grsecurity forums

Hi everybody,

i recently installed a server at a customer site with squid running in grsecurity with kernel 2.4.22

Everything works fine and stable but once in a while i get a deny from gr in dmesg regarding the squid cache directory:

grsec: From 1.2.3.4: denied unlink of /usr/local/squid/2.5.STABLE4/var/cache/00/3E/00003EA3 by (unlinkd:290) UID(1001) EUID(1001), parent (squid:284) UID(1001) EUID(1001)


Here is my squid acl:

/usr/local/squid/2.5.STABLE4/sbin/squid dAX {
/usr/local/squid/2.5.STABLE4/sbin/squid x
/usr/local/squid/2.5.STABLE4/libexec x
/usr/local/squid/2.5.STABLE4/etc r
/usr/local/squid/2.5.STABLE4/bin x
/usr/local/squid/2.5.STABLE4/sbin x
/usr/local/squid/2.5.STABLE4/share r
/usr/local/squid/2.5.STABLE4/var rw
/dev/log rw
/dev/null rw
/etc/passwd r
/etc/ld.so.cache r
/etc/nsswitch.conf r
/etc/resolv.conf r
/etc/hosts r
/usr/share/zoneinfo r
/etc/group r
/etc/host.conf r
/dev/tty rw
/lib rx
/etc/services r
/usr/lib/libdb3.so.3.0.2 rx
/usr/bin/unlink rxi
/ h
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_KILL
+CAP_SETGID
+CAP_SETUID
+CAP_NET_BIND_SERVICE
RES_CRASH 1 60000

connect {
0.0.0.0/0:80 stream tcp
0.0.0.0/0:443 stream tcp
x.x.x.x:53 dgram udp
}

bind {
0.0.0.0:0 dgram ip
0.0.0.0:0 dgram ip udp
127.0.0.1:0 stream ip tcp
0.0.0.0:3128 stream ip tcp
0.0.0.0:3130 dgram ip udp
0.0.0.0:0 stream ip tcp
}

}

As you can see the

usr/local/squid/2.5.STABLE4/var rw

should permit rw acces to the cache directory. The acl was created in learning mode and after that i added and summarised some entries. Obviously that may be room for improvement (let me know) but the acl works so far

I think i have an understanding problem regarding inheritance: in the error message i can see that not squid but unlinkd wants to access the file so according the documentation i added

/usr/bin/unlink rxi

to give unlink the same permissions as squid but still the denies pop up

regards,

weeny

are you sure /usr/bin/unlink is the correct filename?

-Brad

in fact, i'm pretty sure that's the wrong filename. iirc, squid has an "unlinkd" binary, so you need to use that filename.

-Brad

Ah of course...

i did a which unlinkd and nothing was found in the path so i
did a which unlink and got

/usr/bin/unlink

and i thought that this is the programm squid is using but in fact (after i read youre reply) i searched with

find /usr/local -name unlinkd

and it showed me that there is a file called

/usr/local/squid/.../libexec/unlinkd


so I put it in my acl now with

usr/local/squid/.../sbin/squid {
[...]
/usr/local/squid/.../var rw
/usr/local/squid/.../libexec/unlinkd rxi
[...]
}

Is the rxi correct? the idea is that unlinkd inherits the rights from squid...

I cleared dmesg and will wait a couple of hours if the message pop's up again. Hope this works but i am pretty convinced

Thank you once again for youre help

regards

weeny

As far as i can see the inheritance shall work well

But i may be wrong because i am a rookie

Greetings

snoopy

ok i still have this deny messages even after the changes...(i think i cleared the dmesg with dmesg -c in an gr free shell but i am not shure ... you cannot tell because of the missing timestamps of grsecurity in dmesg. maybe to make shure i also do a echo > /var/log/messages)

strange...

so what i tried now is to put the unlinkd binary in an extra acl and switched on learning mode like this

/usr/local/..../squid/sbin/squid dXA {
[...old stuff...]
/usr/local/..../squid/var rw
/usr/local/..../squid/libexec/unlinkd rxi
[...old stuff...]

}

# NEW ACL ->
/usr/local/..../squid/libexec/unlinkd lo {
/ h
-CAP_ALL
}


any more suggestions?

regards weeny

Hi,

to close this topic -> the last version worked for me. After i put unklinkd in his own acl gr stop sending the deny messages for the cache directory

I wonder why it did not worked when unlinkd was a part of the squid rule with the rxi option

regards

weeny

P.S.
on the same server i have installed sendmail with mimedefang and spamassassin working quite well for one week now...if anyone is interessted in the ruleset...give me feedback