Hi.
I have grsecurity running on a slackware 8 machine, and I'm trying to get my ACLs setup. I can enable ACLs just fine, however after that I'm unable to run gradm. According to strace, it's segfaulting on the execve() of /sbin/gradm. I get the following message in syslog:
attempt to mmap 66355 2049 executableby (gradm:8254) UID(0) EUID(0), parent (bash:214) UID(0) EUID(0)
attempt to mmap 66422 2049 executableby (gradm:8254) UID(0) EUID(0), parent (bash:214) UID(0) EUID(0)
However, I can run a copy of gradm I copy to /var.
root@darkstar:/etc/grsec# cp /sbin/gradm /var
root@darkstar:/etc/grsec# /var/gradm -D
Password: shutdown auth success for (gradm:8259) UID(0) EUID(0), parent (bash:214) UID(0) EUID(0)
I have tried it with pax on and off, and with the following in proc.acl:
/sbin/gradm {
/ rwx
/etc/ld.so.cache r
/etc/ld.so.preload r
/lib/libc.so.6 r
/proc/sys/kernel/grsecurity/acl w
}
My file.acl:
/ rwx
/etc r
/etc/rc.d rx
/etc/passwd r
/etc/shadow r
/etc/ld.so.cache rx
/etc/lilo.conf h
/var/log/wtmp rw
/var/log ar
/tmp rw
/etc/grsec hr
/boot r
/lib rx
/usr r
/usr/bin rx
/usr/sbin rx
/usr/lib rx
/usr/local/bin rx
/bin rx
/sbin rx
/dev r
/dev/null rw
/dev/tty rw
/dev/zero rw
Anyone have any ideas?
grsecurity+acls=weird gradm behavior
6 posts
• Page 1 of 1
grsecurity+acls=weird gradm behavior
by zwhite » Wed Apr 24, 2002 11:53 pm
- zwhite
- Posts: 3
- Joined: Wed Apr 24, 2002 11:34 pm
by Technion » Thu Apr 25, 2002 12:26 am
If I'm reading your ACL set right.. your file ACL set hides /etc/grsec.
Wouldn't the process ACL for gradm need to override that?
Just because you have / rwx in the process ACL won't mean it gets around the file ACL.
Try
/etc/grsec wro
To override write-read in the process ACL for gradm.
(Just guessing.. no ACLs here)
Wouldn't the process ACL for gradm need to override that?
Just because you have / rwx in the process ACL won't mean it gets around the file ACL.
Try
/etc/grsec wro
To override write-read in the process ACL for gradm.
(Just guessing.. no ACLs here)
- Technion
- Posts: 15
- Joined: Thu Apr 25, 2002 12:23 am
by zwhite » Thu Apr 25, 2002 1:23 am
Technion wrote:If I'm reading your ACL set right.. your file ACL set hides /etc/grsec.
Wouldn't the process ACL for gradm need to override that?
Just because you have / rwx in the process ACL won't mean it gets around the file ACL.
I don't think so. As near as I can tell, gradm talks to /proc/sys/kernel/grsecurity/acl, and never needs to touch /etc/grsec. Just as a test, I added '/ orwx' to gradm's entry, and got the same behavior. It doesn't seem to be related to file acl's.
- zwhite
- Posts: 3
- Joined: Wed Apr 24, 2002 11:34 pm
Re: grsecurity+acls=weird gradm behavior
by PaX Team » Thu Apr 25, 2002 5:35 am
zwhite wrote:I have grsecurity running on a slackware 8 machine, and I'm trying to get my ACLs setup. I can enable ACLs just fine, however after that I'm unable to run gradm. According to strace, it's segfaulting on the execve() of /sbin/gradm. I get the following message in syslog:
attempt to mmap 66355 2049 executableby (gradm:8254) UID(0) EUID(0), parent (bash:214) UID(0) EUID(0)
attempt to mmap 66422 2049 executableby (gradm:8254) UID(0) EUID(0), parent (bash:214) UID(0) EUID(0)
I have tried it with pax on and off, and with the following in proc.acl:
these messages came from the ACL system, not PaX
and mean that your program ACL was incorrect.zwhite wrote:/sbin/gradm {
/ rwx
/etc/ld.so.cache r
/etc/ld.so.preload r
/lib/libc.so.6 r
/proc/sys/kernel/grsecurity/acl w
}
read http://grsecurity.net/forums/viewtopic.php?t=44 for this problem. basically, your program ACL needs to allow execution access to the program file itself - it is not automatically assumed (at least in 1.9.4).
- PaX Team
- Posts: 2310
- Joined: Mon Mar 18, 2002 4:35 pm
Re: grsecurity+acls=weird gradm behavior
by zwhite » Thu Apr 25, 2002 12:27 pm
PaX Team wrote:these messages came from the ACL system, not PaX ;-) and mean that your program ACL was incorrect.zwhite wrote:/sbin/gradm {
/ rwx
/etc/ld.so.cache r
/etc/ld.so.preload r
/lib/libc.so.6 r
/proc/sys/kernel/grsecurity/acl w
}
read http://grsecurity.net/forums/viewtopic.php?t=44 for this problem. basically, your program ACL needs to allow execution access to the program file itself - it is not automatically assumed (at least in 1.9.4).
Yeah, you're right. For some reason 'gradm -R' isn't reloading my acls. I again removed /sbin/gradm from proc.acl, rebooted, and I'm now able to use gradm. Annoying, and since it's a semi-production machine I can't really go around rebooting it every 5 minutes. This weekend I'll try the latest CVS version, and see if I still have the same problem.
- zwhite
- Posts: 3
- Joined: Wed Apr 24, 2002 11:34 pm
Here is your problem
by michaeld » Fri Apr 26, 2002 3:16 am
For gradm you must give gradm 'rx' access it itself.
This is an odd caveat, and I believe it was addressed in
the current acl documentation. It will not be required for
1.9.5 (it will be added implicity by the new gradm).
So for example
/bin/foo {
/etc/foo.conf r
/lib/foo_lib rxi
/lib/lib.so.6 rxi
/lib/linux.so6 rxi
/bin/foo rx
/etc/ld.so.conf r
}
^--would be a working acl. Hope I helped
Michael
This is an odd caveat, and I believe it was addressed in
the current acl documentation. It will not be required for
1.9.5 (it will be added implicity by the new gradm).
So for example
/bin/foo {
/etc/foo.conf r
/lib/foo_lib rxi
/lib/lib.so.6 rxi
/lib/linux.so6 rxi
/bin/foo rx
/etc/ld.so.conf r
}
^--would be a working acl. Hope I helped
Michael
- michaeld
- Posts: 37
- Joined: Mon Feb 25, 2002 12:32 am
6 posts
• Page 1 of 1