grsecurity forums


https://forums.grsecurity.net./

CONFIG_GRKERNSEC_CHROOT_FINDTASK problem

https://forums.grsecurity.net./viewtopic.php?f=1&t=672

Page 1 of 1

CONFIG_GRKERNSEC_CHROOT_FINDTASK problem

PostPosted: Mon Jan 19, 2004 7:59 pm
by NowakPL
CONFIG_GRKERNSEC_CHROOT_FINDTASK:
If you say Y here, processes inside a chroot will not be able to kill, send signals with fcntl, ptrace, capget, setpgid, getpgid, getsid, or view any process outside of the chroot.

There is a problem with defunct processes outside chroot:
root@mac:~# mount -t proc none /md0/chroot/proc
root@mac:~# chroot /md0/chroot
root@mac:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 20380 13.0 0.4 3872 2352 ? S 00:04 0:00 /bin/bash -i
root 9203 0.0 0.1 2936 924 ? R 00:04 0:00 ps aux
root@mac:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 20380 1.4 0.4 3872 2352 ? S 00:04 0:00 /bin/bash -i
root 28536 0.0 0.0 0 0 ? Z 00:04 0:00 [dovecot-auth] <defunct>
root 17642 0.0 0.1 2964 924 ? R 00:04 0:00 ps aux
root@mac:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 20380 0.8 0.4 3872 2352 ? S 00:04 0:00 /bin/bash -i
root 12043 0.0 0.1 2984 920 ? R 00:04 0:00 ps aux
root@mac:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 20380 0.6 0.4 3872 2352 ? S 00:04 0:00 /bin/bash -i
root 24600 0.0 0.0 0 0 ? Z 00:04 0:00 [watchdog] <defunct>
root 4386 0.0 0.1 2972 924 ? R 00:04 0:00 ps aux

Re: CONFIG_GRKERNSEC_CHROOT_FINDTASK problem

PostPosted: Mon Jan 26, 2004 4:37 am
by purel
NowakPL wrote:CONFIG_GRKERNSEC_CHROOT_FINDTASK:
If you say Y here, processes inside a chroot will not be able to kill, send signals with fcntl, ptrace, capget, setpgid, getpgid, getsid, or view any process outside of the chroot.

There is a problem with defunct processes outside chroot:
root@mac:~# mount -t proc none /md0/chroot/proc
root@mac:~# chroot /md0/chroot
root@mac:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 20380 13.0 0.4 3872 2352 ? S 00:04 0:00 /bin/bash -i
root 9203 0.0 0.1 2936 924 ? R 00:04 0:00 ps aux
root@mac:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 20380 1.4 0.4 3872 2352 ? S 00:04 0:00 /bin/bash -i
root 28536 0.0 0.0 0 0 ? Z 00:04 0:00 [dovecot-auth] <defunct>
root 17642 0.0 0.1 2964 924 ? R 00:04 0:00 ps aux
root@mac:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 20380 0.8 0.4 3872 2352 ? S 00:04 0:00 /bin/bash -i
root 12043 0.0 0.1 2984 920 ? R 00:04 0:00 ps aux
root@mac:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 20380 0.6 0.4 3872 2352 ? S 00:04 0:00 /bin/bash -i
root 24600 0.0 0.0 0 0 ? Z 00:04 0:00 [watchdog] <defunct>
root 4386 0.0 0.1 2972 924 ? R 00:04 0:00 ps aux


have you tried with chroot_caps disabled???

i've had a similar problem with chroot_caps. most of the standard
applications didn't work properly inside chroot and after disabling it worked just fine....
All times are UTC - 5 hours [ DST ]
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/