserg,peter,arina,hugevlad,scabs,binarium,virven
No any other option where I could specify GID is enabled in the kernel.

Any comments?
olli
 
Posts: 3
Joined: Thu Apr 11, 2002 2:29 pm

hrmm

Postby spender » Sat Apr 13, 2002 7:47 pm

disable the "partially restrict all other non-root users" tpe option

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm


Return to grsecurity support

cron