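I have a strange problem. RBAC loses roles for already running binaries which were updated without a restart. For example, vsftpd, running since 07 Apr and updated on 12 Apr. Note that the grsec denials below are logged against the default subject `/` (the `(root:U:/)` prefix), not against a `/usr/sbin/vsftpd` subject.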
# ps uax|grep vsftpd
root 8301 0.0 0.0 3520 852 ? Ss Apr07 0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
# genlop vsftpd|tail -2
Sat Apr 12 23:42:03 2008 >>> net-ftp/vsftpd-2.0.6
ftp 192.168.78.1
Connected to 192.168.78.1 (192.168.78.1).
500 OOPS: failed to open vsftpd log file:/var/log/vsftpd.log
ftp> quit
[894314.417005] grsec: From 192.168.78.2: (root:U:/) denied access to hidden file /var/log by /usr/sbin/vsftpd[vsftpd:22613] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/vsftpd[vsftpd:8301] uid/euid:0/0 gid/egid:0/0
[894314.418165] grsec: (root:U:/) denied bind() to 0.0.0.0 port 21 sock type stream protocol tcp by /usr/sbin/vsftpd[vsftpd:8301] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[894314.418326] grsec: (root:U:/) denied bind() to 0.0.0.0 port 21 sock type stream protocol tcp by /usr/sbin/vsftpd[vsftpd:8301] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[894314.418424] grsec: (root:U:/) denied bind() to 0.0.0.0 port 21 sock type stream protocol tcp by /usr/sbin/vsftpd[vsftpd:8301] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[894314.418562] grsec: (root:U:/) denied bind() to 0.0.0.0 port 21 sock type stream protocol tcp by /usr/sbin/vsftpd[vsftpd:8301] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[894314.418655] grsec: more alerts, logging disabled for 10 seconds
0.000037 accept(3, 0xb207c794, [28]) = -1 EPERM (Operation not permitted)
0.000037 rt_sigprocmask(SIG_BLOCK, [CHLD], NULL, 8) = 0
0.000035 rt_sigprocmask(SIG_BLOCK, [HUP], NULL, 8) = 0
0.000034 rt_sigprocmask(SIG_UNBLOCK, [CHLD], NULL, 8) = 0
0.000035 rt_sigprocmask(SIG_UNBLOCK, [HUP], NULL, 8) = 0
0.000036 accept(3, 0xb207c794, [28]) = -1 EPERM (Operation not permitted)
0.000037 rt_sigprocmask(SIG_BLOCK, [CHLD], NULL, 8) = 0
0.000035 rt_sigprocmask(SIG_BLOCK, [HUP], NULL, 8) = 0
0.000034 rt_sigprocmask(SIG_UNBLOCK, [CHLD], NULL, 8) = 0
0.000034 rt_sigprocmask(SIG_UNBLOCK, [HUP], NULL, 8) = 0
0.000037 accept(3, 0xb207c794, [28]) = -1 EPERM (Operation not permitted)
I restarted vsftpd, and after that the FTP login works:
voron grsec # /etc/init.d/vsftpd restart
* Stopping vsftpd ... [ ok ]
* Starting vsftpd ... [ ok ]
voron grsec # ps uax|grep vsftpd
root 23009 0.0 0.0 3560 844 ? Ss 12:18 0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
root 23027 0.0 0.0 2052 708 pts/10 R+ 12:18 0:00 grep --colour=auto vsftpd
ftp 192.168.78.1
Connected to 192.168.78.1 (192.168.78.1).
220 (vsFTPd 2.0.6)
Name (192.168.78.1:voron):
530 Please login with USER and PASS.
SSL not available
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
[893745.130755] grsec: (root:U:/) denied bind() to 0.0.0.0 port 22 sock type stream protocol tcp by /usr/sbin/sshd[sshd:8053] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[893745.131023] grsec: (root:U:/) denied bind() to 0.0.0.0 port 22 sock type stream protocol tcp by /usr/sbin/sshd[sshd:8053] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Apr 12 00:08:26 voron [419599.901054] grsec: From 92.49.242.4: (root:U:/sbin/gradm) grsecurity 2.1.11 RBAC system loaded by /sbin/gradm[gradm:31255] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:6550] uid/euid:0/0 gid/egid:0/0
[grsec: From 192.168.78.2: (voron:U:/) denied bind() to 192.168.78.1 port 56827 sock type stream protocol tcp by /usr/sbin/vsftpd[vsftpd:9592] uid/euid:1000/1000 gid/egid:100/100, parent /usr/sbin/vsftpd [vsftpd:9349]uid/euid:65534/65534 gid/egid:65534/65534