[access denied with samba server] samba - grsec - acl

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

[access denied with samba server] samba - grsec - acl

Postby evaleto » Tue Mar 23, 2004 2:38 pm

Hello,
I'm using gentoo with linux-2.4.24-grsec-1.9.13 kernel. I have configured the ACL for all services (Apache, login, sshd, postfix, etc.) and it eems to work :)

But I have a problem with samba. With the ACL activated (gradm -E) I can't browse the samba server. I have this dmesg log:

Code: Select all
grsec: From 192.168.1.45: attempted bind to 127.0.0.1 port 0 sock type 2 protocol 17 by (smbd:1623) UID(0) EUID(0), parent (smbd:1374) UID(0) EUID(0)


But if I desactivate the ACL (gradm -D) I can connect to the samba server and after reactivating the gradm -E, strangly I can browse on the samba shares. The problem is on the first connection, and I can't find any solution.

Here my ACL configuration for samba:
Code: Select all
/usr/sbin/smbd oXA {
        /dev/log  rw
        /usr/share r
        /etc r
        /etc/grsec h
        /etc/ld.so.cache r
        /etc/samba/private/ rw
        /tmp rwx
        /lib rx
        /usr/lib rx
        /var/log/samba a
        /var/run/samba.pid w
        /var/cache/samba/ rw
        /var/www rw
        /dev/null rw
        /bin/bash x
        /usr/sbin/smbd x
        /

        -CAP_ALL
        +CAP_DAC_OVERRIDE
        +CAP_KILL
        +CAP_SETGID
        +CAP_SETUID
        +CAP_NET_BIND_SERVICE

        RES_CRASH 1 10m

        connect {
                192.168.1.0/24:137 dgram udp
                192.168.1.0/24:138 dgram udp
                192.168.1.0/24:139 dgram udp
                192.168.1.0/24:445 dgram udp
                192.168.1.0/24:515 dgram udp
                0.0.0.0/0:0-61024 dgram udp
        }

        bind {
                192.168.1.0/24:137 stream tcp
                192.168.1.0/24:138 stream tcp
                192.168.1.0/24:139 stream tcp
                192.168.1.0/24:445 stream tcp
                192.168.1.0/24:515 stream tcp
                0.0.0.0/0:0-61024 stream tcp
        }
}


Olivier
evaleto
 
Posts: 2
Joined: Tue Mar 23, 2004 2:20 pm

Postby spender » Wed Mar 24, 2004 8:39 am

protocol 17 is udp, so you need to add to your bind rules:

127.0.0.1:0 dgram udp

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby fwiffo » Wed Mar 24, 2004 5:36 pm

I just don't want to seem a little paranoid, but....why allowing bind for single range of a LAN address and then allow binding from the whole ipv4 address space in almost all ports?! it doesn't make any sense.....in terms of security, and I bet in terms of practical use as well....
I bet that this samba servers is only needed in the LAN, no use to bind to all the addresses (at least in the TCP case, I know that SAMBA opens 0.0.0.0 UDP even if you specify otherwise in his binding options)
fwiffo
 
Posts: 10
Joined: Fri Mar 12, 2004 6:50 pm

ACL is complex because the learning mode doesn't work

Postby evaleto » Thu Mar 25, 2004 7:37 am

I just don't want to seem a little paranoid, but....why allowing bind for single range of a LAN address and then allow binding from the whole ipv4 address space in almost all ports?! it doesn't make any sense.....in terms of security, and I bet in terms of practical use as well....
I bet that this samba servers is only needed in the LAN, no use to bind to all the addresses (at least in the TCP case, I know that SAMBA opens 0.0.0.0 UDP even if you specify otherwise in his binding options)

You are right, it was just for testing. Because I can't use the LEARNING mode to generate the acl file. When I activate the LEARN mode I can only see results in /var/log/kern.log.
In fact, I do:
1) add "l" in /etc/grsec/gentoo/grsecurity-base-policy/samba.acl
2) gradm -E
3) gradm -a
4) I use the application for a while
5) gradm -D
6) gradm -L/var/log/kern.log -O samba.acl
My result is the same ACL file without the "l" ????


Just a little problem, I use syslog-ng and gradm -L want to load syslog.conf, so I have add /etc/syslog.conf with the good configuration. And it seems to be ok.

So my question is why I can make my ACL files in LEARNING mode?

Thank's a lot,
Olivier
evaleto
 
Posts: 2
Joined: Tue Mar 23, 2004 2:20 pm

Postby fwiffo » Tue Mar 30, 2004 3:23 pm

Maybe you're doing something wrong, in learning mode it will try to add permissions to objects in your system(s) by checking when this or that tries to access something in the wild, so it adds permission to that thing, if you have an ACL "READY" for use, but with something that isn't really good of something added but that isn't really needed it won't remove it from your original ACL, instead, it will modify your ACLs to suit actions taken by your programs, if there isn't something accessible or usable that should be so....OK I hope to have been clear enough....

simple:
just make an EMPTY ACL file:
samba.acl:

/usr/sbin/smbd lo {
/ h (I think it's a good idea, it will make readable/viewable only the dirs/files really needed)
connect {
}
bind {
}
}

/usr/sbin/nmbd lo {
/ h (I think it's a good idea, it will make readable/viewable only the dirs/files really needed)
connect {
}
bind {
}
}

from this point you should use the service for AT LEAST one day, and use it very much in that day, not just a minute, so that the rules will become almost perfect, then I would do a final check, basing it from a point of view on how the service is configured, if something is missing or there are excessive permissions to certain objects (shouldn't, anyway).....etc...
GOOD LUCK ;)
fwiffo
 
Posts: 10
Joined: Fri Mar 12, 2004 6:50 pm


Return to grsecurity support

cron