port restriction without ACLs denies accept


Postby Einon » Tue Mar 22, 2005 6:50 am

After upgrading from 2.4.27 + gr 2.0.x to 2.4.29 + gr 2.1.3 I found that grsecurity denies accept() calls.

I turned on server socket restriction for group 33 (www-data), and after that Apache stopped working.

Mar 22 11:03:40 rei kernel: grsec: attempted bind() by /usr/sbin/apache[apache:19249] uid/euid:33/33 gid/egid:33/33, parent /usr/sbin/apache[apache:18014] uid/euid:0/0 gid/egid:0/0

On the grsecurity mail list I found a solution for this:
http://grsecurity.net/pipermail/grsecur ... 00211.html

But since I don't use RBAC and ACLs, it does not help.
Is there any other way to solve this?

Postby spender » Wed Mar 23, 2005 6:55 pm

Why did you disable server sockets on something that you know needs to use them?

-Brad

Postby Einon » Wed Mar 23, 2005 7:09 pm

I just copied the old config and got this problem.

On previous versions server sockets for www-data were disabled, since Apache started as root, bind()ed to the HTTP port, and each incoming connection was accepted and passed to a child which was running as www-data.

Earlier, www-data did not try to call bind().

Postby spender » Wed Mar 23, 2005 7:14 pm

The code was changed a couple versions back to also disable accept()s and listen()s for the server socket restriction. This is in line with the intention of the feature. You'll want to disable that option if there are no groups on your system that need that restriction.

-Brad

Postby Bert » Thu Mar 24, 2005 3:06 am

The main problem is that Apache normally never needs bind() but has to accept new connections via accept(). We want to disable abnormal functionality when somebody tries to install a bindshell or similar via Apache and tries to run it.
So the real question is how the old functionality can be restored. We would like to have Apache using its own socket but disable creating new listening sockets.

Postby spender » Thu Mar 24, 2005 10:36 am

New server sockets can be created without bind. If listen/accept are called without bind, a temporary port will be opened up as a server socket.

-Brad
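Brad's point above, that a process can end up with a reachable server socket without ever calling bind(), is the reason a bind()-only restriction would not stop a bindshell planted in an Apache child. The following is an added example, not code from the thread or from grsecurity: it calls listen() on an unbound TCP socket, reads back the ephemeral port Linux auto-assigned, and then connects to it over loopback and accept()s the connection. The function names and the loopback round-trip are this example's own; run it on a normal Linux box (without the server socket restriction applied to your gid) and it will print the port the kernel chose.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* listen() on a TCP socket that was never bind()ed. Linux auto-binds it to
 * INADDR_ANY plus an ephemeral port at listen() time, so the caller ends up
 * with a reachable server socket despite never calling bind().
 * Returns the listening fd, or -1 on error; *port_out receives the port the
 * kernel chose (host byte order). */
int listen_without_bind(int *port_out)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) {
        perror("socket");
        return -1;
    }

    /* Deliberately no bind(): a restriction that only hooks bind() sees nothing. */
    if (listen(fd, 1) < 0) {
        perror("listen");
        close(fd);
        return -1;
    }

    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    memset(&sin, 0, sizeof(sin));
    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0) {
        perror("getsockname");
        close(fd);
        return -1;
    }
    *port_out = ntohs(sin.sin_port);
    return fd;
}

/* Convenience wrapper: just report the auto-assigned port and close the socket.
 * Returns the port (> 0) or -1 on error. */
int ephemeral_port_without_bind(void)
{
    int port = 0;
    int fd = listen_without_bind(&port);
    if (fd < 0)
        return -1;
    close(fd);
    return port;
}

/* Prove the auto-bound socket really accepts connections: connect to it over
 * loopback and accept() the connection. Returns the port used on success,
 * -1 on any failure. */
int accept_without_bind(void)
{
    int port = 0;
    int srv = listen_without_bind(&port);
    if (srv < 0)
        return -1;

    int cli = socket(AF_INET, SOCK_STREAM, 0);
    if (cli < 0) {
        close(srv);
        return -1;
    }
    struct sockaddr_in dst;
    memset(&dst, 0, sizeof(dst));
    dst.sin_family = AF_INET;
    dst.sin_port = htons((uint16_t)port);
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

    /* The handshake completes in the kernel against the listen backlog, so a
     * blocking connect() from the same thread returns before we accept(). */
    if (connect(cli, (struct sockaddr *)&dst, sizeof(dst)) < 0) {
        perror("connect");
        close(cli);
        close(srv);
        return -1;
    }
    int conn = accept(srv, NULL, NULL);   /* the call grsecurity now also denies */
    int ok = conn >= 0;
    if (conn >= 0)
        close(conn);
    close(cli);
    close(srv);
    return ok ? port : -1;
}

int main(void)
{
    int port = accept_without_bind();
    if (port < 0)
        return 1;
    printf("accepted a connection on 0.0.0.0:%d without ever calling bind()\n", port);
    return 0;
}
```

With the server socket restriction enabled for the process's gid, the listen() or accept() in this program would be the call that fails and gets logged, which is exactly the behaviour Einon saw from Apache's www-data children.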
