Acl problem

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Acl problem

Postby marcinek » Sun Aug 25, 2002 9:50 am

Hi
Maybe I'm wrong, but ACLs lack pipe support :(

Here is my postfix ACL:

/usr/lib/posfix/smtp {
/ rwxoi
+CAP_ALL
}

Aug 25 15:08:51 kernel: grsec: attempt to load writable library [03:05:32007] by (smtp:26390) UID(101) EUID(101), parent (master:5191) UID(0) EUID(0)

postfix/qmgr[30510]: warning: private/smtp socket: malformed response


--snip--

Learning mode does not help. Maybe someone has ACLs for postfix?
marcinek
 
Posts: 7
Joined: Thu Aug 22, 2002 4:37 pm

Postby spender » Sun Aug 25, 2002 10:30 pm

That's a pretty ugly ACL (it doesn't restrict anything), but the problem you are having is that postfix is trying to load a library that is writable in the ACL for /. Do a find -inum 32007 on the partition that corresponds to the device 03:05 (/dev/hda5, I think) to find the library it was trying to load, and then fix your ACL for / so that write access is not allowed.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
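Brad's find -inum advice, worked out as an added example (it is not code from the thread or from grsecurity/gradm): parse the bracketed [major:minor:inode] triple out of the kernel line, map the device number to a partition and its mount point, then walk that one filesystem for the inode, the way find -xdev -inum does. The log line is the one from the post above; the /proc/partitions and /proc/mounts excerpts are constructed samples, and hda5 being mounted on /var is invented for them. Reading major:minor as hex is an assumption (for 03:05 hex and decimal agree).

```python
"""Resolve a grsec "attempt to load writable library [MAJ:MIN:INODE]" line
to the file it refers to (added example, not grsecurity code)."""
import os
import re
import stat

# Constructed sample: the kernel line from the thread, joined onto one line.
SAMPLE_LOG = ("Aug 25 15:08:51 kernel: grsec: attempt to load writable library "
              "[03:05:32007] by (smtp:26390) UID(101) EUID(101), "
              "parent (master:5191) UID(0) EUID(0)")

# Constructed /proc/partitions and /proc/mounts excerpts for a 2002-style IDE
# disk; the real files use the same column layout. The /var mount is invented.
SAMPLE_PARTITIONS = """major minor  #blocks  name

   3     0   20000000 hda
   3     1     102400 hda1
   3     5    8000000 hda5
"""
SAMPLE_MOUNTS = """/dev/hda1 / ext3 rw 0 0
/dev/hda5 /var ext3 rw 0 0
"""

LIB_RE = re.compile(r"writable library \[([0-9a-fA-F]+):([0-9a-fA-F]+):(\d+)\]")


def parse_writable_library(line):
    """Return (major, minor, inode) from the log line, or None if it does not
    match. Assumption: major/minor are printed in hex (the usual dev_t
    convention); for 03:05 (hda5) hex and decimal give the same numbers."""
    m = LIB_RE.search(line)
    if not m:
        return None
    return int(m.group(1), 16), int(m.group(2), 16), int(m.group(3))


def device_name(major, minor, partitions):
    """Map a major:minor pair to a block device name via /proc/partitions text."""
    for row in partitions.splitlines():
        cols = row.split()
        if len(cols) == 4 and cols[0].isdigit() and cols[1].isdigit():
            if (int(cols[0]), int(cols[1])) == (major, minor):
                return cols[3]
    return None


def mount_point(devname, mounts):
    """Mount point of /dev/<devname> according to /proc/mounts text."""
    for row in mounts.splitlines():
        cols = row.split()
        if len(cols) >= 2 and cols[0] == "/dev/" + devname:
            return cols[1]
    return None


def locate(line, partitions, mounts):
    """(mount point, inode) for the log line, or None if it cannot be parsed.
    The mount point may be None when the device is not in the tables."""
    triple = parse_writable_library(line)
    if triple is None:
        return None
    major, minor, inode = triple
    dev = device_name(major, minor, partitions)
    return (mount_point(dev, mounts) if dev else None), inode


def find_by_inode(root, inode):
    """Walk root without crossing filesystems (find -xdev -inum) and return
    every path with that inode; inode numbers are only unique per filesystem."""
    root_dev = os.lstat(root).st_dev
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        same_fs = []
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if st.st_dev != root_dev:
                continue  # another filesystem: do not descend, like -xdev
            if st.st_ino == inode:
                hits.append(path)
            if stat.S_ISDIR(st.st_mode):
                same_fs.append(name)
        dirnames[:] = same_fs  # prune before os.walk descends
    return hits


if __name__ == "__main__":
    mp, ino = locate(SAMPLE_LOG, SAMPLE_PARTITIONS, SAMPLE_MOUNTS)
    print(f"run on the live box: find {mp} -xdev -inum {ino}")
```

On the real system, pass the contents of /proc/partitions and /proc/mounts to locate() and then call find_by_inode() on the returned mount point; the -xdev behaviour matters because the same inode number exists on every filesystem.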

re

Postby marcinek » Mon Aug 26, 2002 5:00 am

OK, here is the new line of the ACL for the rw lib:
/var/spool/postfix/lib rwxi

but ....

Aug 26 10:49:05 postfix/qmgr[30510]: C928EF2F3: from=<root@intercaffe.metronet.pl>, size=314, nrcpt=1 (queue active)
Aug 26 10:49:05 postfix/smtp[20199]: fatal: unknown service: smtp/tcp
Aug 26 10:49:06 postfix/qmgr[30510]: warning: premature end-of-input from private/smtp socket while reading input attribute name
Aug 26 10:49:06 postfix/qmgr[30510]: warning: private/smtp socket: malformed response

and ... here are the new errors.
marcinek
 
Posts: 7
Joined: Thu Aug 22, 2002 4:37 pm

Re: re

Postby hightower » Mon Aug 26, 2002 3:50 pm

marcinek wrote: OK, here is the new line of the ACL for the rw lib:
/var/spool/postfix/lib rwxi

but ....

Aug 26 10:49:05 postfix/qmgr[30510]: C928EF2F3: from=<root@intercaffe.metronet.pl>, size=314, nrcpt=1 (queue active)
Aug 26 10:49:05 postfix/smtp[20199]: fatal: unknown service: smtp/tcp
Aug 26 10:49:06 postfix/qmgr[30510]: warning: premature end-of-input from private/smtp socket while reading input attribute name
Aug 26 10:49:06 postfix/qmgr[30510]: warning: private/smtp socket: malformed response

and ... here are the new errors.


Hi Marcinek,

as Brad says:

> ...
> to load, and then fix your ACL for / so that write access is not allowed.

Read it carefully ;-)

It may be helpful if you post your complete ACL file.

Anyway, this looks like your ACL for postfix is not able to view /etc/services; therefore you get the "unknown service: smtp/tcp" error.

You should have a rule for / like this:

/ {
...
/etc r
...
}

Even if you don't want this for all, add /etc ro to your postfix ACL.

Also, if you get messages like "grsec: attempt to load writable library ...", this means it should _NOT_ have write (w) access to the libraries it uses!

Also +CAP_ALL is not needed. You maybe only want +CAP_NET_BIND_SERVICE.

I am pretty sure the ACL learning stuff will tell you the right things.

ciao, Marc
hightower
 
Posts: 49
Joined: Wed Mar 06, 2002 11:36 am

Postby marcinek » Tue Aug 27, 2002 12:57 pm

Hi again

Learning does not help. I created learning objects for all postfix daemons, but this does not help: postfix works fine, but doesn't send mails :<
I think learning mode does not create +CAP_CHROOT. Maybe someone has a learning-mode postfix ACL?
marcinek
 
Posts: 7
Joined: Thu Aug 22, 2002 4:37 pm

Postby spender » Wed Aug 28, 2002 12:43 pm

/usr/lib/postfix o {
/var/spool/postfix rw
/dev/null rw
/ h
/dev/log
/etc/aliases
/etc r
/etc/ld.so.cache rx
/lib/ld-2.2.5.so x
/lib rx
/usr/lib rx
/usr/lib/postfix x
/usr/lib/sympa/bin/queue x
/usr/share/zoneinfo/US/Eastern r
/var/mail w
/var/spool/postfix/etc/hosts r
/var/spool/postfix/etc/localtime r
/var/spool/postfix/etc/resolv.conf r
/var/spool/postfix/etc/services r
/var/spool/postfix/lib/libnss_dns-2.2.5.so rx
/var/spool/postfix/lib/libnss_files-2.2.5.so rx
/var/tmp
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_KILL
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_CHROOT

connect {
0.0.0.0/0:25 stream tcp
0.0.0.0/0:53 dgram udp
}

bind {
disabled
}
}
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
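The checks Marc and Brad spell out above (no write access to the libraries a subject maps, no +CAP_ALL, read access to /etc/services or the chroot's copy of it) as a small linter over one RBAC subject block. This is an added example, not part of the thread or of gradm: parse_subject, effective_mode and lint are names chosen here, the object lookup implements RBAC's longest-matching-path rule, and the two sample ACLs are copied from the posts above (Brad's trimmed to the objects the checks touch).

```python
"""Lint a grsecurity RBAC subject for the mistakes in this thread (added
example, not gradm code): a writable, executable object (which trips
"attempt to load writable library"), a writable / object, +CAP_ALL, and a
services file the subject cannot read."""

# The first ACL posted in the thread, copied as test input.
FIRST_ACL = """
/usr/lib/posfix/smtp {
    / rwxoi
    +CAP_ALL
}
"""

# Brad's ACL, trimmed to the objects the checks below look at.
BRAD_ACL = """
/usr/lib/postfix o {
    /var/spool/postfix rw
    /dev/null rw
    / h
    /dev/log
    /etc r
    /lib rx
    /usr/lib rx
    /var/spool/postfix/etc/services r
    /var/spool/postfix/lib/libnss_files-2.2.5.so rx
    -CAP_ALL
    +CAP_SYS_CHROOT
    connect {
        0.0.0.0/0:25 stream tcp
    }
    bind {
        disabled
    }
}
"""


def parse_subject(text):
    """Return (subject path, {object path: mode}, [capability lines]) for one
    subject block; nested connect/bind blocks are skipped."""
    subject, objects, caps, depth = None, {}, [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            depth += 1
            if depth == 1:
                subject = line[:-1].split()[0]
            continue
        if line == "}":
            depth -= 1
            continue
        if depth != 1:
            continue  # inside connect { } or bind { }
        if line[0] in "+-" and line[1:].startswith("CAP_"):
            caps.append(line)
        elif line.startswith("/"):
            parts = line.split()
            objects[parts[0]] = parts[1] if len(parts) > 1 else ""  # bare path: no r/w/x
    return subject, objects, caps


def effective_mode(objects, path):
    """Mode RBAC applies to path: the object with the longest matching path
    prefix, matched on whole components ('/etc' covers '/etc/services', not
    '/etcetera'). Returns '' when no object covers the path at all."""
    best = None
    for obj in objects:
        if obj == "/" or path == obj or path.startswith(obj.rstrip("/") + "/"):
            if best is None or len(obj) > len(best):
                best = obj
    return objects[best] if best is not None else ""


def lint(text, must_read=("/etc/services",)):
    """Return the list of findings; an empty list means none of the thread's
    mistakes are present. must_read lists files the daemon needs to read
    (add the chroot copy, e.g. /var/spool/postfix/etc/services)."""
    _subject, objects, caps = parse_subject(text)
    findings = []
    if "+CAP_ALL" in caps:
        findings.append("+CAP_ALL: grant only what the daemon needs, e.g. +CAP_NET_BIND_SERVICE")
    if "w" in objects.get("/", ""):
        findings.append("/ is writable: the subject may modify every file it can see")
    for path, mode in objects.items():
        if "w" in mode and "x" in mode:
            findings.append(f"{path} {mode}: writable and executable; a library mapped "
                            f"from under it is refused as a writable library")
    for path in must_read:
        mode = effective_mode(objects, path)
        if "r" not in mode:
            findings.append(f"{path} not readable (effective mode {mode!r}): "
                            f"getservbyname() fails with 'unknown service'")
    return findings


if __name__ == "__main__":
    for name, acl in (("first ACL", FIRST_ACL), ("Brad's ACL", BRAD_ACL)):
        print(name, "->", lint(acl) or "no findings")
```

The linter reports marcinek's first ACL three times (+CAP_ALL, writable /, and / rwxoi as writable-plus-executable) and his second try four times, since /var/spool/postfix/lib rwxi is still writable and executable; Brad's ACL comes back clean, including for the chroot copy of the services file.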

thx

Postby marcinek » Thu Aug 29, 2002 4:59 am

Hi
Thanks Brad, but this is only an ACL for one daemon. I have a problem with smtp (it doesn't send mails), even with learning mode enabled for all postfix daemons.
marcinek
 
Posts: 7
Joined: Thu Aug 22, 2002 4:37 pm

Postby spender » Thu Aug 29, 2002 8:55 am

No, it's for all the postfix daemons. They all live in /usr/lib/postfix. This ACL is for that directory, so it applies to all the daemons.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

re : acl problem

Postby marcinek » Fri Aug 30, 2002 2:53 am

Hi again

This is a new error; maybe I have an old version of grsecurity.
"0.0.0.0/0" caused a parse error on line 30 of /etc/grsec/b
My grsecurity CVS date is 24 Aug.
marcinek
 
Posts: 7
Joined: Thu Aug 22, 2002 4:37 pm

Spender is the god :)

Postby Sea-you » Sat Aug 31, 2002 2:56 pm

Spender ur gr8 :D
Sea-you
 
Posts: 10
Joined: Thu Apr 11, 2002 12:48 pm

Postby marcinek » Sun Sep 01, 2002 7:28 am

Yes he is the best .
Everything works on the new 1.9.7rc3 :D
marcinek
 
Posts: 7
Joined: Thu Aug 22, 2002 4:37 pm

