
acl and startx

Posted: Sat Nov 02, 2002 9:22 pm
by pasholy
Hi, my startx doesn't work with ACLs. This is my ACL:

/ {
/ r
/opt rx
/home rwx
/mnt rw
/dev rw
/dev/mem h
/dev/kmem h
/bin rx
/sbin rx
/lib rx
/usr rx
/etc rx
/proc rwx
/proc/sys r
/root r
/tmp rw
/var rwx
/var/tmp rw
/var/log ra
/boot r
/etc/grsec h
/var/log/wtmp rw
/var/log/faillog rw
/var/log/lastlog rw
/sbin/reboot h
/sbin/shutdown h

-CAP_LINUX_IMMUTABLE
-CAP_MKNOD
-CAP_SYS_RAWIO
-CAP_SYS_MODULE
}

/usr/X11R6/bin/startx {
/ rwxoi
}

When I run startx I get:

grsec: attempt to open /var/log/XFree86.0.log for writing by (X:401) UID(1000) EUID(0), parent (xinit:400) UID(1000) EUID(1000)

Fatal server error:
Cannot open log file "/var/log/XFree86.0.log"


When reporting a problem related to a server crash, please send
the full server output, not just the last messages.
Please report problems to xfree86@xfree86.org.

giving up.
xinit: No such file or directory (errno 2): unable to connect to X server
xinit: No such process (errno 3): Server error.

I tried changing startx to:

/usr/X11R6/bin/startx {
/usr/X11R6/bin/xinit rxi
/var/log/XFree86.0.log rwxoi
}

still the same thing.

How do I change the ACL so that everything that startx runs has access to everything on /? I think that xinit runs a bunch of other programs, and those programs might run other programs. I want to make everything after startx have access to everything on the root directory.

Posted: Sun Nov 03, 2002 12:47 am
by spender
You're putting the inherit mode on a log, not something that can be executed. I would recommend not putting an ACL on startx as it's only a script. You should put the ACL on the /usr/X11R6/bin/XFree86 binary.

-Brad

startx and xinit

Posted: Sun Nov 03, 2002 9:22 pm
by pasholy
I tried putting in two rules instead of the startx one:

/usr/X11R6/bin/XFree86 {
/ rwxoi
}

and that gives me the same error as above.

/usr/X11R6/bin/XFree86 {
/var/log/XFree86.0.log rwxoi
}

and that gives me a new error:

(==) Log file: "/var/log/XFree86.0.log", Time: Mon Nov 4 18:13:19 2002
(==) Using config file: "/etc/X11/XF86Config"
grsec: attempt to access hidden file [16:01:610] by (X:22959) UID(1000) EUID(0), parent (xinit:22958) UID(1000) EUID(1000)

Fatal server error:
xf86EnableIOPorts: Failed to set IOPL for I/O


When reporting a problem related to a server crash, please send
the full server output, not just the last messages.
This can be found in the log file "/var/log/XFree86.0.log".
Please report problems to xfree86@xfree86.org.

XIO: fatal IO error 104 (Connection reset by peer) on X server ":1.0"
after 0 requests (0 known processed) with 0 events remaining.


Isn't there a way for everything run by XFree86 to inherit everything in the root directory, so that I don't have to specify rules for all of the subprocesses?

Thanks.

Posted: Sun Nov 03, 2002 9:24 pm
by spender
You don't have o in the subject mode, so it's inheriting ACLs. A gradm -T would have confirmed this. Try this for your ACL:

/usr/X11R6/bin/XFree86 {
/var/log/XFree86.0.log rw
/var/log/XFree86.1.log rw
/dev/mem rwo

+CAP_CHOWN
+CAP_SETUID
+CAP_SETGID
+CAP_DAC_OVERRIDE
+CAP_SYS_RAWIO
+CAP_SYS_MODULE
+CAP_SYS_NICE
}

Posted: Sun Nov 03, 2002 10:04 pm
by pasholy
/usr/X11R6/bin/XFree86 {
/var/log/XFree86.0.log rw
/var/log/XFree86.1.log rw
/dev/mem rwo

+CAP_SYS_RAWIO
}

Did the trick. I'm still a little confused as to how +CAP_SYS_RAWIO did that.

Thanks a lot for the help Spender.

Posted: Sun Nov 03, 2002 11:22 pm
by spender
You need CAP_SYS_RAWIO to modify block devices or other special devices like /dev/kmem and /dev/mem.

-Brad
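Added example (not gradm or grsecurity code, and not posted by anyone in this thread): a toy evaluator for the policy pasted above, to show why the two "/ rwxoi" and "/var/log/XFree86.0.log rwxoi" attempts failed and why spender's XFree86 subject works. It models a simplified reading of the RBAC rules, and those modelling choices are assumptions: a subject without 'o' in its subject mode inherits the default "/" subject's object rules and capability drops; the longest matching path rule wins, and on an exact path tie the inherited rule wins unless the subject's own rule carries object mode 'o' (which is how "/dev/mem rwo" beats the default "/dev/mem h"); capabilities start fully allowed and are adjusted by -CAP/+CAP lines. The default subject below is abbreviated to the lines that matter here, and the inherit-on-execute effect of object mode 'i' is not modelled.

```python
"""Toy evaluator for the grsecurity RBAC policy discussed in the thread.
Added example with a simplified, assumed model of rule resolution; it is
not gradm code and does not replace `gradm -T`."""

# Default subject from the thread, abbreviated to the relevant rules.
DEFAULT_SUBJECT = """
/ {
/ r
/dev rw
/dev/mem h
/dev/kmem h
/var rwx
/var/log ra
/var/log/wtmp rw
-CAP_LINUX_IMMUTABLE
-CAP_MKNOD
-CAP_SYS_RAWIO
-CAP_SYS_MODULE
}
"""

# The three XFree86 subjects tried in the thread, verbatim.
ATTEMPT_1 = "/usr/X11R6/bin/XFree86 {\n/ rwxoi\n}\n"
ATTEMPT_2 = "/usr/X11R6/bin/XFree86 {\n/var/log/XFree86.0.log rwxoi\n}\n"
WORKING = """
/usr/X11R6/bin/XFree86 {
/var/log/XFree86.0.log rw
/var/log/XFree86.1.log rw
/dev/mem rwo
+CAP_SYS_RAWIO
}
"""

# Small capability universe, enough for this policy (assumption: all start allowed).
ALL_CAPS = frozenset({"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_SETUID", "CAP_SETGID",
                      "CAP_LINUX_IMMUTABLE", "CAP_MKNOD", "CAP_SYS_RAWIO",
                      "CAP_SYS_MODULE", "CAP_SYS_NICE"})

X = "/usr/X11R6/bin/XFree86"
LOG = "/var/log/XFree86.0.log"


def parse_policy(text):
    """Parse 'subject [modes] { path mode ... +/-CAP ... }' blocks into a dict."""
    policy, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):                      # start of a subject block
            parts = line[:-1].split()
            current = parts[0]
            policy[current] = {"mode": parts[1] if len(parts) > 1 else "",
                               "objects": {}, "caps": []}
        elif line == "}":
            current = None
        elif line[0] in "+-":                       # capability adjustment
            policy[current]["caps"].append(line)
        else:                                       # object rule: path mode
            path, mode = line.split()
            policy[current]["objects"][path] = mode
    return policy


def matches(rule_path, path):
    """A rule covers its own path and everything below it."""
    return path == rule_path or path.startswith(rule_path.rstrip("/") + "/")


def lookup(policy, subject, path):
    """Return the winning (rule_path, mode) for `path` under `subject`.
    Longest path wins; on a tie the inherited rule wins unless the
    subject's own rule has object mode 'o' (assumed semantics)."""
    subj = policy[subject]
    candidates = []                                 # (len, priority, path, mode)
    if subject != "/" and "o" not in subj["mode"]:
        for p, m in policy["/"]["objects"].items():
            if matches(p, path):
                candidates.append((len(p), 1, p, m))
    for p, m in subj["objects"].items():
        if matches(p, path):
            candidates.append((len(p), 2 if "o" in m else 0, p, m))
    return max(candidates)[2:] if candidates else None


def allowed(policy, subject, path, needed):
    """True if the winning rule is not hidden and grants every letter in `needed`."""
    hit = lookup(policy, subject, path)
    if hit is None or "h" in hit[1]:
        return False
    return all(c in hit[1] for c in needed)


def capabilities(policy, subject):
    """Effective capability set: default drops (if inherited) then the subject's own."""
    caps = set(ALL_CAPS)
    lines = [] if subject == "/" or "o" in policy[subject]["mode"] else list(policy["/"]["caps"])
    lines += policy[subject]["caps"]
    for entry in lines:
        (caps.discard if entry[0] == "-" else caps.add)(entry[1:])
    return caps


def evaluate(subject_text):
    """Run the three checks that failed in the thread for one XFree86 subject."""
    policy = parse_policy(DEFAULT_SUBJECT + subject_text)
    return {"log_write": allowed(policy, X, LOG, "w"),
            "dev_mem": allowed(policy, X, "/dev/mem", "rw"),
            "rawio": "CAP_SYS_RAWIO" in capabilities(policy, X)}


if __name__ == "__main__":
    for name, text in (("attempt 1", ATTEMPT_1), ("attempt 2", ATTEMPT_2), ("working", WORKING)):
        print(name, evaluate(text))
```

Under this model the first attempt loses the log write because the inherited "/var/log ra" is more specific than the subject's own "/ rwxoi"; the second attempt gets the log but still hits the hidden "/dev/mem" and the dropped CAP_SYS_RAWIO, which is the "hidden file" line followed by the IOPL failure in the log; the working subject fixes both with "/dev/mem rwo" and "+CAP_SYS_RAWIO". On a real system, `gradm -T` is the authoritative check, as spender says.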