Page 1 of 1

Cannot login into gradm

PostPosted: Sat Sep 20, 2003 6:08 am
by Peter
Hallo!

It heards something funny, but gradm says to me all the time that my password is wrong.

What I have done:

I installed crux (http://www.crux.nu).
Downloaded new kernel 2.4.22 and patched new kernel with grsec.
Installed the new kernel.
Installed gradm and got no errors.

I typed in my private password.

In /etc/grsec/ dir are lying the acl and a file pw with my password (binary).

Everytime I try to login into gradm e.g. with gradm -a or gradm -D it ask for a password.
I type in my password and it fails.

There comes a message that it was not allowed by an acl and the password is incorrect.

For trouble shooting I delete 1 time the pw file and create a new one with gradm.
But gradm dont want my password.

I delete sometime the acl to and reboot.
so, I think that grsec must run without any acl, right?
But the some problem.

gradm dont want my password.

Have someone an idea?
May a logfile help you to help me and which logfile?

Viele Gruesse,
Peter.

PostPosted: Sat Sep 20, 2003 10:39 am
by devastor
Can you post the exact error messages?

And do you ever enable the acl with gradm -E ?

Also check out `dmesg'

-devastor

PostPosted: Sun Sep 21, 2003 6:54 am
by Peter
devastor wrote:Can you post the exact error messages?

And do you ever enable the acl with gradm -E ?

Also check out `dmesg'

-devastor


Hi,
thank you that you want to help me.

After a reboot I type
Code: Select all
ps aux and get this:
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  5.6  0.3  1440  948 ?        S    12:36   0:03 init
root         2  0.3  0.0     0    0 ?        SW   12:36   0:00 [keventd]
root         3  0.0  0.0     0    0 ?        SWN  12:36   0:00 [ksoftirqd_CPU0]
root         4  0.0  0.0     0    0 ?        SW   12:36   0:00 [kswapd]
root         5  0.0  0.0     0    0 ?        SW   12:36   0:00 [bdflush]
root         6  0.0  0.0     0    0 ?        SW   12:36   0:00 [kupdated]
root         7  0.0  0.0     0    0 ?        SW   12:36   0:00 [jfsIO]
root         8  0.0  0.0     0    0 ?        SW   12:36   0:00 [jfsCommit]
root         9  0.0  0.0     0    0 ?        SW   12:36   0:00 [jfsSync]
root        11  0.0  0.0     0    0 ?        SW   12:36   0:00 [khubd]
root        16  0.0  0.0     0    0 ?        SW   12:36   0:00 [kreiserfsd]
root      5755  0.0  0.4  1432 1044 ?        S    12:36   0:00 /sbin/devfsd /dev
root      7941  0.1  0.4  1584 1232 ?        S    12:36   0:00 /usr/sbin/syslogd
root     27020  0.1  0.6  2276 1784 ?        S    12:36   0:00 /usr/sbin/klogd -
root      3871  0.0  0.3  1412  980 ?        S    12:36   0:00 /usr/sbin/crond
root     24372  0.0  0.7  2524 1960 vc/1     S    12:36   0:00 -bash
root      2374  0.0  0.3  1396  868 vc/2     S    12:36   0:00 /sbin/agetty 3840
root     31309  0.0  0.3  1384  868 vc/3     S    12:36   0:00 /sbin/agetty 3840
root      9960  0.0  0.3  1384  868 vc/4     S    12:36   0:00 /sbin/agetty 3840
root     11385  0.0  0.3  1424  868 vc/5     S    12:36   0:00 /sbin/agetty 3840
root     24639  0.0  0.3  1404  868 vc/6     S    12:36   0:00 /sbin/agetty 3840
root      6384  0.0  0.4  2648 1244 vc/1     R    12:37   0:00 ps aux


After that I type in:

Code: Select all
gradm -a

And I must type in my password.
After that I get an error that an acl forbidden me to login.
:(

My /etc/grsec/acl looks like this:
Code: Select all
/ lo {
       / h
       -CAP_ALL
       RES_FSIZE     0 0
       RES_DATA      0 0
       RES_RSS       0 0
       RES_NOFILE    0 0
       RES_MEMLOCK   0 0
       RES_STACK     0 0
       RES_AS        0 0
       RES_NPROC     0 0
       RES_LOCKS     0 0
       connect {
              disabled
       }
       bind {
              disabled
       }
}


That is the same like on:http://www.grsecurity.net/gracldoc.htm#Using_Gradm_and_the_Learning_Mode
exept that I type a / for testing.

My dmesg looks like this:
Code: Select all
Linux version 2.4.22-grsec (root@nbpeter) (gcc version 3.2.3 (CRUX)) #1 SMP Sat Sep 20 07:30:12 CEST 2003
BIOS-provided physical RAM map:
 BIOS-e820: 0000000000000000 - 000000000009fc00 (usable)
 BIOS-e820: 000000000009fc00 - 00000000000a0000 (reserved)
 BIOS-e820: 0000000000100000 - 000000000ffe2800 (usable)
 BIOS-e820: 000000000ffe2800 - 0000000010000000 (reserved)
 BIOS-e820: 00000000feda0000 - 00000000fee00000 (reserved)
 BIOS-e820: 00000000ffb80000 - 0000000100000000 (reserved)
255MB LOWMEM available.
On node 0 totalpages: 65506
zone(0): 4096 pages.
zone(1): 61410 pages.
zone(2): 0 pages.
Dell Inspiron with broken BIOS detected. Refusing to enable the local APIC.
Kernel command line: BOOT_IMAGE=CRUX_NEU ro root=309 quiet
Initializing CPU#0
Detected 1695.024 MHz processor.
Console: colour VGA+ 80x25
Calibrating delay loop... 3381.65 BogoMIPS
Memory: 254920k/262024k available (2518k kernel code, 6716k reserved, 347k data, 144k init, 0k highmem)
Dentry cache hash table entries: 32768 (order: 6, 262144 bytes)
Inode cache hash table entries: 16384 (order: 5, 131072 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 16384 (order: 4, 65536 bytes)
Page-cache hash table entries: 65536 (order: 6, 262144 bytes)
CPU: Trace cache: 12K uops, L1 D cache: 8K
CPU: L2 cache: 512K
CPU: Hyper-Threading is disabled
Intel machine check architecture supported.
Intel machine check reporting enabled on CPU#0.
CPU:     After generic, caps: 3febf9ff 00000000 00000000 00000000
CPU:             Common caps: 3febf9ff 00000000 00000000 00000000
Enabling fast FPU save and restore... done.
Enabling unmasked SIMD FPU exception support... done.
Checking 'hlt' instruction... OK.
POSIX conformance testing by UNIFIX
CPU: Trace cache: 12K uops, L1 D cache: 8K
CPU: L2 cache: 512K
CPU: Hyper-Threading is disabled
Intel machine check reporting enabled on CPU#0.
CPU:     After generic, caps: 3febf9ff 00000000 00000000 00000000
CPU:             Common caps: 3febf9ff 00000000 00000000 00000000
CPU0: Intel(R) Pentium(R) 4 Mobile CPU 1.70GHz stepping 04
per-CPU timeslice cutoff: 1462.61 usecs.
SMP motherboard not detected.
Local APIC not detected. Using dummy APIC emulation.
Waiting on wait_init_idle (map = 0x0)
All processors have done init_idle
PCI: PCI BIOS revision 2.10 entry at 0xfbfee, last bus=2
PCI: Using configuration type 1
PCI: Probing PCI hardware
PCI: Probing PCI hardware (bus 00)
PCI: Ignoring BAR0-3 of IDE controller 00:1f.1
Transparent bridge - Intel Corp. 82801BAM/CAM PCI Bridge
PCI: Discovered primary peer bus 08 [IRQ]
PCI: Using IRQ router PIIX [8086/248c] at 00:1f.0
PCI: Found IRQ 11 for device 00:1f.1
PCI: Sharing IRQ 11 with 00:1d.2
PCI: Sharing IRQ 11 with 02:00.0
isapnp: Scanning for PnP cards...
isapnp: No Plug & Play device found
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
Journalled Block Device driver loaded
devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
NTFS driver v1.1.22 [Flags: R/O]
udf: registering filesystem
pty: 256 Unix98 ptys configured
Dell laptop SMM driver v1.13 14/05/2002 Massimo Dal Zotto (dz@debian.org)
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI ISAPNP enabled
ttyS00 at 0x03f8 (irq = 4) is a 16550A
PCI: Found IRQ 11 for device 00:1f.6
PCI: Sharing IRQ 11 with 00:1f.5
Floppy drive(s): fd0 is 1.44M
FDC 0 is a post-1991 82077
Linux agpgart interface v0.99 (c) Jeff Hartmann
agpgart: Maximum main memory to use for agp memory: 203M
agpgart: Detected Intel i845 chipset
agpgart: AGP aperture is 64M @ 0xe8000000
[drm] Initialized tdfx 1.0.0 20010216 on minor 0
[drm] AGP 0.99 on Intel i845 @ 0xe8000000 64MB
[drm] Initialized radeon 1.1.1 20010405 on minor 1
[drm] AGP 0.99 on Intel i845 @ 0xe8000000 64MB
[drm] Initialized i810 1.2.0 20010920 on minor 2
Uniform Multi-Platform E-IDE driver Revision: 7.00beta4-2.4
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
ICH3M: IDE controller at PCI slot 00:1f.1
PCI: Enabling device 00:1f.1 (0005 -> 0007)
PCI: Found IRQ 11 for device 00:1f.1
PCI: Sharing IRQ 11 with 00:1d.2
PCI: Sharing IRQ 11 with 02:00.0
ICH3M: chipset revision 2
ICH3M: not 100% native mode: will probe irqs later
    ide0: BM-DMA at 0xbfa0-0xbfa7, BIOS settings: hda:DMA, hdb:DMA
hda: HITACHI_DK23EA-60, ATA DISK drive
hdb: HL-DT-STDVD-ROM GDR8081N, ATAPI CD/DVD-ROM drive
blk: queue c019df20, I/O limit 4095Mb (mask 0xffffffff)
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
hda: attached ide-disk driver.
hda: host protected area => 1
hda: 117210240 sectors (60012 MB) w/2048KiB Cache, CHS=7296/255/63, UDMA(100)
hdb: attached ide-cdrom driver.
hdb: ATAPI 24X DVD-ROM drive, 512kB Cache, DMA
Uniform CD-ROM driver Revision: 3.12
Partition check:
 /dev/ide/host0/bus0/target0/lun0: p1 p2 p3 p4 < p5 p6 p7 p8 p9 p10 p11 p12 p13 p14 p15 >
SCSI subsystem driver Revision: 1.00
kmod: failed to exec /sbin/modprobe -s -k scsi_hostadapter, errno = 2
es1371: version v0.32 time 07:32:07 Sep 20 2003
Linux Kernel Card Services 3.1.22
  options:  [pci] [cardbus] [pm]
PCI: Found IRQ 11 for device 02:01.0

PCI: Sharing IRQ 11 with 02:01.1
PCI: Sharing IRQ 11 with 02:01.2
PCI: Found IRQ 11 for device 02:01.1
PCI: Sharing IRQ 11 with 02:01.0
PCI: Sharing IRQ 11 with 02:01.2
usb.c: registered new driver hub
Yenta IRQ list 06a8, PCI irq11
Socket status: 30000006
Yenta IRQ list 06a8, PCI irq11
Socket status: 30000006
host/uhci.c: USB Universal Host Controller Interface driver v1.1
PCI: Found IRQ 11 for device 00:1d.0
PCI: Sharing IRQ 11 with 01:00.0
PCI: Setting latency timer of device 00:1d.0 to 64
host/uhci.c: USB UHCI at I/O 0xbf80, IRQ 11
usb.c: new USB bus registered, assigned bus number 1
hub.c: USB hub found
hub.c: 2 ports detected
PCI: Found IRQ 11 for device 00:1d.2
PCI: Sharing IRQ 11 with 00:1f.1
PCI: Sharing IRQ 11 with 02:00.0
PCI: Setting latency timer of device 00:1d.2 to 64
host/uhci.c: USB UHCI at I/O 0xbf20, IRQ 11
usb.c: new USB bus registered, assigned bus number 2
hub.c: USB hub found
hub.c: 2 ports detected
Initializing USB Mass Storage driver...
usb.c: registered new driver usb-storage
USB Mass Storage support registered.
Initializing Cryptographic API
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 2048 buckets, 16Kbytes
TCP: Hash tables configured (established 16384 bind 16384)
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
FAT: bogus logical sector size 0
FAT: bogus logical sector size 0
kmod: failed to exec /sbin/modprobe -s -k nls_iso8859-1, errno = 2
You didn't specify the type of your ufs filesystem

mount -t ufs -o ufstype=sun|sunx86|44bsd|old|hp|nextstep|netxstep-cd|openstep ...

>>>WARNING<<< Wrong ufstype may corrupt your filesystem, default is ufstype=old
ufs_read_super: bad magic number
UDF-fs DEBUG lowlevel.c:65:udf_get_last_session: CDROMMULTISESSION not supported: rc=-22
UDF-fs DEBUG super.c:1421:udf_read_super: Multi-session=0
UDF-fs DEBUG super.c:410:udf_vrs: Starting at sector 16 (2048 byte sectors)
UDF-fs DEBUG super.c:1157:udf_check_valid: Failed to read byte 32768. Assuming open disc. Skipping validity check
UDF-fs DEBUG misc.c:285:udf_read_tagged: location mismatch block 256, tag 93183 != 256
UDF-fs DEBUG super.c:1211:udf_load_partition: No Anchor block found
UDF-fs: No partition found (1)
reiserfs: found format "3.6" with standard journal
hub.c: new USB device 00:1d.2-1, assigned address 2
usb.c: USB device 2 (vend/prod 0x46d/0xc024) is not claimed by any active driver.
reiserfs: checking transaction log (device ide0(3,9)) ...
for (ide0(3,9))
ide0(3,9):Using r5 hash to sort names
VFS: Mounted root (reiserfs filesystem) readonly.
Mounted devfs on /dev
Freeing unused kernel memory: 144k freed
Adding Swap: 522072k swap-space (priority -1)
grsec: mount /dev/hda9 to / by (mount:6042) UID(0) EUID(0), parent (rc:13502) UID(0) EUID(0)
grsec: mount /dev/hda9 to / by (mount:19737) UID(0) EUID(0), parent (rc:13502) UID(0) EUID(0)
grsec: mount proc to /proc by (mount:4001) UID(0) EUID(0), parent (rc:13502) UID(0) EUID(0)
grsec: mount /dev/hda14 to /home by (mount:4001) UID(0) EUID(0), parent (rc:13502) UID(0) EUID(0)
grsec: time set by (hwclock:9297) UID(0) EUID(0), parent (rc:13502) UID(0) EUID(0)
grsec: ignoring shutdown for disabled acl for (gradm:15890) UID(0) EUID(0), parent (bash:24372) UID(0) EUID(0)
grsec: Ignoring change to admin mode for disabled acl for (gradm:22274) UID(0) EUID(0), parent (bash:24372) UID(0) EUID(0)
grsec: ignoring shutdown for disabled acl for (gradm:4146) UID(0) EUID(0), parent (bash:24372) UID(0) EUID(0)


I am really shure that something with my acl is not correct, but
my english is not really perfect that I understand everything right in the manuall.
But I am wondering why the acl from the manuall is not correct working.

I think you see perhaps very fast a newbie-fault.
Perhaps I need at the start a guiding hand.

Anyway I think that grsec is a very good way to harden my linuxsystem.

PostPosted: Sun Sep 21, 2003 12:18 pm
by goodbyte
Code: Select all
grsec: ignoring shutdown for disabled acl for (gradm:15890) UID(0) EUID(0), parent (bash:24372) UID(0) EUID(0)


as devastor wrote, you need to enable grsecurity with gradm -E
I.e. add gradm -E to your startup scripts or if you just want to test it, execute gradm -E before you try gradm -a

PostPosted: Sun Sep 21, 2003 12:49 pm
by Peter
goodbyte wrote:execute gradm -E before you try gradm -a

Ah, I see.
I can now login now. :)

Maybe I understand it in the manual false.
:)

So, one more question:
I want to get grsec into learning mode.

So is it right when I make this.

1. Boot the system.
2. Login as Root
3. type: gradm -E (to enable grsec)
4. type: gradm -a (to enter adminmode)
6. type: gradm -D (to disable grsec, it is like in the manuall)
5. type: gradm -L -O /etc/grsec/acl (to enter learning mode)
6. type: gradm -E (to enable the learning mode)

And when I wait now about 24h I have new lines in /etc/grsec/acl, right?

I am a newbie to grsec and my english is not the best, that I unserstand everything right in the manual.
So it was nice, if I have in the beginning a guiding hand.
Thank you, that I may take your time.

Viele Gruesse,
Peter.

PostPosted: Mon Sep 22, 2003 5:16 am
by Peter
5. type: gradm -L -O /etc/grsec/acl (to enter learning mode)

It works now.
Okay, I must use /etc/grsec/another_new_acl

I think the manual is wrong at this place in the learning mode.