Grsec does something odd to sockets?

Post by devastor » Sat Dec 14, 2002 2:32 pm

Hi again,

I've encountered a new problem with 1.9.8rc1+2.4.20 :)
(I don't think I had this problem with an earlier version)

I run sshd through xinetd and when people log in sshd shows their host
as UNKNOWN most of the time (for some reason not always).
Access to /var/run/utmp and /var/log/wtmp is granted for everybody.

I haven't enabled any of grsec's network protections in the kernel.
It doesn't matter if ACL is enabled or not.. Grsec doesn't give any errors
(not even with debugging enabled), but with a kernel with exactly the
same configuration, just without grsec, things work just fine..

Also if I start sshd in a standalone mode when grsec is enabled it shows user's
hostname without any problems..
I checked out opensshd's code and it seems that it gives UNKNOWN host if it thinks
that the connection is not on a socket.. and that's figured out by checking if
input file descriptor is the same as output file descriptor.. When run through xinetd when
grsec is enabled input fd is different than output fd, for some reason..

Any ideas what might cause that? I've tried just about everything but still haven't
figured out what could be the problem.. Hopefully this can be solved without having
a need to reboot the system :)

I've the same problem with 3 computers, maybe somebody else could try to
reproduce this problem, too?

Thanks,

Tuomas Silen
devastor
 
Posts: 41
Joined: Fri Oct 11, 2002 5:07 pm

xinetd+sshd+grsec

Post by FrackMacker » Thu Dec 18, 2003 3:43 pm

w0w, yes I know this is a long time for such a reply.. but I have had similar problems and wanted others to know about possible solutions, because you did not get any responses when you posted this.. try disabling CONFIG_GRKERNSEC_PAX_RANDKSTACK

--Josha
FrackMacker
 
Posts: 1
Joined: Thu Dec 18, 2003 12:30 pm

Post by devastor » Fri Dec 19, 2003 6:02 pm

Heh, indeed that was more than a year ago ;)
Can't remember anymore how far I debugged it..
but since then I've just run xinetd in standalone mode and there it works fine.
I prefer that to disabling randomization of kernel stack :)