
grsec ACL problems

PostPosted: Thu Jan 09, 2003 3:33 pm
by ether
Hello!
I am having some issues with grsec and MySQL.

Here is what happens when I try to create a database:
# mysqladmin -p create tester
Enter password:
mysqladmin: CREATE DATABASE failed; error: 'Can't create database 'tester'. (errno: 13)'

The console log reports:
grsec: attempt to mkdir ./tester by (mysqld:11655) UID(27) EUID(27). parent (mysqld:8161) UID(27) EUID(27)

I have tried several different ACL configurations. Here is the one I am currently testing with:

/usr/local/mysql/bin/mysqld {
    / r
    /usr rwx
    /usr/local/mysql rwx
}
/usr/local/mysql/bin/mysqladmin {
    / r
    /usr rwx
    /usr/local/mysql rwx
}

I've tried learning mode with no success. Any help would be greatly appreciated!

Thanks
-Michael

PostPosted: Fri Jan 10, 2003 9:15 am
by spender
what problems were you having with the learning mode?

-Brad

PostPosted: Fri Jan 10, 2003 3:36 pm
by ether
Even when grsec was in learning mode for the various MySQL binaries, I would still receive the same errors as described in my first post:

mysqladmin: CREATE DATABASE failed; error: 'Can't create database 'tester'. (errno: 13)'

PostPosted: Fri Jan 10, 2003 4:17 pm
by spender
could you paste what your ACLs look like with learning mode enabled? Could you also paste some of the learning mode logs? Where are your mysql dbs stored?

-Brad


PostPosted: Fri Jan 10, 2003 6:54 pm
by ether
The databases are located in /usr/local/mysql/var/

Here are the ACLs (Same ACLs apply for mysql and mysqladmin):

/usr/local/mysql/bin/mysqld lo {
    / h
    -CAP_ALL
    RES_FSIZE 0 0
    RES_DATA 0 0
    RES_RSS 0 0
    RES_NOFILE 0 0
    RES_MEMLOCK 0 0
    RES_STACK 0 0
    RES_AS 0 0
    RES_NPROC 0 0
    RES_LOCKS 0 0
    connect {
        disabled
    }
    bind {
        disabled
    }
}

Here are the LEARN logs from /var/log/messages:

Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669660:/lib/ld-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669660:/lib/ld-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669660:/lib/ld-2.2.5.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1540250:/usr/local/mysql/lib/mysql/libmysqlclient.so.10.0.0:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1540250:/usr/local/mysql/lib/mysql/libmysqlclient.so.10.0.0:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1540250:/usr/local/mysql/lib/mysql/libmysqlclient.so.10.0.0:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1540250:/usr/local/mysql/lib/mysql/libmysqlclient.so.10.0.0:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1081251:/etc/ld.so.cache:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1081251:/etc/ld.so.cache:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1081251:/etc/ld.so.cache:8
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:622413:/usr/lib/libz.so.1.1.4:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:622413:/usr/lib/libz.so.1.1.4:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:622413:/usr/lib/libz.so.1.1.4:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:622413:/usr/lib/libz.so.1.1.4:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669664:/lib/libcrypt-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669664:/lib/libcrypt-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669664:/lib/libcrypt-2.2.5.so:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669664:/lib/libcrypt-2.2.5.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669671:/lib/libnsl-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669671:/lib/libnsl-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669671:/lib/libnsl-2.2.5.so:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669671:/lib/libnsl-2.2.5.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669669:/lib/libm-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669669:/lib/libm-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669669:/lib/libm-2.2.5.so:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669669:/lib/libm-2.2.5.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669663:/lib/libc-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669663:/lib/libc-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669663:/lib/libc-2.2.5.so:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669663:/lib/libc-2.2.5.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1080312:/etc/nsswitch.conf:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1080312:/etc/nsswitch.conf:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1081251:/etc/ld.so.cache:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1081251:/etc/ld.so.cache:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1081251:/etc/ld.so.cache:8
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669673:/lib/libnss_db-2.2.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669673:/lib/libnss_db-2.2.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669673:/lib/libnss_db-2.2.so:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669673:/lib/libnss_db-2.2.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669675:/lib/libnss_files-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669675:/lib/libnss_files-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669675:/lib/libnss_files-2.2.5.so:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669675:/lib/libnss_files-2.2.5.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669665:/lib/libdb-3.1.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669665:/lib/libdb-3.1.so:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669665:/lib/libdb-3.1.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1080315:/etc/services:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1080315:/etc/services:1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:25576:25576::3
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1080326:/etc/my.cnf:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1080326:/etc/my.cnf:1
Jan 10 17:54:30 ethericmist kernel: grsec: From 192.168.0.6: LEARN:2052:427217:0:0::1
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:392833:/dev:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:393060:/dev/tty:5
Jan 10 17:54:31 ethericmist kernel: grsec: LEARN:2052:427217:2052:949682:/tmp/mysql.sock:16
Jan 10 17:54:31 ethericmist kernel: grsec: LEARN:2052:427217:2052:949682:/tmp/mysql.sock:5
Jan 10 17:54:31 ethericmist kernel: grsec: LEARN:2052:427217:2052:2194964:/usr/local/mysql/share/mysql/charsets/Index:16
Jan 10 17:54:31 ethericmist kernel: grsec: LEARN:2052:427217:2052:2194964:/usr/local/mysql/share/mysql/charsets/Index:1

Thanks!
-Michael

PostPosted: Sat Jan 11, 2003 9:14 am
by spender
it doesn't look like you're using 1.9.8. Try using 1.9.8 with gradm 1.6.

-Brad

PostPosted: Sat Jan 11, 2003 4:11 pm
by ether
I'm using grsec 1.9.8 (kernel 2.4.20) and gradm 1.6. Perhaps I should try the rc development patch?

PostPosted: Sat Jan 11, 2003 4:12 pm
by ether
By the way, I have grsec compiled into the kernel under 'HIGH' security. I'm not sure if this makes a difference but thought it would be worth noting.

PostPosted: Sat Jan 11, 2003 5:21 pm
by spender
you can't be using 1.9.8 stable, because you wouldn't have

Jan 10 17:54:30 ethericmist kernel: grsec: From 192.168.0.6: LEARN:2052:427217:0:0::1

in your logs. This was fixed some time before the final release of 1.9.8. Check your kernel to make sure. You may want to take a clean kernel and repatch it with the 1.9.8 stable release. You don't have anything else patched in as well do you?

-Brad
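
Reading a raw LEARN dump like the one posted above is tedious because every library shows up several times with different numeric modes, and the one line that matters here (the "From 192.168.0.6:" prefixed record Brad points at) is easy to miss. The script below is an added example written for this page; it is not part of the thread, nor of gradm. It collapses the LEARN lines into one row per path, honours syslog's "last message repeated N times", and flags two things a reviewer would want to see: records carrying a "From <ip>:" prefix and records with an empty path. The page does not document what the four numeric fields after LEARN mean, so the script carries them through without interpreting them; it treats the trailing number as a bitmask and ORs it per path, which is an assumption made here for readability, not something the thread states. The sample log embedded in the block is a constructed subset of the lines quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the LEARN lines quoted in the post above,
# including a syslog repeat marker, an empty-path record and the
# "From <ip>:" prefixed record Brad identifies as pre-1.9.8-stable behaviour.
SAMPLE_LOG = """\
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669660:/lib/ld-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669660:/lib/ld-2.2.5.so:16
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:2052:1669660:/lib/ld-2.2.5.so:8
Jan 10 17:54:30 ethericmist last message repeated 2 times
Jan 10 17:54:30 ethericmist kernel: grsec: LEARN:2052:427217:25576:25576::3
Jan 10 17:54:30 ethericmist kernel: grsec: From 192.168.0.6: LEARN:2052:427217:0:0::1
Jan 10 17:54:31 ethericmist kernel: grsec: LEARN:2052:427217:2052:949682:/tmp/mysql.sock:16
Jan 10 17:54:31 ethericmist kernel: grsec: LEARN:2052:427217:2052:949682:/tmp/mysql.sock:5
"""

# Field names a..d are placeholders: the page does not say what the four
# numeric fields after LEARN mean, so they are captured but not interpreted.
LEARN_RE = re.compile(
    r"grsec: (?:From (?P<ip>[0-9.]+): )?LEARN:"
    r"(?P<a>\d+):(?P<b>\d+):(?P<c>\d+):(?P<d>\d+):(?P<path>.*):(?P<mode>\d+)$"
)
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times$")


def parse_learn_log(text):
    """Collapse LEARN lines into one summary per path.

    Returns (summary, anomalies):
      summary   -> {path: {"count": int, "modes": set, "mode_mask": int}}
      anomalies -> list of (reason, raw_line) a reviewer should look at
    The trailing number is ORed into mode_mask on the assumption that it is
    a bitmask; individual bit meanings are not given on the page.
    """
    summary = defaultdict(lambda: {"count": 0, "modes": set(), "mode_mask": 0})
    anomalies = []
    last_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        rep = REPEAT_RE.search(line)
        if rep:
            # syslog collapsed N identical copies of the previous record
            if last_path is not None:
                summary[last_path]["count"] += int(rep.group("n"))
            continue
        m = LEARN_RE.search(line)
        if not m:
            continue  # some other kernel/grsec message; not a LEARN record
        path = m.group("path")
        mode = int(m.group("mode"))
        if m.group("ip"):
            anomalies.append(("remote-prefixed LEARN line", line))
        if path == "":
            anomalies.append(("LEARN record with empty path", line))
        entry = summary[path]
        entry["count"] += 1
        entry["modes"].add(mode)
        entry["mode_mask"] |= mode
        last_path = path
    return dict(summary), anomalies


def format_summary(summary):
    """Render the per-path summary as fixed-width text lines, sorted by path."""
    rows = []
    for path in sorted(summary):
        e = summary[path]
        modes = ",".join(str(m) for m in sorted(e["modes"]))
        rows.append(f"{path or '<empty>':50} count={e['count']:<4} "
                    f"modes={modes:10} mask={e['mode_mask']}")
    return rows


if __name__ == "__main__":
    summary, anomalies = parse_learn_log(SAMPLE_LOG)
    print("\n".join(format_summary(summary)))
    for reason, line in anomalies:
        print(f"ANOMALY ({reason}): {line}")
```

Run it against a real /var/log/messages extract instead of SAMPLE_LOG to get one line per path with the combined mode value, which is much closer to the shape of an ACL stanza than the raw dump; any "remote-prefixed LEARN line" anomaly is the signal Brad uses in the reply above to conclude the running kernel is not the 1.9.8 stable patch.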

PostPosted: Sat Jan 11, 2003 10:17 pm
by ether
The only other patches in the kernel are the netfilter patch-o-matic patches. I wouldn't think these would interfere with grsec. Does this make a difference?

PostPosted: Sun Jan 12, 2003 5:47 pm
by ether
I redownloaded the grsec-1.9.8 stable patch and patched a fresh kernel source. The only other patches I applied are the new (01-07-2003) netfilter patch-o-matic patches. I rebooted to the new kernel and tested things out again. I am still having the same problems as I listed earlier.

PostPosted: Mon Jan 13, 2003 1:03 am
by spender
could you paste the learning logs generated with this kernel?

-Brad