
java and chroot problem

Posted: Mon Apr 07, 2003 9:29 am
by lroma
Hi all!

After installing Red Hat's latest glibc update (2.3.2-4.80) for Red Hat Linux 8.0 I'm unable to run my tomcat server in a chrooted jail. The problem is that java does not work chrooted anymore (signal 11...) :(
I've tried with grsec 1.9.8 and 1.9.9f (with the appropriate versions of chpax.c)

Help me!
Thanks
lele

Posted: Mon Apr 07, 2003 11:44 am
by spender
Do you see any chroot-related logs from grsecurity? Can you paste the configuration you have for the chroot options?

-Brad

Posted: Mon Apr 07, 2003 12:32 pm
by lroma
I've "chpaxed" /chroot/tomcat/java/bin/java with options -msrp and
when I try as root (grsec-1.9.9f and chpax of 2003-04-01):
chroot /chroot/tomcat /java/bin/java
I get this on logs

kernel: grsec: From 172.16.100.14: signal 11 sent to (java:11483) UID(0) EUID(0), parent (bash:11408) UID(0) EUID(0)
kernel: grsec: From 172.16.100.14: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by (java:11483) UID(0) EUID(0), parent (bash:11408) UID(0) EUID(0)

and "Segmentation fault" on my ssh console.

I'm using sysctl and now ALL things in /proc/.../grsecurity related to chroot are set to zero.

Thanks,
lele

strace

Posted: Tue Apr 08, 2003 6:04 am
by lroma
If it may help, this is the output of:
strace -v chroot /chroot/tomcat /java/bin/java
....
_sysctl({{CTL_KERN, KERN_VERSION}, 2, 0xbfffe4cc, 35, (nil), 0}) = 0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

lele

Posted: Tue Apr 08, 2003 9:02 am
by spender
Can you try a clean 2.4.20 kernel? If you disabled all the chroot options via sysctl, there won't be any of grsec's chroot restrictions running. I'm not 100% convinced this is the result of grsecurity, additionally due to there being no logs from grsec. java runs fine when it's not chrooted?

-Brad

Posted: Tue Apr 08, 2003 9:33 am
by lroma
Yes!! You convinced me to try another way...
I copied ALL /lib to /chroot/tomcat/lib and now it works!!
I would like to know what has changed between the two versions such that other libs are now required... (I will inquire, any suggestions?)
Sorry for the waste of your time :(

Thanks a lot!
lele

Posted: Tue Apr 08, 2003 9:37 am
by spender
It's always good when setting up a chroot for an app to run ldd on the app to make sure you have all the required libraries. Otherwise you'll run into the problem you had.

-Brad
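
An added example (not part of the original thread) of the ldd check suggested in the last post: a POSIX shell helper that lists the libraries a binary inside the jail links against and reports any that are absent under the jail root. The function names are hypothetical; the jail and binary paths in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: report shared libraries a chrooted binary needs
# that are missing from the jail. Function names are hypothetical.

# Extract absolute library paths from ldd output on stdin.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and
# "/lib/ld-linux.so.2 (0x...)"; lines without a path (virtual DSOs,
# "not found") are skipped here.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    '
}

# Names the dynamic linker could not resolve even outside the jail.
ldd_unresolved() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Print every path read from stdin that does not exist under jail root $1.
missing_in_jail() {
    jail=$1
    while IFS= read -r lib; do
        [ -e "$jail$lib" ] || printf '%s\n' "$lib"
    done
}

# check_jail JAIL BINARY: BINARY is the path as seen from inside the jail.
# Returns 0 only when every linked library is present in the jail.
# Run ldd only on binaries you trust: it may execute code from the file.
check_jail() {
    jail=$1 bin=$2
    out=$(ldd "$jail$bin") || return 2
    missing=$(printf '%s\n' "$out" | ldd_paths | missing_in_jail "$jail")
    unresolved=$(printf '%s\n' "$out" | ldd_unresolved)
    [ -z "$missing" ] || printf 'missing in jail: %s\n' $missing
    [ -z "$unresolved" ] || printf 'unresolved: %s\n' $unresolved
    [ -z "$missing$unresolved" ]
}

# Usage with the paths from this thread:
#   check_jail /chroot/tomcat /java/bin/java
```

ldd reports only link-time dependencies; libraries a program loads at run time with dlopen() do not appear in its output and have to be checked separately.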