grsecurity forums


https://forums.grsecurity.net./

grsecurity seems to ignore subject modes overriding PaX feat

https://forums.grsecurity.net./viewtopic.php?f=3&t=504

Page 1 of 1

grsecurity seems to ignore subject modes overriding PaX feat

PostPosted: Mon Jul 28, 2003 9:56 am
by osl74
Hello,

we play around here building ACLs for ColdFusion. I got log entries regarding "denied load of writable library /dev/zero ..." and so i used 'O'- subject mode for 'cfrdsservice', but the message still remains !
After that, i enabled more PaX- features in kernel, and from now Java- processes were killed by PaX- violations. Giving the subjects all PSMRGX- modes doesn't change the immediate killing at coldfusion- start. So i disabled that corresponding PaX- features for memory protection in kernel, and now there java- processes start easily.
So it seems to me, that grsecurity doesnt honor these subject modes. Is there anything wrong ?
I use: linux 2.4.21-grsec and gradm v1.9.10

Best regards, Sandro Littke.

Re: grsecurity seems to ignore subject modes overriding PaX

PostPosted: Mon Jul 28, 2003 10:13 am
by PaX Team
osl74 wrote:After that, i enabled more PaX- features in kernel, and from now Java- processes were killed by PaX- violations. Giving the subjects all PSMRGX- modes doesn't change the immediate killing at coldfusion- start. So i disabled that corresponding PaX- features for memory protection in kernel, and now there java- processes start easily.
So it seems to me, that grsecurity doesnt honor these subject modes. Is there anything wrong ?
take a look at here:http://www.grsecurity.net/gracldoc.htm#PaX_flags_and_caveats and try to not use the GX flags. it seems that grsecurity activates RANDEXEC even if none of PAGEEXEC and SEGMEXEC is active (it's a bug/feature, and is at least inconsistent with how the ELF header flags are interpreted, i guess it will be fixed in the next release).

PostPosted: Mon Jul 28, 2003 10:42 am
by osl74
Thanks for the advise, now java starts. I didnt use the GX- flags actually, just a mistype.
But the problem with "... denied load of writable library /dev/zero by (cfserver:30827) UID(30) EUID(30), parent (cfserver:19684) UID(30) EUID(30) ..." still remains ...

Best regards, Sandro Littke.

PostPosted: Mon Jul 28, 2003 11:02 am
by PaX Team
osl74 wrote:But the problem with "... denied load of writable library /dev/zero by (cfserver:30827) UID(30) EUID(30), parent (cfserver:19684) UID(30) EUID(30) ..." still remains ...
you should add the O flag to the cfserver subject instead of/in addition to cfrdsservice.
All times are UTC - 5 hours [ DST ]
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/