snmpd has no /proc access

PostPosted: Wed Oct 01, 2008 7:46 am
by Funk
I'm running debian "etch" with kernel 2.6.25.10-1-grsec (package from kernelsec.cr0.org)
On this system a group "grsec_proc" with GID 112 exists. The user "snmp" is of course
added to this group. My snmpd runs with "... -u snmp ...". But unfortunately it has still
no access to the /proc tree. I'm getting syslog messages like

snmpd[4363]: cannot open /proc/net/snmp ...
snmpd[4363]: cannot open /proc/net/dev ...
snmpd[4363]: cannot open /proc/net/snmp ...

What am I doing wrong?

Thanks,
Lars

Re: snmpd has no /proc access

PostPosted: Tue Oct 07, 2008 9:28 pm
by cormander
CONFIG_GRKERNSEC_PROC_USER:

If you say Y here, non-root users will only be able to view their own processes, and restricts them from viewing network-related information, and viewing kernel symbol and module information.


This sets permissions on /proc/net to:

dr-x------ 5 root root 0 2008-10-07 19:25 /proc/net/


Running "chmod 755 /proc/net" worked for me. You just have to be sure to put it somewhere so it's run on every boot.

Re: snmpd has no /proc access

PostPosted: Thu Nov 06, 2008 2:31 pm
by BenC`
cormander wrote: Running "chmod 755 /proc/net" worked for me. You just have to be sure to put it somewhere so it's run on every boot.


Another workaround is to change snmpd's group using the ''-g'' flag. Under Debian it can be changed in /etc/default/snmpd:

Change

SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'

To:

SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g yourgrsecgroup -I -smux -p /var/run/snmpd.pid 127.0.0.1'


I don't know if it's better or not, but chmod-ing all my /proc/net bothers me a little.

Re: snmpd has no /proc access

PostPosted: Fri Nov 07, 2008 8:11 pm
by spender
I've received emails about similar problems with snmpd, even when run with the -g flag. Though the source seems correct, it may be the case that some distributions are shipping snmpd binaries where it's not properly setting the group (we've verified through /proc that the process still has 0 for its GID and no supplementary groups set). If you notice this as well, report it to your distribution.

-Brad

Re: snmpd has no /proc access

PostPosted: Fri Nov 07, 2008 8:39 pm
by BenC`
Under Debian having the snmp user in grsec group is not enough, and using the -g flag is necessary. I did not have the opportunity to check on other distributions.

With the -g flag set to the proper group, I have:
Gid:    112     112     112     112
Groups: 112


And unset:
Gid:    0       0       0       0
Groups: 0


We should have at least 112 in Groups, shouldn't we?

My /etc/group:
grsec:x:112:myuser,snmp

Re: snmpd has no /proc access

PostPosted: Mon Nov 17, 2008 6:10 am
by Funk
Sorry for the late answer...
Permissions on /proc/net/* are properly set and, as spender mentioned above,
running »snmpd« with '-g 112' doesn't work either:
,-----[cat /proc/<PID_OF_SNMPD>/status |grep '^[GU]id']
| Uid:    105     105     105     105
| Gid:    0       0       0       0
`-----

It really seems to be a problem with »snmpd« itself or Debian's distributed
version of it.

Lars
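The check BenC` and Funk run by hand above (reading the Gid: and Groups: lines of /proc/<pid>/status and seeing whether the grsec GID is there) as a small script. This is an added example, not code from the thread or from net-snmp; the sample status text is constructed from the values quoted in the posts, and the membership test mirrors the kernel's in_group_p() rule (filesystem gid or a supplementary group), which is what the thread's observations imply the grsecurity option keys on.

```python
import sys

# Constructed sample input: the two /proc/<pid>/status excerpts quoted in
# this thread (snmpd started with and without "-g 112"), plus a Name: line.
STATUS_WITH_G = "Name:\tsnmpd\nUid:\t105\t105\t105\t105\nGid:\t112\t112\t112\t112\nGroups:\t112 \n"
STATUS_WITHOUT_G = "Name:\tsnmpd\nUid:\t105\t105\t105\t105\nGid:\t0\t0\t0\t0\nGroups:\t0 \n"

GRSEC_PROC_GID = 112  # CONFIG_GRKERNSEC_PROC_GID on the poster's system


def parse_status(text):
    """Pick the credential lines out of /proc/<pid>/status.

    'uid' and 'gid' become 4-tuples (real, effective, saved, filesystem);
    'groups' becomes the list of supplementary GIDs (empty if none).
    """
    cred = {"uid": None, "gid": None, "groups": []}
    for line in text.splitlines():
        key, _, rest = line.partition(":")
        fields = rest.split()
        if key == "Uid":
            cred["uid"] = tuple(int(f) for f in fields)
        elif key == "Gid":
            cred["gid"] = tuple(int(f) for f in fields)
        elif key == "Groups":
            cred["groups"] = [int(f) for f in fields]
    return cred


def holds_proc_gid(cred, proc_gid):
    """in_group_p()-style test: filesystem gid or a supplementary group."""
    if cred["gid"] is None:
        return False
    return cred["gid"][3] == proc_gid or proc_gid in cred["groups"]


def diagnose(text, proc_gid=GRSEC_PROC_GID):
    """Explain why a daemon can or cannot read a gid-restricted /proc."""
    cred = parse_status(text)
    if holds_proc_gid(cred, proc_gid):
        return "ok: process holds gid %d" % proc_gid
    return ("no /proc access: fsgid=%d groups=%s, gid %d missing; start the "
            "daemon with -g %d or fix its setgroups() call"
            % (cred["gid"][3], cred["groups"], proc_gid, proc_gid))


if __name__ == "__main__":
    # Live use: python check_proc_gid.py <pid> [grsec_gid]
    pid = sys.argv[1]
    gid = int(sys.argv[2]) if len(sys.argv) > 2 else GRSEC_PROC_GID
    with open("/proc/%s/status" % pid) as f:
        print(diagnose(f.read(), gid))
```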

Re: snmpd has no /proc access

PostPosted: Mon Nov 17, 2008 10:07 am
by BenC`
I've made this little patch for the latest Debian Lenny snmpd version:

--- snmpd-orig/agent/snmpd.c        2007-07-19 23:01:43.000000000 +0200
+++ snmpd-patch/agent/snmpd.c       2008-11-17 15:02:04.000000000 +0100
@@ -960,7 +960,7 @@
         DEBUGMSGTL(("snmpd/main", "Changing gid to %d.\n", gid));
         if (setgid(gid) == -1
 #ifdef HAVE_SETGROUPS
-            || setgroups(1, (gid_t *)&gid) == -1
+            || initgroups(getpwuid(uid)->pw_name, gid) == -1
 #endif
             ) {
             snmp_log_perror("setgid failed");
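Review bot: the replacement `initgroups(getpwuid(uid)->pw_name, gid)` dereferences `getpwuid()` without a NULL check, so a -u given as a numeric id that is not in /etc/passwd crashes the agent at this line; store the result in a `struct passwd *` and fail with `snmp_log_perror` when it is NULL. Also confirm what `uid` holds at this point: the context at the end of the second hunk shows `uid` being fetched from the datastore only afterwards (`if ((uid = netsnmp_ds_get_int(...`), and if it is still 0 here the call becomes `initgroups("root", gid)`, which hands the daemon root's supplementary groups instead of dropping them as the old `setgroups(1, &gid)` did.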
@@ -970,6 +970,14 @@
             }
         }
     }
+    else if(initgroups(getpwuid(uid)->pw_name, getpwuid(uid)->pw_gid) == -1)
+    {
+      snmp_log_perror("initgroups failed");
+      if (!netsnmp_ds_get_boolean(NETSNMP_DS_APPLICATION_ID,
+    NETSNMP_DS_AGENT_NO_ROOT_ACCESS)) {
+          exit(1);
+      }
+    }
 #endif
 #ifdef HAVE_SETUID
     if ((uid = netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID,
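Review bot: the new `else if` branch only sets supplementary groups from `pw_gid` but never calls `setgid(pw_gid)`, so when -g is absent the process keeps gid 0 as its real/effective/filesystem gid while gaining the user's group list; add the `setgid()` next to it (and the same NULL check on `getpwuid()`, which is called twice here and should be cached once). As a style point the block uses 2-space indentation and a brace on its own line, unlike the surrounding 4-space K&R code, which will make the hunk harder to get accepted upstream.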


It's a quick & dirty patch, but it works.

Re: snmpd has no /proc access

PostPosted: Thu Dec 16, 2010 12:08 pm
by SoR
Hi! I'm using Debian lenny with 2.6.32.26 with the grsecurity patch. I've applied this patch for snmpd and I still don't have access to /proc/net/dev. Here is my grsecurity config for /proc restrictions:

CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=1001
CONFIG_GRKERNSEC_PROC_ADD=y


An snmp user is in group 1001 and I'm running snmpd with the -g 1001 option. Did somebody solve this problem?

Re: snmpd has no /proc access

PostPosted: Thu Dec 16, 2010 1:28 pm
by BenC`
If I'm correct, you're not supposed to enable both CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP in your configuration. I think that's the source of your problem (see viewtopic.php?p=6118#p6118).

By the way, my patch is not needed if you run snmpd with the -g option.