writable libraries and compilation problems
Posted: Wed Oct 30, 2002 5:40 pm
Hi,
I've got a new problem now.
The problem is that users/root can't compile any programs that link against / use some
libraries of their own. I.e., if a user wants to compile some program in his home
directory which does some linking with its own libraries, it will fail because grsec denies it:
kernel: grsec: attempt to load writable library [03:01:531413] by (conftest:18963) UID(1002) EUID(1002), parent (configure:31212) UID(1002) EUID(1002)
kernel: grsec: attempt to load writable library [03:01:581604] by (ld-linux.so.2:24744) UID(1002) EUID(1002), parent (ldd:3948) UID(1002) EUID(1002)
etc. 531313 and 581604 are both in the user's home directory and came with the source code or
were created by it. It tried to link them, but grsec denied it because /home is (of course)
writable.
So is there a way to disable this? I couldn't find a kernel option, at least.
I don't think these kinds of checks are really necessary anyway.
/lib, /usr/lib, etc. should always be read-only anyway.
So there shouldn't be a problem when it's about system libraries?
Or maybe this should be changed so that it only applies to libs which are not
read-only and are owned by root, or something?
Thanks
- Tuomas Silen
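As an added example (mine, not the poster's and not grsecurity's code), a small Python triage script for log lines of the shape quoted in the post: it parses the [dev-major:dev-minor:inode] reference the kernel prints instead of a path, resolves it back to a file by walking the named mount point (/home in the post's case) without crossing into other filesystems, and reports the file's owner, mode and whether the logged EUID could write it under ordinary DAC permissions. Assumptions: the device numbers are printed as two hex digits each (for 03:01 the hex and decimal readings are identical), the sample log lines are constructed with made-up values, and the DAC check is only a triage hint, since the denial the log records is grsecurity's own decision, whose exact rule this script does not reimplement.

```python
"""Triage helper for grsecurity "attempt to load writable library" lines.
Added example, not grsecurity's code: the log names the library only as
[dev-major:dev-minor:inode], so this resolves that back to a path under a
mount point and reports owner, mode and a plain-DAC writability hint for
the logged EUID. The denial itself is grsecurity's decision, not ours."""
import os
import re
import stat
import sys
import tempfile
from dataclasses import dataclass

# Constructed sample in the post's format (values made up, not the poster's).
SAMPLE_LOG = """\
kernel: grsec: attempt to load writable library [03:01:531413] by (conftest:18963) UID(1002) EUID(1002), parent (configure:31212) UID(1002) EUID(1002)
kernel: grsec: attempt to load writable library [03:01:581604] by (ld-linux.so.2:24744) UID(1002) EUID(1002), parent (ldd:3948) UID(1002) EUID(1002)
kernel: some unrelated message that must be ignored
"""

# Assumption: device numbers are two hex digits each (kdevname() style);
# for 03:01 (hda1) the hex and decimal readings coincide anyway.
LINE_RE = re.compile(
    r"grsec: attempt to load writable library "
    r"\[(?P<major>[0-9a-fA-F]+):(?P<minor>[0-9a-fA-F]+):(?P<inode>\d+)\] "
    r"by \((?P<comm>.+?):(?P<pid>\d+)\) UID\(\d+\) EUID\((?P<euid>\d+)\), "
    r"parent \((?P<pcomm>.+?):(?P<ppid>\d+)\) UID\(\d+\) EUID\(\d+\)")

@dataclass(frozen=True)
class Event:
    major: int
    minor: int
    inode: int
    comm: str
    pid: int
    euid: int
    parent_comm: str
    parent_pid: int

def parse_log(text):
    """Return an Event for every writable-library denial found in `text`."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # some other kernel message
        events.append(Event(int(m["major"], 16), int(m["minor"], 16),
                            int(m["inode"]), m["comm"], int(m["pid"]),
                            int(m["euid"]), m["pcomm"], int(m["ppid"])))
    return events

def stat_or_none(path):
    """lstat that returns None instead of raising for vanished/unreadable entries."""
    try:
        return os.lstat(path)
    except OSError:
        return None

def find_by_inode(root, major, minor, inode):
    """Walk `root` on one filesystem only; return the path whose (device,
    inode) pair matches the log reference, or None if it is not there."""
    want_dev = os.makedev(major, minor)
    for dirpath, dirnames, filenames in os.walk(root):
        here = stat_or_none(dirpath)
        if here is None or here.st_dev != want_dev:
            dirnames[:] = []  # another filesystem is mounted here; do not descend
            continue
        for name in filenames:
            st = stat_or_none(os.path.join(dirpath, name))
            if st and st.st_dev == want_dev and st.st_ino == inode:
                return os.path.join(dirpath, name)
    return None

def dac_writable(st, uid, gids=()):
    """Plain DAC: could `uid` (member of `gids`) write this inode? Root always can."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def self_check():
    """Offline round trip: make a 0644 file, forge the log line its (dev, inode)
    would produce, resolve it back, and check the DAC verdict both ways."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "libfoo.so")
        with open(path, "wb") as f:
            f.write(b"\x7fELF")  # content is irrelevant to the lookup
        os.chmod(path, 0o644)
        st = os.lstat(path)
        line = ("kernel: grsec: attempt to load writable library [%02x:%02x:%d] by "
                "(a.out:1) UID(%d) EUID(%d), parent (sh:1) UID(0) EUID(0)"
                % (os.major(st.st_dev), os.minor(st.st_dev), st.st_ino,
                   st.st_uid, st.st_uid))
        (ev,) = parse_log(line)
        return (find_by_inode(root, ev.major, ev.minor, ev.inode) == path
                and dac_writable(st, ev.euid) and not dac_writable(st, ev.euid + 1))

if __name__ == "__main__":  # usage: writlib.py [mountpoint [logfile]]
    root = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_LOG
    for ev in parse_log(text):
        path = find_by_inode(root, ev.major, ev.minor, ev.inode) if root else None
        st = stat_or_none(path) if path else None
        verdict = ("owner=%d mode=%o dac_writable=%s"
                   % (st.st_uid, st.st_mode & 0o7777, dac_writable(st, ev.euid))) if st else ""
        print(ev.comm, ev.pid, "euid", ev.euid, path or "unresolved", verdict)
```

Run it as `python3 writlib.py /home /var/log/messages` on the affected box; with no arguments it only parses the embedded sample. Resolving an inode means walking the whole mount point, so point it at the smallest filesystem the major:minor pair identifies, and remember that a file is only ever found on the device the log names.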