
chroot+grsec newbie question

PostPosted: Thu Oct 11, 2007 6:16 am
by Barton
I installed Debian etch, patched (grsec), compiled and installed a 2.6.22.9 kernel with the following settings:
orion:/usr/src/linux# cat .config | grep CONFIG_GRKERNSEC_
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y
# CONFIG_GRKERNSEC_KMEM is not set
# CONFIG_GRKERNSEC_IO is not set
# CONFIG_GRKERNSEC_PROC_MEMMAP is not set
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODSTOP=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=112
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
# CONFIG_GRKERNSEC_CHROOT_CHDIR is not set
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
# CONFIG_GRKERNSEC_RESLOG is not set
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
CONFIG_GRKERNSEC_EXECVE=y
# CONFIG_GRKERNSEC_SHM is not set
# CONFIG_GRKERNSEC_DMESG is not set
# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_RANDNET=y
# CONFIG_GRKERNSEC_SOCKET is not set
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
orion:/usr/src/linux# uname -a
Linux orion 2.6.22.9-grsec #3 SMP Mon Oct 8 14:19:33 CEST 2007 i686 GNU/Linux

Compiled and installed apache 2.2.6 + php 5.2.4 + openssl 0.9.8e + oracle instant client 10.2.0.3 in a chrooted environment. It is working! Tried to teach with gradm (latest) -F -L teaching.log. Did not help!

Now I have:

orion:/var/log# cat /etc/grsec/acl
role admin sA
subject / rvka
/ rwcdmlxi

role default
subject / {
/ h
-CAP_ALL
connect disabled
bind disabled
}

role root uG
role_transitions admin
role_allow_ip 0.0.0.0/32
role_allow_ip 10.131.115.2/32
subject / {
/ h
/dev h
/dev/initctl
/etc h
/etc/cron.d
/etc/crontab
/sbin h
/sbin/gradm x
/var h
/var/spool/cron/crontabs
-CAP_ALL
bind disabled
connect disabled
}

subject /sbin/dhclient3 o {
/ h
-CAP_ALL
bind disabled
connect 10.131.112.4/32:67 dgram udp
}

subject /usr/sbin/ntpd o {
/ h
-CAP_ALL
bind disabled
connect 10.131.0.4/32:123 dgram udp
}

role daemon u
role_allow_ip 10.131.115.2/32
subject / {
/ h
-CAP_ALL
bind disabled
connect disabled
}

subject /jail/httpd/usr/local/apache2/bin/httpd o {
/ h
/jail/httpd rxw
-CAP_ALL
bind 0.0.0.0/32:0 dgram ip
bind 127.0.0.1/32:0 dgram udp
connect 10.131.112.4/32:53 dgram udp
connect 10.131.1.15/32:1521 stream tcp
}

When I turn on grsecurity with gradm it just produces the following errors:

Oct 11 12:14:36 orion kernel: [ 4827.130479] grsec: (default:D:/) denied open of /jail/httpd/usr/local/apache2/logs/php_error.log for appending by /jail/httpd/usr/local/apache2/bin/httpd[httpd:5201] uid/euid:1/1 gid/egid:0/0, parent /jail/httpd/usr/local/apache2/bin/httpd[httpd:5196] uid/euid:0/0 gid/egid:0/0
Oct 11 12:14:36 orion kernel: [ 4827.140998] grsec: (default:D:/) denied executable mmap of /jail/httpd/lib/tls/i686/cmov/libnss_dns.so.2 by /jail/httpd/usr/local/apache2/bin/httpd[httpd:5201] uid/euid:1/1 gid/egid:0/0, parent /jail/httpd/usr/local/apache2/bin/httpd[httpd:5196] uid/euid:0/0 gid/egid:0/0
Oct 11 12:14:36 orion kernel: [ 4827.150670] grsec: (default:D:/) denied open of /jail/httpd/usr/local/apache2/logs/php_error.log for appending by /jail/httpd/usr/local/apache2/bin/httpd[httpd:5201] uid/euid:1/1 gid/egid:0/0, parent /jail/httpd/usr/local/apache2/bin/httpd[httpd:5196] uid/euid:0/0 gid/egid:0/0
Oct 11 12:14:36 orion kernel: [ 4827.150761] grsec: (default:D:/) denied open of /jail/httpd/usr/local/apache2/logs/php_error.log for appending by /jail/httpd/usr/local/apache2/bin/httpd[httpd:5201] uid/euid:1/1 gid/egid:0/0, parent /jail/httpd/usr/local/apache2/bin/httpd[httpd:5196] uid/euid:0/0 gid/egid:0/0

I think the problem is connected with the FS rights ...

orion:/jail/httpd/usr/local/apache2/logs# ls -la
total 84
drwxrwxrwt 2 root root 120 2007-10-11 12:14 .
drwxrwxrwt 13 root root 153 2007-10-10 08:54 ..
-rw-r--r-- 1 root root 3660 2007-10-11 12:17 access_log
-rw-r--r-- 1 root root 310 2007-10-11 12:14 apache_error_log
-rw-r--r-- 1 root root 13197 2007-10-11 12:14 error_log
-rw-r--r-- 1 root root 5 2007-10-11 12:14 httpd.pid
-rw-r--r-- 1 daemon daemon 1764 2007-10-11 12:16 php_error.log
-rw-r--r-- 1 root root 3936 2007-10-11 12:17 ssl_request_log

orion:/jail/httpd/usr/local/apache2/logs# ps -ef | grep http
root 4226 1 0 10:55 ? 00:00:00 /sbin/syslogd -a /jail/httpd/dev/log
root 5196 1 0 12:14 ? 00:00:00 /usr/local/apache2/bin/httpd
daemon 5197 5196 0 12:14 ? 00:00:00 /usr/local/apache2/bin/httpd
daemon 5198 5196 0 12:14 ? 00:00:00 /usr/local/apache2/bin/httpd
daemon 5199 5196 0 12:14 ? 00:00:00 /usr/local/apache2/bin/httpd
daemon 5200 5196 0 12:14 ? 00:00:00 /usr/local/apache2/bin/httpd
daemon 5201 5196 0 12:14 ? 00:00:00 /usr/local/apache2/bin/httpd
daemon 5202 5196 0 12:14 ? 00:00:00 /usr/local/apache2/bin/httpd
daemon 5240 5196 0 12:17 ? 00:00:00 /usr/local/apache2/bin/httpd

Would someone be so kind as to help me!

PostPosted: Thu Oct 11, 2007 8:23 pm
by spender
When you enabled learning, did you enable it at the same point at which you enabled the new policy based on learning? Meaning, at each time (whether learning was being enabled, or the real policy) was apache in the same state?

I notice that the denied logs are against uid 1, but your policy only has a role for root, which is why it's getting stuck with the default role. If you can mail me your (compressed) learning log, I can find out if it's a problem with grsecurity, or if it was the above problem with learning.

-Brad

PostPosted: Fri Oct 12, 2007 3:01 am
by Barton
Thank you for your answer!
I was a little bit confused by the quickstart guide!

Now I put all my "new" settings into the /etc/grsec/policy file and it seems to be OK!

Like this:

role daemon u
subject / o {
/ h

-CAP_ALL

bind disabled
connect disabled
}

subject /jail/httpd/usr/local/apache2/bin/httpd dpo {
/ h

/jail/httpd/
/jail/httpd/dev/log rw
/jail/httpd/dev/urandom r
/jail/httpd/etc r
/jail/httpd/tmp rwcd
/jail/httpd/lib rx
/jail/httpd/usr/lib rx
/jail/httpd/usr/local
/jail/httpd/usr/local/apache2 r
/jail/httpd/usr/local/apache2/cgi-bin rx
/jail/httpd/usr/local/lib r
/jail/httpd/usr/local/apache2/logs rwcd
/jail/httpd/usr/local/apache2/sessions rwcd
-CAP_ALL
}

I have to modify the default settings in order to be as paranoid as it can be!

Anyway, thanks again! :wink: