grsecurity forums


https://forums.grsecurity.net./

Debian + apache + php + grsec kernel = Prob

https://forums.grsecurity.net./viewtopic.php?f=3&t=1227

Page 1 of 1

Debian + apache + php + grsec kernel = Prob

PostPosted: Sun Jun 12, 2005 12:23 pm
by Maffen
Hello,

I have a strange problem.
I have upgrade my debian woody system to sarge.
But now i have a problem, apache won't start:

Code: Select all
Configuration syntax error detected. Not reloading.

Syntax error on line 245 of /etc/apache/httpd.conf:
Cannot load /usr/lib/apache/1.3/libphp4.so into server: /usr/lib/i586/libcrypto.so.0.9.6: cannot make segment writable for relocation: Permission denied


line 245 is the line for loading the php4 module.

I did with chpax all the permissions of, but still i doesn't work.
I reinstalled apache + php, same problem...
ldd give me this:

Code: Select all
eleanor:~# ldd -r /usr/lib/apache/1.3/libphp4.so
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x21fe6000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x22013000)
        libexpat.so.1 => /usr/lib/libexpat.so.1 (0x22029000)
        libmm.so.11 => /usr/lib/libmm.so.11 (0x22049000)
        libm.so.6 => /lib/libm.so.6 (0x2204d000)
        libdb2.so.2 => /lib/libdb2.so.2 (0x2206f000)
        libbz2.so.1.0 => /usr/lib/libbz2.so.1.0 (0x220b7000)
        libz.so.1 => /usr/lib/libz.so.1 (0x220c6000)
        libssl.so.0.9.6 => /usr/lib/i586/libssl.so.0.9.6 (0x220d9000)
        libcrypto.so.0.9.6 => /usr/lib/i586/libcrypto.so.0.9.6 (0x22105000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x221b7000)
        libdl.so.2 => /lib/libdl.so.2 (0x221c9000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x221cc000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x221e1000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x2224a000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x2226d000)
        libc.so.6 => /lib/libc.so.6 (0x22270000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x12659000)
/usr/lib/apache/1.3/libphp4.so: error while loading shared libraries: /usr/lib/i586/libcrypto.so.0.9.6: cannot make segment writable for relocation: Permission denied


Debian 3.1 Sarge
Apache: Apache/1.3.33 (Debian GNU/Linux)
PHP4: 4.3.11-0.dotdeb.0
kernel: Linux eleanor 2.4.29-grsec #3 Thu Mar 24 15:45:41 CET 2005 i586 GNU/Linux
Web packages from dotdeb.org

I this a known problem?

This is the grsecurity part of my .config.

Code: Select all
#
# Grsecurity
#
CONFIG_GRKERNSEC=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_SHA256=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MID is not set
# CONFIG_GRKERNSEC_HI is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# PaX Control
#
# CONFIG_GRKERNSEC_PAX_SOFTMODE is not set
CONFIG_GRKERNSEC_PAX_EI_PAX=y
CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS=y
CONFIG_GRKERNSEC_PAX_NO_ACL_FLAGS=y
# CONFIG_GRKERNSEC_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_GRKERNSEC_PAX_HOOK_ACL_FLAGS is not set

#
# Address Space Protection
#
CONFIG_GRKERNSEC_PAX_NOEXEC=y
CONFIG_GRKERNSEC_PAX_PAGEEXEC=y
CONFIG_GRKERNSEC_PAX_SEGMEXEC=y
# CONFIG_GRKERNSEC_PAX_EMUTRAMP is not set
CONFIG_GRKERNSEC_PAX_MPROTECT=y
CONFIG_GRKERNSEC_PAX_NOELFRELOCS=y
CONFIG_GRKERNSEC_PAX_ASLR=y
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
# CONFIG_GRKERNSEC_BRUTE is not set
# CONFIG_GRKERNSEC_HIDESYM is not set

#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=1001
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
# CONFIG_GRKERNSEC_PROC_IPADDR is not set
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
# CONFIG_GRKERNSEC_SHM is not set
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDSRC=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
# CONFIG_GRKERNSEC_SYSCTL is not set

#
# Logging options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

PostPosted: Sun Jun 12, 2005 3:03 pm
by Hal9000
why in hell are you using doteb packages on a sarge system?
those packages are intended for use on woody systems. upgrade those packages to debian sarge packages, they are at about the same level but officially supported and thus stable.
i have been using sarge for several months without problems with grsec.

Re: Debian + apache + php + grsec kernel = Prob

PostPosted: Mon Jun 13, 2005 7:13 am
by PaX Team
Maffen wrote:line 245 is the line for loading the php4 module.

I did with chpax all the permissions of, but still i doesn't work.
what did you chpax and how?
Code: Select all
/usr/lib/apache/1.3/libphp4.so: error while loading shared libraries: /usr/lib/i586/libcrypto.so.0.9.6: cannot make segment writable for relocation: Permission denied


Debian 3.1 Sarge
Apache: Apache/1.3.33 (Debian GNU/Linux)
PHP4: 4.3.11-0.dotdeb.0
kernel: Linux eleanor 2.4.29-grsec #3 Thu Mar 24 15:45:41 CET 2005 i586 GNU/Linux
Web packages from dotdeb.org

I this a known problem?

This is the grsecurity part of my .config.

Code: Select all
CONFIG_GRKERNSEC_PAX_NOELFRELOCS=y
did you read help for that option? and as a general note, there's no text relocation free distro out there yet (although quite some progress has been made in hardened gentoo), so you must really heed that warning in the help.

PostPosted: Mon Jun 13, 2005 11:20 am
by Maffen
chpax -pemrxs /usr/lib/apache/1.3/libphp4.so
chpax -pemrxs /usr/lib/i586/libcrypto.so.0.9.6

I turned all permissions off, for knowing sure what the problem was.

And for the help, no i didn't, i used the default options from the guide (.PDF).
So if i turn that option off, and recompile the kernel, it will be solved?

Greetzz,
Maffen

PS.
My apologies for my bad english, my langues are not my best firend.. ;)

PostPosted: Mon Jun 13, 2005 11:37 am
by PaX Team
Maffen wrote:chpax -pemrxs /usr/lib/apache/1.3/libphp4.so
chpax -pemrxs /usr/lib/i586/libcrypto.so.0.9.6

I turned all permissions off, for knowing sure what the problem was.
and that of course won't do much because the PaX flags are taken only from the main executable, never from shared libraries.
And for the help, no i didn't, i used the default options from the guide (.PDF).
which guide was that?
So if i turn that option off, and recompile the kernel, it will be solved?
yes.

PostPosted: Mon Jun 13, 2005 1:08 pm
by Maffen
http://www.grsecurity.org/quickstart.pdf This one :)
I will recompile the kernel, but first my examens from school...

PostPosted: Mon Jun 13, 2005 2:34 pm
by PaX Team
that one doesn't explicitly suggest anything about NOELFRELOCS, i guess spender needs to update it ;-).
All times are UTC - 5 hours [ DST ]
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/