In this example, all grsecurity sysctl options are enabled except:
/proc/sys/kernel/grsecurity/chroot_enforce_chdir
/proc/sys/kernel/grsecurity/chroot_deny_chroot
Logging into a machine with the jk_chrootsh shell:
Mar 12 12:44:41 localhost kernel: grsec: From 10.x.x.x: chdir to /usr/jail/home/corman by /usr/sbin/sshd[sshd:5590] uid/euid:500/500 gid/egid:500/500, parent /usr/sbin/sshd[sshd:5589] uid/euid:500/500 gid/egid:500/500
Mar 12 12:44:41 localhost kernel: grsec: From 10.x.x.x: exec of /usr/sbin/jk_chrootsh (-jk_chrootsh ) by /usr/sbin/sshd[sshd:5590] uid/euid:500/500 gid/egid:500/500, parent /usr/sbin/sshd[sshd:5589] uid/euid:500/500 gid/egid:500/500
Mar 12 12:44:41 localhost kernel: grsec: From 10.x.x.x: chdir to /usr/jail by /usr/sbin/jk_chrootsh[jk_chrootsh:5590] uid/euid:500/0 gid/egid:500/500, parent /usr/sbin/sshd[sshd:5589] uid/euid:500/500 gid/egid:500/500
Mar 12 12:44:41 localhost kernel: grsec: From 10.x.x.x: chdir to /usr/jail/home/corman by /usr/sbin/jk_chrootsh[jk_chrootsh:5590] uid/euid:500/500 gid/egid:500/500, parent /usr/sbin/sshd[sshd:5589] uid/euid:500/500 gid/egid:500/500
Mar 12 12:44:41 localhost kernel: grsec: From 10.x.x.x: exec of /usr/jail/bin/bash within chroot by process /usr/sbin/jk_chrootsh[jk_chrootsh:5590] uid/euid:500/500 gid/egid:500/500, parent /usr/sbin/sshd[sshd:5589] uid/euid:500/500 gid/egid:500/500
Mar 12 12:44:41 localhost kernel: grsec: From 10.x.x.x: exec of /usr/jail/bin/bash (/bin/bash ) by /usr/sbin/jk_chrootsh[jk_chrootsh:5590] uid/euid:500/500 gid/egid:500/500, parent /usr/sbin/sshd[sshd:5589] uid/euid:500/500 gid/egid:500/500
It logs the exec of the jk_chrootsh shell, the chdirs, the exec of bash, and the exec of bash within the chroot, but it doesn't actually log the fact that jk_chrootsh made a call to chroot().
Additionally, if the user executes a binary inside the jail that is a suid binary that makes a call to chroot() (i.e. to break out of the chroot), it logs the chdirs enforced by grsecurity, but not the actual calls to chroot().
Example C code:
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* Classic chroot() breakout: as a suid-root binary, chroot() to a
 * subdirectory without chdir()ing into it, walk ".." out past the
 * jail's root, then chroot(".") onto the real root and exec something
 * from the host filesystem. Return values are deliberately unchecked;
 * the point of the test is what grsecurity does and does not log. */
int main(int argc, char *const argv[])
{
    int i;

    (void)argc;
    setuid(0);                 /* become root via the suid bit */
    setgid(0);
    chroot("/tmp");            /* new root below cwd; cwd is left outside it */
    for (i = 0; i < 100; i++)
        chdir("..");           /* climb past the jail root on the real filesystem */
    chroot(".");               /* re-root at wherever the climb ended up (/) */
    execv("/bin/ls", argv);    /* a binary from outside the jail */
    printf("%s: %s\n", argv[0], strerror(errno));
    exit(errno);
}
It's compiled, put as /bin/tester inside the chroot, and chmod'd to 4755. Here are the logs from exec from within the chroot:
Mar 12 12:45:25 localhost kernel: grsec: From 10.x.x.x: exec of /usr/jail/bin/tester within chroot by process /usr/jail/bin/bash[bash:5596] uid/euid:500/500 gid/egid:500/500, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
Mar 12 12:45:25 localhost kernel: grsec: From 10.x.x.x: exec of /usr/jail/bin/tester (tester ) by /usr/jail/bin/bash[bash:5596] uid/euid:500/500 gid/egid:500/500, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
Mar 12 12:45:25 localhost kernel: grsec: From 10.x.x.x: chdir to /usr/jail/home by /usr/jail/bin/tester[tester:5596] uid/euid:0/0 gid/egid:0/0, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
Mar 12 12:45:25 localhost kernel: grsec: From 10.x.x.x: chdir to /usr/jail by /usr/jail/bin/tester[tester:5596] uid/euid:0/0 gid/egid:0/0, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
Mar 12 12:45:25 localhost kernel: grsec: From 10.x.x.x: chdir to /usr by /usr/jail/bin/tester[tester:5596] uid/euid:0/0 gid/egid:0/0, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
Mar 12 12:45:25 localhost kernel: grsec: From 10.x.x.x: chdir to / by /usr/jail/bin/tester[tester:5596] uid/euid:0/0 gid/egid:0/0, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
Mar 12 12:45:25 localhost last message repeated 96 times
Mar 12 12:45:25 localhost kernel: grsec: From 10.x.x.x: exec of /bin/ls (tester ) by /usr/jail/bin/tester[tester:5596] uid/euid:0/0 gid/egid:0/0, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
That's all good, but again, doesn't actually log the two calls to chroot().
If either chroot_enforce_chdir or chroot_deny_chroot is turned on, this binary doesn't work at all, which is the expected behavior. But the fact that chroot() was called, and did or didn't work, isn't being logged.
I realize that properly enforcing TPE on users will prevent them from running their own code, but I'd still like to see the option for logging of the chroot() call, and whether or not it was successful.
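Added example, not part of the original post or of grsecurity: a Python script that reads grsec log lines shaped like the ones above and flags the breakout from the chdir/exec records alone, which is all an administrator has to work with while the chroot() calls themselves go unlogged. It relies on grsec reporting kernel-resolved paths (the real path, not the jailed process's view of it), so a process that exec'd "within chroot" and then chdirs or execs a path outside the jail root has necessarily left the jail. The jail root /usr/jail, the source address 10.0.0.5 and the sample lines are constructed from the post's output, not a real capture.

```python
import re
from dataclasses import dataclass

# Constructed sample, shaped after the grsec lines in the post (not a real capture).
SAMPLE_LOG = """\
Mar 12 12:44:41 localhost kernel: grsec: From 10.0.0.5: chdir to /usr/jail by /usr/sbin/jk_chrootsh[jk_chrootsh:5590] uid/euid:500/0 gid/egid:500/500, parent /usr/sbin/sshd[sshd:5589] uid/euid:500/500 gid/egid:500/500
Mar 12 12:44:41 localhost kernel: grsec: From 10.0.0.5: exec of /usr/jail/bin/bash within chroot by process /usr/sbin/jk_chrootsh[jk_chrootsh:5590] uid/euid:500/500 gid/egid:500/500, parent /usr/sbin/sshd[sshd:5589] uid/euid:500/500 gid/egid:500/500
Mar 12 12:44:41 localhost kernel: grsec: From 10.0.0.5: exec of /usr/jail/bin/bash (/bin/bash ) by /usr/sbin/jk_chrootsh[jk_chrootsh:5590] uid/euid:500/500 gid/egid:500/500, parent /usr/sbin/sshd[sshd:5589] uid/euid:500/500 gid/egid:500/500
Mar 12 12:45:25 localhost kernel: grsec: From 10.0.0.5: exec of /usr/jail/bin/tester within chroot by process /usr/jail/bin/bash[bash:5596] uid/euid:500/500 gid/egid:500/500, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
Mar 12 12:45:25 localhost kernel: grsec: From 10.0.0.5: exec of /usr/jail/bin/tester (tester ) by /usr/jail/bin/bash[bash:5596] uid/euid:500/500 gid/egid:500/500, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
Mar 12 12:45:25 localhost kernel: grsec: From 10.0.0.5: chdir to /usr/jail/home by /usr/jail/bin/tester[tester:5596] uid/euid:0/0 gid/egid:0/0, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
Mar 12 12:45:25 localhost kernel: grsec: From 10.0.0.5: chdir to /usr/jail by /usr/jail/bin/tester[tester:5596] uid/euid:0/0 gid/egid:0/0, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
Mar 12 12:45:25 localhost kernel: grsec: From 10.0.0.5: chdir to /usr by /usr/jail/bin/tester[tester:5596] uid/euid:0/0 gid/egid:0/0, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
Mar 12 12:45:25 localhost kernel: grsec: From 10.0.0.5: chdir to / by /usr/jail/bin/tester[tester:5596] uid/euid:0/0 gid/egid:0/0, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
Mar 12 12:45:25 localhost last message repeated 96 times
Mar 12 12:45:25 localhost kernel: grsec: From 10.0.0.5: exec of /bin/ls (tester ) by /usr/jail/bin/tester[tester:5596] uid/euid:0/0 gid/egid:0/0, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
"""

# Matches both message shapes seen in the post:
#   "chdir to PATH by EXE[comm:pid] uid/euid:U/E ..."
#   "exec of PATH (argv0 ) by EXE[comm:pid] ..." / "exec of PATH within chroot by process EXE[comm:pid] ..."
GRSEC_RE = re.compile(
    r"grsec: From (?P<src>\S+): (?P<op>chdir to|exec of) (?P<path>\S+)"
    r"(?: \((?P<argv0>[^)]*)\))?(?P<in_chroot> within chroot)? by (?:process )?"
    r"(?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] uid/euid:(?P<uid>\d+)/(?P<euid>\d+)"
)
# syslog collapses identical consecutive lines; expand them so counts stay honest.
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")


@dataclass
class Event:
    op: str          # "chdir" or "exec"
    path: str        # kernel-resolved path on the real filesystem, not the jail's view
    in_chroot: bool  # the "exec ... within chroot" message variant
    pid: int
    uid: int
    euid: int


def parse_grsec(text):
    """Turn grsec chdir/exec log lines into Event records, expanding syslog repeats."""
    events = []
    for line in text.splitlines():
        m = GRSEC_RE.search(line)
        if m:
            events.append(Event(
                op="chdir" if m["op"] == "chdir to" else "exec",
                path=m["path"], in_chroot=m["in_chroot"] is not None,
                pid=int(m["pid"]), uid=int(m["uid"]), euid=int(m["euid"]),
            ))
            continue
        r = REPEAT_RE.search(line)
        if r and events:
            events.extend([events[-1]] * int(r["n"]))
    return events


def inside_jail(path, jail_root):
    """True if a kernel-resolved path is the jail root or lies below it."""
    root = jail_root.rstrip("/")
    return path == root or path.startswith(root + "/")


def find_escapes(events, jail_root):
    """Map pid -> events where a process that exec'd inside the jail later
    chdir'd to or exec'd a path outside jail_root. PIDs persist across exec,
    so the pid of the 'within chroot' exec identifies the jailed process;
    pid reuse on a busy host is the known caveat of this approach."""
    jailed = set()
    findings = {}
    for ev in events:
        if ev.op == "exec" and ev.in_chroot:
            jailed.add(ev.pid)
        elif ev.pid in jailed and not inside_jail(ev.path, jail_root):
            findings.setdefault(ev.pid, []).append(ev)
    return findings


if __name__ == "__main__":
    for pid, evs in find_escapes(parse_grsec(SAMPLE_LOG), "/usr/jail").items():
        first, last = evs[0], evs[-1]
        print(f"pid {pid}: left /usr/jail at {first.op} {first.path} "
              f"(euid {first.euid}), {len(evs)} out-of-jail events, "
              f"last: {last.op} {last.path}")
```

Run against the sample, it reports pid 5596 only: the jk_chrootsh login (pid 5590) chdirs to /usr/jail before its "within chroot" exec and never leaves afterwards, while tester's chdir to /usr is the first record that can only have come from a process that is no longer rooted at /usr/jail. This is exactly the inference the post is asking not to have to make; a logged chroot() call with its result would make the detection a one-line match instead.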