Hi!
I'm experiencing weird problems with ntpdate and iptables (probably others too, haven't yet tried out).
I've set -CAP_NET_ADMIN in the startup script and given iptables +CAP_NET_ADMIN in proc.acl. When ever I try to run iptables, I get this these errors:
kernel: attempt to mmap 97292 2065 executableby (iptables:874) UID(0) EUID(0), parent (bash:7130) UID(0) EUID(0)
kernel: attempt to mmap 32498 2065 executableby (iptables:874) UID(0) EUID(0), parent (bash:7130) UID(0) EUID(0)
kernel: signal 11 sent to (iptables:874) UID(0) EUID(0), parent (bash:7130) UID(0) EUID(0)
Segmentation fault
Actually it doesn't make any difference what I put in proc.acl for iptables. I've tried just blank /sbin/iptables { } and with +CAP_NET_ADMIN, always the same errors.
I'm not running PaX, but the Openwall protection is on. I also tried to compile the kernel without it, didn't help.
The same things happens with ntpdate, when I set -CAP_SYS_TIME. The problem occurs on two boxes!
Both programs work fine when I set their capabilities to +.
Oh, and I'm running grsec-1.9.4 and kernel 2.4.18.
Attempt to mmap problem
3 posts
• Page 1 of 1
Attempt to mmap problem
by sig » Fri Mar 29, 2002 12:40 pm
- sig
- Posts: 5
- Joined: Fri Mar 29, 2002 12:28 pm
Found out one way to solve it
by sig » Fri Mar 29, 2002 1:00 pm
Hmm, got it working by adding this to proc.acl for iptables:
/sbin/iptables {
/ rwx
+CAP_NET_ADMIN
}
The same thing worked for ntpdate.
/sbin/iptables {
/ rwx
+CAP_NET_ADMIN
}
The same thing worked for ntpdate.
- sig
- Posts: 5
- Joined: Fri Mar 29, 2002 12:28 pm
yes..
by spender » Sat Mar 30, 2002 1:50 am
you always need to give execute access to the program you're executing in your process acl. If you don't put anything inside the {} of your process acl, your program cannot access anything, and I'm almost certain you don't want that. Take a look at some of the examples in the acl development section of the forum.
- spender
- Posts: 2185
- Joined: Wed Feb 20, 2002 8:00 pm
3 posts
• Page 1 of 1