grsecurity forums

hello. i try to make gradm 1.4 on debian woody3.0 and got the following errors:

--
joker:~/gradm# make
/usr/bin/gcc -static -O2 -c -o y.tab.o y.tab.c
btyaccpa.ske:96: parse error before `yylval'
btyaccpa.ske:96: warning: data definition has no type or storage class
btyaccpa.ske:100: parse error before `yyretlval'
btyaccpa.ske:100: warning: data definition has no type or storage class
btyaccpa.ske:111: parse error before `yyparsestate'
btyaccpa.ske:111: warning: no semicolon at end of struct or union
btyaccpa.ske:115: parse error before `*'
btyaccpa.ske:115: warning: data definition has no type or storage class
btyaccpa.ske:117: parse error before `val'
btyaccpa.ske:117: warning: data definition has no type or storage class
btyaccpa.ske:120: parse error before `*'
btyaccpa.ske:120: warning: data definition has no type or storage class
btyaccpa.ske:125: parse error before `}'
btyaccpa.ske:128: parse error before `*'
------
and more more more. lex/flex and yacc installed. can anyone help to solve this trouble?

konsul

konsul wrote:hello. i try to make gradm 1.4 on debian woody3.0 and got the following errors:

--
joker:~/gradm# make
/usr/bin/gcc -static -O2 -c -o y.tab.o y.tab.c
btyaccpa.ske:96: parse error before `yylval'
btyaccpa.ske:96: warning: data definition has no type or storage class
btyaccpa.ske:100: parse error before `yyretlval'
btyaccpa.ske:100: warning: data definition has no type or storage class
btyaccpa.ske:111: parse error before `yyparsestate'
btyaccpa.ske:111: warning: no semicolon at end of struct or union
btyaccpa.ske:115: parse error before `*'
btyaccpa.ske:115: warning: data definition has no type or storage class
btyaccpa.ske:117: parse error before `val'
btyaccpa.ske:117: warning: data definition has no type or storage class
btyaccpa.ske:120: parse error before `*'
btyaccpa.ske:120: warning: data definition has no type or storage class
btyaccpa.ske:125: parse error before `}'
btyaccpa.ske:128: parse error before `*'
------
and more more more. lex/flex and yacc installed. can anyone help to solve this trouble?

Hi Konsul,

I was just some secs before saying "typical woody" ... I don't like woody. I've heard so many problems of any kind which I've never experienced with SID

root@codeman:[/tmp/gradm] # grep -r "1.4" *
gradm_defs.h:#define GR_VERSION "1.4"
root@codeman:[/tmp/gradm] # make
/usr/bin/gcc -static -O2 -c -o y.tab.o y.tab.c
/usr/bin/gcc -static -O2 -c -o lex.yy.o lex.yy.c
/usr/bin/gcc -static -O2 -c -o gradm_misc.o gradm_misc.c
/usr/bin/gcc -static -O2 -c -o gradm_parse.o gradm_parse.c
/usr/bin/gcc -static -O2 -c -o gradm_arg.o gradm_arg.c
/usr/bin/gcc -static -O2 -c -o gradm_pw.o gradm_pw.c
/usr/bin/gcc -static -O2 -c -o gradm_opt.o gradm_opt.c
/usr/bin/gcc -static -O2 -c -o gradm_cap.o gradm_cap.c
/usr/bin/gcc -static -O2 -c -o gradm_hash.o gradm_hash.c
/usr/bin/gcc -static -O2 -c -o gradm_adm.o gradm_adm.c
/usr/bin/gcc -static -O2 -c -o gradm_analyze.o gradm_analyze.c
/usr/bin/gcc -static -O2 -c -o gradm_res.o gradm_res.c
/usr/bin/gcc -static -O2 -o gradm y.tab.o lex.yy.o gradm_misc.o gradm_parse.o gradm_arg.o gradm_pw.o gradm_opt.o gradm_cap.o gradm_hash.o gradm_adm.o gradm_analyze.o gradm_res.o -lfl
root@codeman:[/tmp/gradm] # ./gradm
gradm 1.4
grsecurity administration program
.........
root@codeman:[/tmp/gradm] # ls -lsa gradm
476 -rwxr-xr-x 1 root root 485292 Sep 19 21:23 gradm


... works. gradm 1.4 downloaded some secs ago cause I use newest 1.5-rc4 thingies.

what is the "btyaccpa.ske" thing?!?! Maybe your version is messed up? Check the md5sum you can find on grsecurity.net download page against your downloaded package.

Also, just thinking about, maybe some "strange" locales?

try export LC_ALL="C" ... sometimes it helps. I've seen REALLY strange compile errors with anything else than C as locale

ciao, Marc

yep, you right. just a have installed btyacc which relink /usr/bin/yacc to another binary called 'btyacc' and btyacc.ske is part of these package. thank you very match.

konsul.

you people have such weird systems My system is not weird at all....here's a ps ax listing as "root" :

PID TTY STAT TIME COMMAND
2 ? SW 0:00 [keventd]
3 ? SWN 0:00 [ksoftirqd_CPU0]
4 ? SWN 0:00 [ksoftirqd_CPU1]
5 ? SW 0:01 [kswapd]
6 ? SW 0:00 [bdflush]
7 ? SW 0:00 [kupdated]
8 ? SW 0:00 [khubd]
9 ? SW 0:00 [kjournald]
941 ? SW 0:00 [kjournald]
29882 ? SW 0:00 [kjournald]
1478 ? SW 0:00 [kjournald]
9658 ? SW 0:00 [kjournald]
1193 ? SW 0:00 [kjournald]
1016 ? SW 0:00 [eth1]
6300 pts/1 S 0:00 -bash
21345 pts/1 R 0:00 ps ax

Strange...where's init and everything else?

For the record, I can hide the kernel processes as well with the ACL system, it just requires a line or two changed in the code. Hiding kernel processes will be supported in 1.9.8

Perhaps if I have time (i have to generalize it a bit) I'll post my ACL set. It's ~ 11KB, root has no privilege (all capabilities removed, and most things are hidden). Every daemon is running with least privilege, and RES_CRASH is set up properly on them, as well as IP acls. It contains ACLs for cvs, XFree86, modprobe, apache, perl, cron, klogd, syslogd, uw pop3s, openssh, login, init, getty, cvsweb, sympa, wwsympa, postfix, mysql, and inetd.

-Brad

spender wrote:you people have such weird systems My system is not weird at all....here's a ps ax listing as "root" :

My system is not weird at all too

spender wrote: PID TTY STAT TIME COMMAND
2 ? SW 0:00 [keventd]
3 ? SWN 0:00 [ksoftirqd_CPU0]
4 ? SWN 0:00 [ksoftirqd_CPU1]
5 ? SW 0:01 [kswapd]
6 ? SW 0:00 [bdflush]
7 ? SW 0:00 [kupdated]
8 ? SW 0:00 [khubd]
9 ? SW 0:00 [kjournald]
941 ? SW 0:00 [kjournald]
29882 ? SW 0:00 [kjournald]
1478 ? SW 0:00 [kjournald]
9658 ? SW 0:00 [kjournald]
1193 ? SW 0:00 [kjournald]
1016 ? SW 0:00 [eth1]
6300 pts/1 S 0:00 -bash
21345 pts/1 R 0:00 ps ax

Strange...where's init and everything else?

na, thats easy. I have almost the same output here (don't have SMP system)

spender wrote:For the record, I can hide the kernel processes as well with the ACL system, it just requires a line or two changed in the code. Hiding kernel processes will be supported in 1.9.8

*deleting my question* ... hmm, if that are just 2 changes in the code, why not into 1.9.7 final? I really want to the that feature soon

spender wrote:Perhaps if I have time (i have to generalize it a bit) I'll post my ACL set. It's ~ 11KB, root has no privilege (all capabilities removed, and most things are hidden). Every daemon is running with least privilege, and RES_CRASH is set up properly on them, as well as IP acls. It contains ACLs for cvs, XFree86, modprobe, apache, perl, cron, klogd, syslogd, uw pop3s, openssh, login, init, getty, cvsweb, sympa, wwsympa, postfix, mysql, and inetd.

Thanks, yep, just saw it on the ML. Looks nice.

ciao, Marc

because adding support for kernel thread ACLs requires a change in both userspace and the kernel. It also introduces a special process ACL name, that would need special handling (as it doesn't belong to anything on the filesystem)

I think people will like what's in store for 1.9.8 though


-Brad

BTW: current CVS is working well for you? I haven't gotten any response from anyone yet. It's working solid for me...I'm using 2.4.20-pre7 though, because 2.4.19 isn't stable. Want to make sure iit's because it actually works, and not because people are sleeping

-Brad

spender wrote:because adding support for kernel thread ACLs requires a change in both userspace and the kernel. It also introduces a special process ACL name, that would need special handling (as it doesn't belong to anything on the filesystem)

I think people will like what's in store for 1.9.8 though

Hey Brad

hmm ok, looking forward to 1.9.8. Say, can you make some "TODO" List available for us all to see whats upcoming in 1.9.8 ?

That would be great!

ciao, Marc

spender wrote:BTW: current CVS is working well for you? I haven't gotten any response from anyone yet. It's working solid for me...I'm using 2.4.20-pre7 though, because 2.4.19 isn't stable. Want to make sure iit's because it actually works, and not because people are sleeping

Hi Brad,

err, sorry, jep. It works well!! (for you, and also for me)

I think, so far, no problem for releasing 1.9.7.

And 110% agreed, 2.4.19 final is NOT stable

ciao, Marc