Role flag "G" problem

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Role flag "G" problem

Postby Dwokfur » Sun Nov 23, 2008 5:45 am

Since I've upgraded to a kernel based on 2.6.27 (currently 2.6.27.5 using grsec-2.1.12-2.6.27.5-200811071900), some error messages are logged every time I authenticate myself as root.
Code: Select all
Nov 23 10:09:44 hostname grsec: (root:U:/sbin/gradm) denied access to hidden file /root by /sbin/gradm[gradm:7187] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:7033] uid/euid:0/0 gid/egid:0/0

Role flag "G" is specified for root in order to make this user able to authenticate using gradm. Some directories - including boot - are hidden. No matter if I replace "h" to "hs" for role root, these messages still get logged. If I try to create a policy for gradm, grsec reports, that I've tried to modify an already existing instance - which is probably included because Role flag "G", but the exact contents are hidden.
This behavior appeared recently.

Did I miss something?
Any ideas on this are greatly appreciated.

Is it discouraged to authenticate using gradm while logged in as root?

Regards,
Dw.
Dwokfur
 
Posts: 99
Joined: Tue Jun 08, 2004 10:07 am

Re: Role flag "G" problem

Postby spender » Tue Nov 25, 2008 10:11 am

gradm creates a least privilege policy for itself. What I think may be happening here is you are authenticating while in your home directory (/root) and your libc for some reason is making gradm access the current working directory. You could confirm this by stracing as much as you can of gradm -a admin while being in the admin role. Did you do any libc upgrades at the same time as the kernel upgrade?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm


Return to grsecurity support

cron