Page 1 of 1

failed to map segment from shared object

PostPosted: Mon Sep 30, 2002 10:33 am
by saturne
:D HI :D

when I launches gradm (gradm - E), users who are chroot (/home/user/./) cannot connect in ssh. I have an error "- bash: error while loading shared libraries: libncurses.so.5: failed to map segment from shared object: Permission denied "

as I don’t arrive, I made in the file acl a very "open" configuration :

#sample default process acl for grsecurity

/ {
/ r
/opt rx
/home rwx
/mnt rw
/dev rw
/dev/mem h
/dev/kmem h
/bin rx
/sbin rx
/lib rx
/usr rx
/etc rx
/proc rwx
/proc/sys r
/root r
/tmp rw
/var rwx
/var/tmp rw
/var/log ra
/boot r
/etc/grsec h

-CAP_LINUX_IMMUTABLE
-CAP_NET_RAW
-CAP_MKNOD
-CAP_SYS_RAWIO
-CAP_SYS_MODULE
}


/bin/login {
/ rwo
/etc rwo
/bin rwo
/var rwo
/proc rwo

}


/usr/local/sbin/sshd {
/ row
/etc ro
/var rwo
}

/bin/su {
/ ro
/etc ro
}

/bin/bash {
/ row
/proc rwo
}





This is just for see :wink:


So, for users libraries, I’ll try cp –Rl (hard link) :D , and cp –R (real files) :-? ….. just for see…


When I kill gradm (gradm –D) I’ve no problem. So my configuration about chroot, openssh is ok.

I’ll try “low level” in kernel option, but it’s the same. I think, the problem comes acl file, but even with all the examples which I could find on the forum or the mailing-list, I don’t see….. why "failed to map segment from shared object.." ?

PostPosted: Mon Sep 30, 2002 3:08 pm
by spender
check your logs. If grsecurity caused it, there would be some message as to why.

-Brad

PostPosted: Mon Sep 30, 2002 4:08 pm
by saturne
ok, i see them:

-In kern.log:

Sep 30 23:50:53 venus kernel: grsec: Loaded grsecurity 1.9.7
Sep 30 23:50:57 venus kernel: grsec: chdir("/") by (sshd:17415) UID(6002) EUID(6002), parent (sshd:18758) UID(6002) EUID(6002)
Sep 30 23:50:57 venus kernel: grsec: exec of /bin/bash within chroot jail [03:06:31793] by process (sshd:17415) UID(6002) EUID(6002), parent (sshd:18758) UID(6002) EUID(6002)
Sep 30 23:50:57 venus kernel: grsec: attempt to load writable library [03:06:129574] by (bash:17415) UID(6002) EUID(6002), parent (sshd:18758) UID(6002) EUID(6002)
Sep 30 23:51:01 venus kernel: grsec: shutdown auth success for (gradm:21407) UID(0) EUID(0), parent (bash:3823) UID(0) EUID(0)


-In messages:

Sep 30 23:50:57 venus kernel: grsec: chdir("/") by (sshd:17415) UID(6002) EUID(6002), parent (sshd:18758) UID(6002) EUID(6002)
Sep 30 23:50:57 venus kernel: grsec: exec of /bin/bash within chroot jail [03:06:31793] by process (sshd:17415) UID(6002) EUID(6002), parent (sshd:18758) UID(6002) EUID(6002)

In kernel, at this time, option "enforce chdir" is disabled

in this logs, he said "attempt to load writable library ", but the file acl is good no?

PostPosted: Mon Sep 30, 2002 9:29 pm
by saturne
i'll patch openssh for chroot (when there is /./ in passwd, user is in chroot cage). I think with acl, secure is the best, so is that necessary using the chroot'openssh, or only acl? I think it's another security