
hang with 2.6.23.14

Posted: Wed Mar 12, 2008 12:43 pm
by windo
Machine hangs with 2.6.23.14 when trying to attach to sshd (its subject flags are "dpo"). I would expect to get a not permitted error, as the root role has "uGT" flags and thus should not be able to ptrace random processes?

Code:
root      3821  0.0  0.0 37276 1784 ?        Ss   16:28   0:00 sshd: root [priv]
sshd      3822  0.0  0.0 20708 1392 ?        S    16:28   0:00 sshd: root [net]
root      3824  0.0  0.0  9836  932 pts/0    R+   16:28   0:00 ps aux
test:~# gdb -p 3822
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-linux".
Attaching to process 3822
ptrace: Operation not permitted.
/root/3822: No such file or directory.
(gdb)
test:~# gdb -p 3821
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-linux".
Attaching to process 3821


At this point the machine stops responding and I have to reboot it. The condition is reproducible.

Re: hang with 2.6.23.14

Posted: Wed Mar 12, 2008 2:46 pm
by cormander
I am able to reproduce this as well in kernel 2.6.24.3 patched with grsecurity. Not sure if it matters in this case, but I don't have any PAX enabled.

* enabled RBAC
* ran ps to find pid of sshd
* ran strace on the pid of sshd

Shell became unresponsive, couldn't create another ssh session, and the xen virtual terminal was unresponsive as well.

I reproduced this with gdb, and also again after a reboot with strace. From /var/log/messages:

Code:
Mar 12 14:37:24 localhost kernel: grsec: From 10.x.x.x: (default:D:/sbin/gradm) grsecurity 2.1.11 RBAC system loaded by /sbin/gradm[gradm:1890] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1603] uid/euid:0/0 gid/egid:0/0
Mar 12 14:37:26 localhost kernel: grsec: From 10.x.x.x: (default:D:/) exec of /bin/ps (ps aux ) by /bin/bash[bash:1891] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1603] uid/euid:0/0 gid/egid:0/0
Mar 12 14:37:36 localhost kernel: grsec: From 10.x.x.x: (default:D:/) exec of /usr/bin/strace (strace -fp 1542 ) by /bin/bash[bash:1892] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1603] uid/euid:0/0 gid/egid:0/0
Mar 12 14:38:37 localhost syslogd 1.4.1: restart.


The last line in this log is when I rebooted manually.

Re: hang with 2.6.23.14

Posted: Wed Mar 12, 2008 3:06 pm
by zakalwe
I am pretty sure that there is a problem with having 'd' in the subject flag for sshd. I have had several boxes on which sshd would not work for a long time now with that flag, and recently upgraded another box to glibc 2.6 from 2.3 and that machine now also exhibits the problem. The only thing that shows in the logs is:

Code:
fatal: openpty returns device for which ttyname fails
error: chown  0 0 failed: No such file or directory
error: chmod  0666 failed: No such file or directory


Other issues that have arisen with the new glibc (I think) are these messages:

Code:
grsec: From x.x.x.x: (root:U:/usr/sbin/sshd) use of CAP_NET_ADMIN denied for /usr/sbin/sshd[sshd:3536] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:26567] uid/euid:0/0 gid/egid:0/0
grsec: From x.x.x.x: (root:U:/usr/sbin/sshd) denied connect() to 0.0.0.0 port 22 sock type dgram protocol udp by /usr/sbin/sshd[sshd:3536] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:26567] uid/euid:0/0 gid/egid:0/0
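
Added example, not code from any poster or from the grsecurity project: a small parser for grsec log lines in the shape quoted in this thread, grouping denials per role and subject so missing policy entries are easy to spot. The field names `role`, `role_type` and `subject` are this example's own labels for the parenthesised triple, and the sample lines are copied from the posts in this thread.

```python
import re

# Sample input: log lines quoted in this thread (wrapped lines rejoined).
SAMPLE = """\
grsec: From x.x.x.x: (root:U:/usr/sbin/sshd) use of CAP_NET_ADMIN denied for /usr/sbin/sshd[sshd:3536] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:26567] uid/euid:0/0 gid/egid:0/0
grsec: From x.x.x.x: (root:U:/usr/sbin/sshd) denied connect() to 0.0.0.0 port 22 sock type dgram protocol udp by /usr/sbin/sshd[sshd:3536] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:26567] uid/euid:0/0 gid/egid:0/0
Mar 12 14:37:36 localhost kernel: grsec: From 10.x.x.x: (default:D:/) exec of /usr/bin/strace (strace -fp 1542 ) by /bin/bash[bash:1892] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1603] uid/euid:0/0 gid/egid:0/0
"""

# Assumption: the "(a:b:c)" triple is labelled role, role_type, subject here.
LINE = re.compile(
    r"grsec: (?:From (?P<src>\S+): )?"
    r"\((?P<role>[^:]+):(?P<role_type>[^:]+):(?P<subject>[^)]*)\) "
    r"(?P<event>.*?) (?:by|for) "
    r"(?P<exe>/\S*)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+)"
)
CAP = re.compile(r"use of (CAP_\w+) denied")
CONNECT = re.compile(
    r"denied connect\(\) to (\S+) port (\d+) sock type (\w+) protocol (\w+)")

def parse(line):
    """Return a dict for one grsec line, or None if it is not a grsec line."""
    m = LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    ev = rec["event"]
    if (c := CAP.search(ev)):
        rec["kind"], rec["detail"] = "cap_denied", c.group(1)
    elif (c := CONNECT.search(ev)):
        rec["kind"] = "connect_denied"
        rec["detail"] = "%s:%s/%s" % (c.group(1), c.group(2), c.group(4))
    elif "denied" in ev:
        rec["kind"], rec["detail"] = "other_denied", ev
    else:
        rec["kind"], rec["detail"] = "audit", ev  # e.g. exec logging
    return rec

def denials_by_subject(text):
    """Group denial details under (role, subject); audit lines are skipped."""
    out = {}
    for line in text.splitlines():
        rec = parse(line)
        if rec and rec["kind"].endswith("_denied"):
            key = (rec["role"], rec["subject"])
            out.setdefault(key, []).append((rec["kind"], rec["detail"]))
    return out
```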

Re: hang with 2.6.23.14

Posted: Wed Mar 12, 2008 6:03 pm
by spender
I'm looking into this problem now. I'll update you with what I find.

update: The problem (a recursive lock between a call to capable() within ptrace_attach) has been fixed and the 2.6 patch has been updated. Thanks for reporting this issue.

-Brad

Re: hang with 2.6.23.14

Posted: Thu Mar 13, 2008 4:18 am
by forsaken
Spender, looks like you didn't get the fix for the wrong CONFIG_PAX_NOEXEC and so on flags into grsecurity.h in the latest patch.

Re: hang with 2.6.23.14

Posted: Thu Mar 20, 2008 8:36 am
by voron
zakalwe wrote: I am pretty sure that there is a problem with having 'd' in the subject flag for sshd. I have had several boxes on which sshd would not work for a long time now with that flag, and recently upgraded another box to glibc 2.6 from 2.3 and that machine now also exhibits the problem. The only thing that shows in the logs is:

Code:
fatal: openpty returns device for which ttyname fails
error: chown  0 0 failed: No such file or directory
error: chmod  0666 failed: No such file or directory

Can't log in and got the same errors with 'h' in the subject flag for sshd.