Strange: no mmap binary as a user, but allowed as a root.

Posted: Thu Apr 11, 2002 2:37 pm
by olli
Hello.

It seems you've a broken or empty www page describing the mailing lists at grsecurity.net.
At least that's how it looks from the Netscape Communicator 4.78 browser.
I'm experiencing problems w/ gpg - it segmentation faults & in the log I see that grsecurity
doesn't allow it to run, since it tries to mmap an executable. I've downloaded chpax & removed all
possible restrictions from the gpg binary. This doesn't help. But running gpg as root does help. When I'm
executing as root I finish OK. Could you comment on this? I often use gpg as an ordinary user to encrypt my personal data. Since this appears to be quite an ugly situation - I need to reboot to an
unprotected kernel each time I need to use gpg or run my MUA that is also capable of using gpg as root. :(
Can I do something w/ this? I'm running a custom-configured kernel 2.4.18 with a custom security level &
also with the international crypto patch (test version for 2.2.18). I've enabled almost everything but network protection within the grsecurity options. Could you comment on this? :-?

Re: Strange: no mmap binary as a user, but allowed as a root

Posted: Fri Apr 12, 2002 4:14 am
by PaX Team
olli wrote:
    I'm experiencing problems w/ gpg - it segmentation faults & in the log I see that grsecurity
    doesn't allow it to run, since it tries to mmap an executable. I've downloaded chpax & removed all
    possible restrictions from the gpg binary. This doesn't help. But running gpg as root does help.

Can you post here the exact logs produced by grsecurity/PaX? Also, if you could strace gpg (only mmap()/mprotect() should suffice) in both situations I'd appreciate it (if too big, just email us).

hrmm

Posted: Fri Apr 12, 2002 4:33 pm
by spender
Also check to make sure that you weren't running that program as an untrusted group. TPE won't allow you to run programs that mmap other executables. Perhaps for 1.9.5 I'll have it do checks on the file they're trying to mmap, and allow it if it would be allowed normally.

-Brad

Re: Strange: no mmap binary as a user, but allowed as a root

Posted: Sat Apr 13, 2002 12:03 pm
by olli
PaX Team wrote:
    olli wrote:
        I'm experiencing problems w/ gpg - it segmentation faults & in the log I see that grsecurity
        doesn't allow it to run, since it tries to mmap an executable. I've downloaded chpax & removed all
        possible restrictions from the gpg binary. This doesn't help. But running gpg as root does help.

    Can you post here the exact logs produced by grsecurity/PaX? Also, if you could strace gpg (only mmap()/mprotect() should suffice) in both situations I'd appreciate it (if too big, just email us).

Apr 13 19:38:25 sky kernel: grsec: exec of [03:0c:157666] (gpg ) by (bash:1238) UID(500) EUID(500), parent (bash:28644) UID(500) EUID(500)
Apr 13 19:38:25 sky kernel: denied exec of gpg by (gpg:1238) UID(500) EUID(500), parent (bash:28644) UID(500) EUID(500) reason: tried to mmap binary
Apr 13 19:38:25 sky kernel: signal 11 sent to (gpg:1238) UID(500) EUID(500), parent (bash:28644) UID(500) EUID(500)

Debuggers are not installed by default on my SOHO Linux system. If the problem isn't solved soon I'll install one & post the strace output. BTW, it'd be easier for me if you'd show w/
which options I should trace to get only the mmap/mprotect-related lines..

Re: hrmm

Posted: Sat Apr 13, 2002 12:14 pm
by olli
spender wrote:
    Also check to make sure that you weren't running that program as an untrusted group. TPE won't allow you to run programs that mmap other executables. Perhaps for 1.9.5 I'll have it do checks on the file they're trying to mmap, and allow it if it would be allowed normally.

#grep olli /etc/passwd
olli:x:500:10:olli:/home/olli:/bin/bash
/etc 0 jobs root@sky
#grep olli /etc/group
wheel:x:10:root,olli
olli:x:501:

In the group specification in the kernel I have gid=10 as a special group able to view all processes & so on; I also have this group in the ptrace-ability list. The untrusted/restricted group is 510 (the same for both choices) & only other users are members of this group, not me:
strict:x:510:rserg,peter,arina,hugevlad,scabs,binarium,virven
No other option where I could specify a GID is enabled in the kernel.

Any comments?
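As an added example (not part of this thread and not grsecurity's own tooling), the Python below automates the two checks the thread walks through: it parses the three kernel log lines olli posted into structured records, and it resolves the denied UID to its primary and supplementary GIDs from passwd/group text the way `id -G` would, so you can see whether the user is in the TPE untrusted group (510 here) or is a non-root user that is not, which is what points at a catch-all "restrict all non-root users" setting. The regexes are written only for the three message shapes shown on this page (exec, denied exec, signal); any other grsec line is assumed to be skipped. The sample log, passwd and group lines are constructed copies of what olli posted.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample input: the three kernel log lines from the thread, as syslog wrote them.
SAMPLE_LOG = """\
Apr 13 19:38:25 sky kernel: grsec: exec of [03:0c:157666] (gpg ) by (bash:1238) UID(500) EUID(500), parent (bash:28644) UID(500) EUID(500)
Apr 13 19:38:25 sky kernel: denied exec of gpg by (gpg:1238) UID(500) EUID(500), parent (bash:28644) UID(500) EUID(500) reason: tried to mmap binary
Apr 13 19:38:25 sky kernel: signal 11 sent to (gpg:1238) UID(500) EUID(500), parent (bash:28644) UID(500) EUID(500)
"""

# Constructed copies of the /etc/passwd and /etc/group lines olli posted.
SAMPLE_PASSWD = "olli:x:500:10:olli:/home/olli:/bin/bash\n"
SAMPLE_GROUP = """\
wheel:x:10:root,olli
olli:x:501:
strict:x:510:rserg,peter,arina,hugevlad,scabs,binarium,virven
"""


def _proc(prefix: str) -> str:
    """grsec writes a process as "(comm:pid) UID(n) EUID(n)"; the prefix lets the
    subject and the parent process share one pattern with distinct group names."""
    return (rf"\((?P<{prefix}comm>[^:)]+):(?P<{prefix}pid>\d+)\) "
            rf"UID\((?P<{prefix}uid>\d+)\) EUID\((?P<{prefix}euid>\d+)\)")


# Only the three message shapes seen in the thread are modelled (assumption).
_EXEC = re.compile(r"kernel: grsec: exec of \[(?P<inode>[^\]]+)\] \((?P<target>[^)]*?)\s*\) by "
                   + _proc("") + r", parent " + _proc("parent_"))
_DENIED = re.compile(r"kernel: denied exec of (?P<target>\S+) by " + _proc("")
                     + r", parent " + _proc("parent_") + r" reason: (?P<reason>.+)$")
_SIGNAL = re.compile(r"kernel: signal (?P<signal>\d+) sent to " + _proc("")
                     + r", parent " + _proc("parent_"))


def parse_grsec_log(text: str) -> List[Dict[str, str]]:
    """Turn grsec exec / denied-exec / signal lines into dicts; other lines are skipped."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        for event, pat in (("exec", _EXEC), ("denied", _DENIED), ("signal", _SIGNAL)):
            m = pat.search(line)
            if m:
                rec = {"event": event}
                rec.update(m.groupdict())
                records.append(rec)
                break
    return records


def username_for_uid(uid: int, passwd_text: str) -> Optional[str]:
    """Map a numeric uid back to its login name using passwd-format text."""
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[2].isdigit() and int(f[2]) == uid:
            return f[0]
    return None


def user_gids(username: str, passwd_text: str, group_text: str) -> Set[int]:
    """Primary gid from passwd plus every supplementary gid from group, like `id -G`."""
    gids: Set[int] = set()
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[0] == username:
            gids.add(int(f[3]))
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and username in f[3].split(","):
            gids.add(int(f[2]))
    return gids


def explain_denial(rec: Dict[str, str], passwd_text: str, group_text: str,
                   untrusted_gid: int) -> str:
    """Classify a 'denied exec' record by the denied uid's group membership."""
    if rec["event"] != "denied":
        return "not a denial"
    uid = int(rec["uid"])
    if uid == 0:
        return "root"
    user = username_for_uid(uid, passwd_text)
    gids = user_gids(user, passwd_text, group_text) if user else set()
    if untrusted_gid in gids:
        return "member of untrusted gid"
    # Denied, non-root, and not in the untrusted group: the restriction must come
    # from a setting that covers all non-root users rather than from the gid list.
    return "non-root, not in untrusted gid"


if __name__ == "__main__":
    for rec in parse_grsec_log(SAMPLE_LOG):
        print(rec["event"], rec.get("reason", ""), explain_denial(rec, SAMPLE_PASSWD, SAMPLE_GROUP, 510))
```

Running it on the sample prints the denial record with reason "tried to mmap binary" classified as "non-root, not in untrusted gid", which is the situation olli describes: uid 500 belongs only to gid 10, not to the restricted gid 510.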

hrmm

Posted: Sat Apr 13, 2002 7:47 pm
by spender
Disable the "partially restrict all other non-root users" TPE option.

-Brad