grsecurity forums

Posted: **Sun Jul 03, 2005 3:17 pm**

Some programs need the CAP_KILL capability in order to be able to stop/restart the program (for example Apache2: '(root:U:/usr/sbin/apache2) use of CAP_KILL denied for /usr/sbin/apache2[apache2:25987] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0'). Is there any way to avoid giving a program the CAP_KILL capability and still being able to stop/restart it?

Posted: **Fri Jul 08, 2005 5:18 pm**

Were you trying to restart apache from the admin role?

-Brad

Posted: **Sun Jul 17, 2005 5:41 am**

The problem seems to have been caused by this line:

(root:U:/usr/sbin/apache2) denied unlink of /var/run/apache2.pid by /usr/sbin/apache2[apache2:2185] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

I have no idea why I didn't notice it before...

Edit: Now I know why: "grsec: more alerts, logging disabled for 10 seconds". Before I had more Apache deamons running when I killed the process, now only two.

Posted: **Sat Jul 23, 2005 12:13 pm**

And yet...

Jul 23 18:15:30 megumi grsec: From *.*.*.*: (root:U:/sbin/gradm) successful change to special role admin (id 10) by /sbin/gradm[gradm:10215] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:24676] uid/euid:0/0 gid/egid:0/0
Jul 23 18:16:36 megumi grsec: (root:U:/usr/lib/postfix/master) use of CAP_KILL denied for /usr/lib/postfix/master[master:25568] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Jul 23 18:16:36 megumi grsec: (root:U:/usr/lib/postfix/master) use of CAP_KILL denied for /usr/lib/postfix/master[master:25568] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Jul 23 18:16:36 megumi grsec: (root:U:/usr/lib/postfix/master) use of CAP_KILL denied for /usr/lib/postfix/master[master:25568] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

There are no more messages... The errors are logged while restarting postfix (/etc/init.d/postfix restart).

Posted: **Tue Aug 02, 2005 7:04 pm**

Some daemons contain code to restart themselves instead of having it done within an init script that kills and re-executes the daemon. For these, all that can be done currently is disable the RBAC system while the daemons are being restarted, or give the daemons permission to restart themselves.

-Brad

Posted: **Sat Apr 15, 2006 9:05 am**

More on the weird behavior of apache2:
gradm -a admin
/etc/init.d/apache2 start
gradm -u
<apache2 running as www-data>
gradm -a admin
/etc/init.d/apache stop
grsec: From 82.228.48.220: (default:D:/) use of CAP_KILL denied for /usr/sbin/apache2[apache2:23455] uid/e
uid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
grsec: From 82.228.48.220: (default:D:/) denied unlink of /srv/http/var/run/apache2.pid by /usr/sbin/apach
e2[apache2:18072] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

which means its a reparented apache2 process running as root without the admin role which tryes to kill the running apache.

As a consequence, one has to allow root to kill apache, or to disable rbac to kill apache2 properly.
I think I'll forfeit the init.d script and use killall rather...

grsecurity forums

Restarting services

Restarting services