/proc/$PID/maps accesses ?
Posted: Mon Sep 26, 2011 9:58 amI'm often getting denied errors like:
I also sometimes (but much rarer) see:
It happens on several users and on various commands, but not all the time. I have disabled most of the access on /proc on that group, and all /proc/$PID accesses.
Is that a sign of break-in attempts, or are those users just triggering some rarely used features? I though it was break-in, but looking at most of their directories couldn't find anything to imply that (except on one user which indeed had been php-broken), and then I found:
It is standard Debian Stable (apart from grsec kernel). Why should selinux (which is not used/enabled on the system, BTW) be opening /proc/filesystems, and even more why should libc be opening /proc/self/maps for programs like mv(1) and such? And how should that be handled in grsec policy? I could just deny them as I do currently (is there any downside? I could suppress messages if they are unimportant of course). Or do they serve some purpose? I'm not very comfortable with generally enabling access to /proc/$pid/maps to potentially hostile users unless there is a reason to do it.
(grsec there is currently 2.6.32.45-grsec20110828)
- Code: Select all
grsec: (users:G:/usr/bin/php5-cgi) denied open of /proc/22684/mounts for reading by /usr/bin/php5-cgi[php-cgi:22684] uid/euid:1356/1356 gid/egid:100/100, parent /usr/sbin/apache2[apache2:21604] uid/euid:33/33 gid/egid:33/33
grsec: (users:G:/usr/bin/php5-cgi) denied open of /proc/22684/mounts for reading by /usr/bin/php5-cgi[php-cgi:22684] uid/euid:1356/1356 gid/egid:100/100, parent /usr/sbin/apache2[apache2:21604] uid/euid:33/33 gid/egid:33/33
grsec: From 31.7.62.152: (users:G:/usr/bin/php5-cgi) denied open of /proc/23088/mounts for reading by /usr/bin/php5-cgi[php-cgi:23088] uid/euid:1356/1356 gid/egid:100/100, parent /usr/sbin/apache2[apache2:22995] uid/euid:33/33 gid/egid:33/33
grsec: From 31.7.62.152: (users:G:/usr/bin/php5-cgi) denied open of /proc/23088/mounts for reading by /usr/bin/php5-cgi[php-cgi:23088] uid/euid:1356/1356 gid/egid:100/100, parent /usr/sbin/apache2[apache2:22995] uid/euid:33/33 gid/egid:33/33
I also sometimes (but much rarer) see:
- Code: Select all
(users:G:/) denied open of /proc/filesystems for reading by /usr/bin/id[id:xxxx] uid/euid:1346/1346 gid/egid:100/100
(users:G:/) denied open of /proc/filesystems for reading by /usr/bin/id[id:xxxx] uid/euid:1321/1321 gid/egid:100/100,
It happens on several users and on various commands, but not all the time. I have disabled most of the access on /proc on that group, and all /proc/$PID accesses.
Is that a sign of break-in attempts, or are those users just triggering some rarely used features? I though it was break-in, but looking at most of their directories couldn't find anything to imply that (except on one user which indeed had been php-broken), and then I found:
- Code: Select all
% strings /lib/libc.so.6 | grep /maps
/proc/self/maps
% strings /lib/libselinux.so.1 | grep /filesystems
/proc/filesystems
It is standard Debian Stable (apart from grsec kernel). Why should selinux (which is not used/enabled on the system, BTW) be opening /proc/filesystems, and even more why should libc be opening /proc/self/maps for programs like mv(1) and such? And how should that be handled in grsec policy? I could just deny them as I do currently (is there any downside? I could suppress messages if they are unimportant of course). Or do they serve some purpose? I'm not very comfortable with generally enabling access to /proc/$pid/maps to potentially hostile users unless there is a reason to do it.
(grsec there is currently 2.6.32.45-grsec20110828)