
grsec denies coldfusion

Posted: Thu Oct 21, 2010 10:33 am
by xfrogman5
I have a clean install of coldfusion 8 and Atomic Secured Linux on CentOS 5.5. grsec is stopping the app from running. ASL hasn't been any help, so any recommendation would be very helpful.

kernel: grsec: denied untrusted exec of /opt/coldfusion8/runtime/bin/coldfusion8 by /usr/bin/nohup[nohup:2877] uid/euid:99/99 gid/egid:99/99, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

I've tested installations of CF using the standard 'nobody' user and with a user I created w/out login rights and get the same result. I've also booted with /proc/sys/kernel/grsecurity/tpe set to 0 as well as /proc/sys/kernel/pax/softmode set to 1.

Re: grsec denies coldfusion

Posted: Thu Oct 21, 2010 11:13 am
by spender
What's your /proc/sys/kernel/grsecurity/tpe_restrict_all set to?

-Brad

Re: grsec denies coldfusion

Posted: Thu Oct 21, 2010 12:48 pm
by xfrogman5
For testing purposes, I set tpe and tpe_restrict_all to 0 and pax/softmode to 1. With these settings grsec still stops coldfusion from starting.

Re: grsec denies coldfusion

Posted: Thu Oct 21, 2010 1:58 pm
by spender
I just looked at the code again. If you have /proc/sys/kernel/grsecurity/tpe set to 0, and based on the log messages you provided, you shouldn't be seeing the "denied untrusted exec" messages. Are you getting a different error message now? Also, what version is this kernel? Do you happen to know which upstream grsecurity patch was used to create it?

-Brad

Re: grsec denies coldfusion

Posted: Thu Oct 21, 2010 4:02 pm
by xfrogman5
[root@www ~]# cat /proc/sys/kernel/grsecurity/tpe
0
[root@www ~]# cat /proc/sys/kernel/grsecurity/tpe_restrict_all
0

[root@www ~]# yum list installed gradm
gradm.x86_64 2.2.0-6.el5.art installed

Kernel - 2.6.32.21-3.art.x86_64. This is provided by Atomicorp.com's repo.

/var/log/messages has this error after reboot:
Oct 21 15:58:20 vendorsolutions kernel: grsec: denied untrusted exec of /opt/jrun4/bin/jrun by /bin/bash[sh:3145] uid/euid:500/500 gid/egid:500/500, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

BUT...I just successfully started it after logging in: /etc/init.d/coldfusionmulti start

It must be something in the boot order.

I hate having tpe set to 0. Is there a granular way to figure out what grsec doesn't like about coldfusion besides just turning off tpe? That way I can at least have it running for everything else?

Re: grsec denies coldfusion

Posted: Thu Oct 21, 2010 5:17 pm
by spender
Your kernel must enable the options automatically and require them to be disabled at boot-time. Since you're getting the errors upon reboot, the script that turns off TPE is being run too late in the boot process. The reason why TPE is denying these executions is because the users doing the executing aren't in the "trusted" group (specified by the tpe_gid sysctl) and /opt/jrun4/bin and /opt/coldfusion8/runtime/bin aren't owned by root.

Likely the easiest way to fix this without disabling TPE is to change the ownership of those two directories to root.

-Brad
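
An added example, not part of the thread and not grsecurity's or Atomicorp's code: a shell check that pulls the directories of the denied binaries out of the log lines quoted above and reports whether each one passes the ownership test described in the last reply. The function names are hypothetical, `stat -c` assumes GNU coreutils, and the group/world-writable test reflects grsecurity's documented TPE rule rather than anything stated in the thread.

```shell
#!/bin/sh
# Audit the directories named in grsec "denied untrusted exec" messages.

# Log lines copied from the thread above.
SAMPLE_LOG='kernel: grsec: denied untrusted exec of /opt/coldfusion8/runtime/bin/coldfusion8 by /usr/bin/nohup[nohup:2877] uid/euid:99/99 gid/egid:99/99, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Oct 21 15:58:20 vendorsolutions kernel: grsec: denied untrusted exec of /opt/jrun4/bin/jrun by /bin/bash[sh:3145] uid/euid:500/500 gid/egid:500/500, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0'

# Read log text on stdin, print the parent directory of every denied binary.
# Paths containing spaces are not handled.
denied_dirs() {
    sed -n 's|.*grsec: denied untrusted exec of \(/[^ ]*\)/[^ /]* by .*|\1|p' | sort -u
}

# TPE trusts a directory only if root owns it and nobody else can write to it.
# $1 = owner uid, $2 = octal mode as printed by `stat -c %a`.
tpe_dir_verdict() {
    if [ "$1" -ne 0 ]; then
        echo "untrusted: owner uid $1 is not root"
    elif [ $(( 0$2 & 022 )) -ne 0 ]; then
        echo "untrusted: group- or world-writable (mode $2)"
    else
        echo "trusted"
    fi
}

# Read log text on stdin and print one verdict per directory.
audit_log() {
    denied_dirs | while read -r dir; do
        if [ -d "$dir" ]; then
            # %u = numeric owner uid, %a = octal permission bits.
            set -- $(stat -c '%u %a' "$dir")
            echo "$dir: $(tpe_dir_verdict "$1" "$2")"
        else
            echo "$dir: not present on this host"
        fi
    done
}

# Demo on the sample lines; on the affected server use:
#   audit_log < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | audit_log
```

Any directory reported as untrusted is one TPE will keep blocking for users outside the trusted group, so the output shows where the ownership change suggested above is still needed.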