grsecurity forums

When enabling CONFIG_GRKERNSEC_CHROOT_FINDTASK, grsec complains about processes piping to another when they are started from a bash login shell, in my particular case being spawned by a chrooted sshd.

Example:

Code: Select all

# echo test |grep test
-bash: child setpgid (28927 to 28926): Operation not permitted
test

Strangely enough, this does not happen when the processes are started from a different shell, like zsh. It's just bash making trouble. Well, most of the time at least. There are no problems with piping in bash shell scripts:

Code: Select all

#!/bin/bash
echo test |grep test

This works without complaining.

Also, no problems with directly running

Code: Select all

chroot /chroot echo test |grep test

from outside the chroot environment.

I've searched high and low for other people having the same problem. All I came up with is a discussion on the grsec mailing list, which has remotely to do with the topic (bash oddities, that is): http://www.grsecurity.net/pipermail/grs ... 00522.html

As I could reproduce that issue in combination with bash as well, I disabled random PIDs, however, as expected this did not resolve my actual problem ;-).

Tested with 2.6.17.11-grsec. Insights, anyone? (besides changing the login shell)

Sorry if I'm overlooking something obvious.

I'm still at a loss with this one. You might have noticed, that the grep was actually executed in the previous example.

However, when e. g. piping into less this is not the case:

Code: Select all

$ cat file |less

will die after the setpgid error.

Weird: The setpgid error does not always raise, just in about 90% percent of tries. For illustration:

Code: Select all

[...]
$ echo |wc -l
-bash: child setpgid (16276 to 16275): Operation not permitted
1
$ echo |wc -l
-bash: child setpgid (16278 to 16277): Operation not permitted
1
$ echo |wc -l
1
$

The following is a strace of /bin/bash, starting after I input echo |wc -l and hit return:

Code: Select all

rt_sigprocmask(SIG_BLOCK, [INT], [], 8) = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig -icanon -echo ...}) = 0
ioctl(0, SNDCTL_TMR_STOP or TCSETSW, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigaction(SIGINT, {0x8085d60, [], SA_RESTORER, 0x4f098a18}, {0x80b58a0, [], SA_RESTORER, 0x4f098a18}, 8) = 0
rt_sigaction(SIGTERM, {SIG_IGN}, {SIG_IGN}, 8) = 0
rt_sigaction(SIGQUIT, {SIG_IGN}, {SIG_IGN}, 8) = 0
rt_sigaction(SIGALRM, {0x8085cc0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM SYS], SA_RESTORER, 0x4f098a18}, {0x80b58a0, [], SA_RESTORER, 0x4f098a18}, 8) = 0
rt_sigaction(SIGTSTP, {SIG_IGN}, {SIG_IGN}, 8) = 0
rt_sigaction(SIGTTOU, {SIG_IGN}, {SIG_IGN}, 8) = 0
rt_sigaction(SIGTTIN, {SIG_IGN}, {SIG_IGN}, 8) = 0
rt_sigaction(SIGWINCH, {0x8077e30, [], SA_RESTORER, 0x4f098a18}, {0x80b5960, [], SA_RESTORER, 0x4f098a18}, 8) = 0
rt_sigaction(SIGINT, {0x8085d60, [], SA_RESTORER, 0x4f098a18}, {0x8085d60, [], SA_RESTORER, 0x4f098a18}, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
pipe([3, 4])                            = 0
rt_sigprocmask(SIG_BLOCK, [INT CHLD], [CHLD], 8) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x4f1a5928) = 18086
setpgid(18086, 18086)                   = -1 ESRCH (No such process)
rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
close(4)                                = 0
close(4)                                = -1 EBADF (Bad file descriptor)
rt_sigprocmask(SIG_BLOCK, [INT CHLD], [CHLD], 8) = 0
clone(bash: child setpgid (18087 to 18086): Operation not permitted
1
child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x4f1a5928) = 18087
setpgid(18087, 18086)                   = -1 ESRCH (No such process)
rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
close(3)                                = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [CHLD], 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD TSTP TTIN TTOU], [CHLD], 8) = 0
ioctl(255, TIOCSPGRP, [18086])          = -1 EPERM (Operation not permitted)
rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [CHLD], 8) = 0
waitpid(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], WUNTRACED) = 18086
waitpid(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], WUNTRACED) = 18087
rt_sigprocmask(SIG_BLOCK, [CHLD TSTP TTIN TTOU], [CHLD], 8) = 0
ioctl(255, TIOCSPGRP, [18078])          = 0
rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
ioctl(255, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(255, TIOCGWINSZ, {ws_row=59, ws_col=158, ws_xpixel=0, ws_ypixel=0}) = 0
rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
close(3)                                = -1 EBADF (Bad file descriptor)
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGCHLD (Child exited) @ 0 (0) ---
waitpid(-1, 0x5c4e94f8, WNOHANG|WUNTRACED) = -1 ECHILD (No child processes)
sigreturn()                             = ? (mask now [])
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
rt_sigaction(SIGINT, {0x8085d60, [], SA_RESTORER, 0x4f098a18}, {0x8085d60, [], SA_RESTORER, 0x4f098a18}, 8) = 0
time(NULL)                              = 1162235819
rt_sigprocmask(SIG_BLOCK, [CHLD TSTP TTIN TTOU], [], 8) = 0
ioctl(255, TIOCSPGRP, [18078])          = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigaction(SIGINT, {0x8085d60, [], SA_RESTORER, 0x4f098a18}, {0x8085d60, [], SA_RESTORER, 0x4f098a18}, 8) = 0
rt_sigprocmask(SIG_BLOCK, [INT], [], 8) = 0
ioctl(0, TIOCGWINSZ, {ws_row=59, ws_col=158, ws_xpixel=0, ws_ypixel=0}) = 0
ioctl(0, TIOCSWINSZ, {ws_row=59, ws_col=158, ws_xpixel=0, ws_ypixel=0}) = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, SNDCTL_TMR_STOP or TCSETSW, {B38400 opost isig -icanon -echo ...}) = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig -icanon -echo ...}) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigaction(SIGINT, {0x80b58a0, [], SA_RESTORER, 0x4f098a18}, {0x8085d60, [], SA_RESTORER, 0x4f098a18}, 8) = 0
rt_sigaction(SIGTERM, {0x80b58a0, [], SA_RESTORER, 0x4f098a18}, {SIG_IGN}, 8) = 0
rt_sigaction(SIGTERM, {SIG_IGN}, {0x80b58a0, [], SA_RESTORER, 0x4f098a18}, 8) = 0
rt_sigaction(SIGQUIT, {0x80b58a0, [], SA_RESTORER, 0x4f098a18}, {SIG_IGN}, 8) = 0
rt_sigaction(SIGQUIT, {SIG_IGN}, {0x80b58a0, [], SA_RESTORER, 0x4f098a18}, 8) = 0
rt_sigaction(SIGALRM, {0x80b58a0, [], SA_RESTORER, 0x4f098a18}, {0x8085cc0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM SYS], SA_RESTORER, 0x4f098a18}, 8) = 0
rt_sigaction(SIGTSTP, {0x80b58a0, [], SA_RESTORER, 0x4f098a18}, {SIG_IGN}, 8) = 0
rt_sigaction(SIGTSTP, {SIG_IGN}, {0x80b58a0, [], SA_RESTORER, 0x4f098a18}, 8) = 0
rt_sigaction(SIGTTOU, {0x80b58a0, [], SA_RESTORER, 0x4f098a18}, {SIG_IGN}, 8) = 0
rt_sigaction(SIGTTOU, {SIG_IGN}, {0x80b58a0, [], SA_RESTORER, 0x4f098a18}, 8) = 0
rt_sigaction(SIGTTIN, {0x80b58a0, [], SA_RESTORER, 0x4f098a18}, {SIG_IGN}, 8) = 0
rt_sigaction(SIGTTIN, {SIG_IGN}, {0x80b58a0, [], SA_RESTORER, 0x4f098a18}, 8) = 0
rt_sigaction(SIGWINCH, {0x80b5960, [], SA_RESTORER, 0x4f098a18}, {0x8077e30, [], SA_RESTORER, 0x4f098a18}, 8) = 0

I could not reproduce the above mentioned fact, that the error sometimes does not raise, from an straced bash, unfortunately. Race conditions are fun.

I have a hard time believing that I'm the only one facing this problem. I'm not sure if posting my kernel configuration would help; possibly I should annotate that my kernel does not have sysctl support (not that it makes a difference for this particular matter, however, without manual interaction sysctl disables many grsec functions - chroot restrictions in particular - after a standard compile; just in case ;-).

This problem has been fixed in the latest patch in http://grsecurity.net/~spender/

-Brad

No more CONFIG_GRKERNSEC_CHROOT_FINDTASK strangenesses with grsecurity-2.1.10-2.6.19.1-200701021948 (CONFIG_GRKERNSEC_RANDPID was removed from grsec, apparently). Thanks a lot :-).