help needed with debian DSL start and stop scripts



Postby weeny » Wed Jan 14, 2004 7:50 pm

Hi everybody,

Does anyone have experience with the pon and poff scripts from Debian in a grsecurity environment? My DSL-connected server runs fine for a couple of days; after a disconnection my bash link-control scripts cannot bring up the DSL again...

It seems to be a permission problem with pppd, pon/poff and ifconfig:

grsec: From 192.168.100.99: denied access to hidden file /lib/ld-2.2.5.so by (sh:9463) UID(0) EUID(0), parent (pppd:9462) UID(0) EUID(0)

Although I have /lib rx in the default rule, I get the deny all the time.

I tried to run:
/usr/sbin/pppd lo {
/ h
/lib/ld-2.2.5.so rx
-CAP_ALL
+CAP_FSETID
+CAP_SETUID
+CAP_NET_ADMIN
+CAP_SETGID
}

(...I found some denies to CAP_FSETID, CAP_SETUID, CAP_SETGID and CAP_NET_ADMIN in dmesg, so I put them in the file and switched on learning mode)

Although I am running learning mode, it is not possible to bring up DSL again. If DSL is running and I switch on grsecurity afterwards, everything is fine until the line is disconnected :evil:

Any suggestions? :-?

regards

weeny

fixed it....

Postby weeny » Mon Jan 19, 2004 5:30 am

Hi, I found the mistake by myself...

The scripts pon and poff are calling three programs:

ifconfig, pppd and pppoe

Because I forgot to switch on pppoe learning mode, I could not bring up the ppp0 interface. After I added pppoe, the learning mode gave me the following three sections (maybe they need to be adjusted.... please feel free to comment on security :)

/usr/sbin/pppd o {
/var/run/pppd.tdb rw
/var/run/ppp0.pid w
/var/log/ppp-connect-errors a
/usr/share/zoneinfo/Europe/Berlin r
/usr/lib/libpcap.so.0.6.2 rx
/proc/net/route r
/lib
/lib/libpam.so.0 rx
/lib/libdl.so.2 rx
/lib/libcrypt.so.1 rx
/usr/lib/libpcap.so.0 rx
/lib/libc.so.6 rx
/lib/ld-linux.so.2 rx

/etc/ppp/peers/dsl-provider r
/etc/ppp/pap-secrets r
/etc/ppp/options r
/etc/ppp/ip-up x
/etc/ppp/ip-down x
/etc/ppp/chap-secrets r
/dev/pts/0 rw
/dev/ptmx rw
/dev/ppp rw
/dev/null rw
/dev/log rw
/bin/bash x
/usr/sbin/pppd x
/lib/ld-2.2.5.so rx
/
-CAP_ALL
+CAP_FSETID
+CAP_SETGID
+CAP_SETUID
+CAP_NET_ADMIN
}
/sbin/ifconfig o {
/proc/net/unix r
/proc/net/dev r
/proc/net r
/lib/libc-2.2.5.so rx
/etc/ld.so.cache r
/sbin/ifconfig x
/lib/ld-2.2.5.so rx
/
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_NET_ADMIN
}

/usr/sbin/pppoe o {
/usr/share/zoneinfo/Europe/Berlin r
/lib/libc-2.2.5.so rx
/lib/ld-2.2.5.so x
/etc/ld.so.cache r
/dev/log rw
/usr/sbin/pppoe x
/ h
-CAP_ALL
+CAP_NET_ADMIN
+CAP_NET_RAW

connect {
disabled
}

bind {
0.0.0.0:0 dgram ip
}

}

regards

weeny
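As an added example (not code from the thread), here is a small Python helper for the kind of troubleshooting done above: it parses grsec RBAC denial lines of the form quoted in the first post, groups the denied paths by parent and child command so you can see which subject (pppd spawning sh) actually needs the object, and resolves a path against a subject's object list using the RBAC rule that the most specific (longest) matching object path wins, which is why "/ h" hides everything not listed explicitly. The regex and the sample log lines are constructed from the single line in the first post; other denial types in a real dmesg would need their own patterns.

```python
import re
from collections import defaultdict

# Regex modelled on the one grsec RBAC denial line quoted in the thread
# (assumption: other denial types in a real dmesg need their own patterns).
DENIAL_RE = re.compile(
    r"grsec: From (?P<src>[\d.]+): denied access to (?P<hidden>hidden )?file "
    r"(?P<path>\S+) by \((?P<comm>[^:)]+):(?P<pid>\d+)\) UID\((?P<uid>\d+)\) "
    r"EUID\((?P<euid>\d+)\), parent \((?P<pcomm>[^:)]+):(?P<ppid>\d+)\)"
)

def parse_denial(line):
    """Return a dict describing a file-access denial, or None if no match."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["hidden"] = d["hidden"] is not None
    for key in ("pid", "ppid", "uid", "euid"):
        d[key] = int(d[key])
    return d

def denials_by_parent(lines):
    """Group denied paths by (parent, child) command so the subject that
    actually needs the object (pppd spawning sh here) is visible."""
    out = defaultdict(set)
    for d in filter(None, map(parse_denial, lines)):
        out[(d["pcomm"], d["comm"])].add(d["path"])
    return {k: sorted(v) for k, v in out.items()}

def resolve_object(policy, path):
    """grsec RBAC picks the most specific (longest) matching object path;
    'h' hides the file, '' (listed with no mode) makes it visible only."""
    best = None
    for obj in policy:
        if path == obj or path.startswith(obj.rstrip("/") + "/"):
            if best is None or len(obj) > len(best):
                best = obj
    return policy[best] if best is not None else None

# Constructed sample: the line from the first post plus one variant.
SAMPLE_LOG = [
    "grsec: From 192.168.100.99: denied access to hidden file /lib/ld-2.2.5.so "
    "by (sh:9463) UID(0) EUID(0), parent (pppd:9462) UID(0) EUID(0)",
    "grsec: From 192.168.100.99: denied access to hidden file /lib/libc.so.6 "
    "by (sh:9463) UID(0) EUID(0), parent (pppd:9462) UID(0) EUID(0)",
]
# The objects of the first post's pppd subject, as a path -> mode map.
PPPD_OBJECTS = {"/": "h", "/lib/ld-2.2.5.so": "rx"}

if __name__ == "__main__":
    print(denials_by_parent(SAMPLE_LOG))
    print(resolve_object(PPPD_OBJECTS, "/lib/libc.so.6"))  # 'h': hidden by "/"
```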
