grsecurity forums

Hi,

Firstly I wanted to congratulate you on a great piece of software. I've been running 1.9.4 on my FTP server since May with no problems whatsoever.

I'm currently setting up 1.9.7d on my WWW server, but there's something I don't understand:

I setup a least-privilege ACL for httpd as shown in the docs and started learning. But some of the file modes seem to be missing from the ACL. The docs indicate that this means no access should be granted to the file. I can see how it makes sense to have this for /, to create an inheritable default. But what about the others? Could you explain it to me?

/usr/sbin/httpd o {
829648 w # I assume this is an inode number (/var/run)
/var/www/html/vicorp.com/usage r
/var/www/html/vicorp.com/slides r
/var/www/html/vicorp.com/logos rx
/var/www/html/vicorp.com/img rx
/var/www/html/vicorp.com rx
/var/run/httpd.pid w
/var/run w
/var/log/httpd/ssl_scache.pag rw
/var/log/httpd/ssl_scache.dir rw
/var/log/httpd/ssl_request_log a
/var/log/httpd/ssl_mutex.3149 w
/var/log/httpd/ssl_mutex.22998 w
/var/log/httpd/ssl_engine_log a
/var/log/httpd/error_log a
/var/log/httpd/access_log a
/var/log/httpd rw
/usr/sbin/suexec # missing file mode
/usr/lib/php4/ldap.so rx
/usr/lib/perl5/site_perl/5.6.0 # missing file mode
/usr/lib/locale/en_GB.iso885915/LC_MESSAGES/SYS_LC_MESSAGES rx
/usr/lib/locale/en_GB.iso885915/LC_MESSAGES r
/usr/lib/locale/en_GB.iso885915 rx
/usr/lib rx
/usr/lib/apache/mod_vhost_al4/ldap.so # missing file mode
/usr/lib/apache rx
/proc/sys/kernel/version r
/lib rx
/lib/ld-2.2.5.so x
/lib/i686/libpthread-0.9.so rx
/lib/i686/libm-2.2.5.so rx
/lib/i686/libc-2.2.5.so rx
/etc/ld.so.cache rx
/etc/httpd/conf/ssl.key/server.key # missing file mode
/etc/httpd/conf/ssl.crt/server.crt # missing file mode
/etc/httpd/conf/srm.conf r
/etc/httpd/conf/httpd.conf r
/etc/httpd/conf/access.conf r
/etc/httpd # missing file mode
/etc r
/dev/null rw
/dev # missing file mode
/SYSV00000000 x
/usr/sbin/httpd x
/ # missing file mode
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_KILL
+CAP_SETGID
+CAP_SETUID
+CAP_NET_BIND_SERVICE
RES_FSIZE 2555531 2555531
RES_DATA 919312 919312
RES_STACK 17384 17384
RES_RSS 0 0
RES_NPROC 33 33
RES_NOFILE 25 20
RES_MEMLOCK 0 0
RES_AS 90624288 90624288
RES_LOCKS 3 3

connect {
disabled
}

bind {
0.0.0.0:80 stream tcp
0.0.0.0:443 stream tcp
}
}

Phil Skuse.

the number seems to be an error. probably two kernel logs came in at the same time and corrupted each other. As for objects without modes, all it means is that they are viewable, but you have no access to them other than stat and chdir.

-Brad

Thanks for the explanation. I have another question:

I want to hide /etc/shadow so that an intruder cannot read (and crack) the passwords. This is beacuse some users may use the same password on more than one machine.

So I put "/etc/shadow" in the root ACL and create

/bin/login {
/etc/shadow r
}

/usr/bin/passwd {
/etc/shadow rw
}

but that doesn't work, I get :
Nov 7 12:11:06 Tusker kernel: grsec: attempt to open /etc/shadow for reading by (login:9838) UID(0) EUID(0), parent (in.telnetd:13107) UID(0) EUID(0)
Nov 7 12:11:07 Tusker login(pam_unix)[9838]: check pass; user unknown
Nov 7 12:11:07 Tusker login(pam_unix)[9838]: authentication failure; logname= uid=0 euid=0 tty=pts/1 ruser= rhost=UKSparc01.vicorp.co.uk
Nov 7 12:11:10 Tusker login[9838]: FAILED LOGIN 1 FROM UKSparc01.vicorp.co.uk FOR skusep, Authentication failure

So I tried learning mode, but no entry for /etc/shadow appears in the ACL:

/bin/login o {
/var/spool/mail/skusep
/var/spool/mail
/var/run/utmp rw
/var/run/console/skusep rw
/var/run/console.lock w
/var/run/console
/var/run
/var/log/wtmp w
/var/log/lastlog rw
/usr/lib/libglib-1.2.so.0.0.10 rx
/usr/lib/libcrack.so.2.7 rx
/root
/proc/7718/fd/0
/proc/5569/fd/0
/proc/4359/fd/0
/proc/3975/fd/0
/proc/2862/fd/0
/proc/28361/fd/0
/proc/28004/fd/0
/proc/19589/fd/0
/proc/17671/fd/0
/proc/15046/fd/0
/proc/12283/fd/0
/proc
/lib/security rx
/lib rx
/lib/ld-2.2.5.so x
/lib/i686/libc-2.2.5.so rx
/home/skusep
/etc/security/pam_env.conf r
/etc/security/limits.conf r
/etc/security/console.perms r
/etc/pam.d/system-auth r
/etc/pam.d/other r
/etc/pam.d/login r
/etc/pam.d
/etc/ld.so.cache rx
/etc r
/dev/winradio
/dev/video/em8300_sp w
/dev/video/em8300_mv w
/dev/video/em8300_ma w
/dev/video/em8300 w
/dev/video r
/dev/vbi
/dev/usb/rio500 w
/dev/tty2 rw
/dev/tty1 rw
/dev/radio
/dev/pts/1 rw
/dev/pts/0 rw
/dev/log
/dev w
/bin/bash x
/bin/login x
/ h
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_FOWNER
+CAP_FSETID
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_TTY_CONFIG
RES_FSIZE 190544 190544
RES_DATA 414660 414660
RES_STACK 156648 156648
RES_RSS 0 0
RES_NPROC 25 25
RES_NOFILE 8 8
RES_MEMLOCK 0 0
RES_AS 4907296 4907296
RES_LOCKS 0 0

connect {
162.13.49.4:53 dgram udp
}

bind {
disabled
}

}

The generated ACL doesn't work, I still can't login.

So how can I hide /etc/shadow and still be able to login?

Phil Skuse.

there's no entry for /etc/shadow because it is contained in /etc, which has the mode "r". This was the result of an ACL reduction. The reason why your inherited ACLs didn't work was because you need to specify "o" in the mode if you want it to override an object of the same name in the parent. So it would look like:

/bin/login {
/etc/shadow ro
}

/usr/bin/passwd {
/etc/shadow rwo
}

i think you'll still find problems with your passwd acl though, as passwd needs to create files in /etc, so you have to give it write access to /etc.

/usr/bin/passwd {
/etc rwo
}

-Brad

OK that works. Now I finally understand that "o" thing.
Thanks