
chrooting broken on ensim

Posted: Mon Jan 05, 2004 10:50 pm
by kamihacker
Jan 5 22:57:51 hostname last message repeated 2 times
Jan 5 22:57:51 hostname kernel: grsec: more alerts, logging disabled for 10 seconds
Jan 5 22:57:51 hostname sendmail[18932]: sendto failed 1 : Operation not permitted
Jan 5 22:59:23 hostname kernel: grsec: From 200.44.33.13: denied connect to abstract AF_UNIX socket outside of chroot by (sendmail:3036) UID(0) EUID(0), parent (sendmail:1999) UID(0) EUID(0)
Jan 5 22:59:23 hostname sendmail: connect 1 : Operation not permitted
Jan 5 22:59:23 hostname kernel: grsec: From 200.44.33.13: denied connect to abstract AF_UNIX socket outside of chroot by (sendmail:14192) UID(0) EUID(0), parent (sendmail:3036) UID(0) EUID(0)
Jan 5 22:59:23 hostname sendmail[14192]: sendto failed 1 : Operation not permitted
Jan 5 22:59:23 hostname kernel: grsec: From 200.44.33.13: denied connect to abstract AF_UNIX socket outside of chroot by (sendmail:14192) UID(0) EUID(0), parent (sendmail:3036) UID(0) EUID(0)
Jan 5 22:59:23 hostname last message repeated 2 times
Jan 5 22:59:23 hostname kernel: grsec: more alerts, logging disabled for 10 seconds


any clue on which chrooting feature should be disabled?

could it be nested chrooting?

Posted: Tue Jan 06, 2004 5:07 am
by Sleight of Mind
CONFIG_GRKERNSEC_CHROOT_UNIX

or in the menu:

"Deny access to abstract AF_UNIX sockets out of chroot"
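
Added example, not part of either post above: a small parser that tallies grsec chroot denials from syslog lines in the format shown in the first post and ties the denied action to the option named in this reply. The function and variable names are hypothetical, and the mapping table holds only the one option the thread gives.

```python
import re
from collections import Counter

# Sample input: lines in the format of the log excerpt in the first post.
SAMPLE = """\
Jan 5 22:59:23 hostname kernel: grsec: From 200.44.33.13: denied connect to abstract AF_UNIX socket outside of chroot by (sendmail:3036) UID(0) EUID(0), parent (sendmail:1999) UID(0) EUID(0)
Jan 5 22:59:23 hostname sendmail: connect 1 : Operation not permitted
Jan 5 22:59:23 hostname kernel: grsec: From 200.44.33.13: denied connect to abstract AF_UNIX socket outside of chroot by (sendmail:14192) UID(0) EUID(0), parent (sendmail:3036) UID(0) EUID(0)
Jan 5 22:59:23 hostname last message repeated 2 times
Jan 5 22:59:23 hostname kernel: grsec: more alerts, logging disabled for 10 seconds
"""

# One grsec denial: optional source IP, denied action, process and parent.
DENY = re.compile(
    r"kernel: grsec: (?:From (?P<src>\S+): )?denied (?P<action>.+?) by "
    r"\((?P<proc>[^:()]+):(?P<pid>\d+)\) UID\((?P<uid>\d+)\) EUID\((?P<euid>\d+)\), "
    r"parent \((?P<pproc>[^:()]+):(?P<ppid>\d+)\)"
)
REPEAT = re.compile(r"last message repeated (\d+) times")
SUPPRESSED = "grsec: more alerts, logging disabled"

# The only action-to-option mapping given in the thread; others report "unknown".
OPTION_FOR_ACTION = {
    "connect to abstract AF_UNIX socket outside of chroot": "CONFIG_GRKERNSEC_CHROOT_UNIX",
}

def summarize(text):
    """Count denials per (action, process); flag counts cut short by rate limiting."""
    counts, last_key, suppressed = Counter(), None, 0
    for line in text.splitlines():
        deny, repeat = DENY.search(line), REPEAT.search(line)
        if deny:
            last_key = (deny["action"], deny["proc"])
            counts[last_key] += 1
        elif repeat and last_key:
            counts[last_key] += int(repeat.group(1))  # syslog collapsed duplicates
        else:
            if SUPPRESSED in line:
                suppressed += 1  # grsec stopped logging, so counts are lower bounds
            last_key = None      # any other line ends the repeat chain
    return [
        {"action": a, "process": p, "count": n,
         "option": OPTION_FOR_ACTION.get(a, "unknown"), "lower_bound": suppressed > 0}
        for (a, p), n in counts.most_common()
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```
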

ready with ensim customizations

Posted: Fri Jan 09, 2004 1:29 am
by kamihacker
disable the next features and you'll have ensim up and running very swift (aside from not being able to let virtual users have a shell account because of some problem with the tty assigning, I haven't found out what's causing it)

disable this on your kernel configuration:

on Address Space Protection
Restrict mprotect()

on Filesystem Protections
Deny mounts
Deny double-chroots
Deny (f)chmod +s
Deny fchdir out of chroot
Deny access to abstract AF_UNIX sockets out of chroot
Capability restrictions within chroot

if any of you find out how to solve the notty problem on virtual users (must be related to chrooting in my opinion) plz reply

Posted: Mon Jan 10, 2005 5:03 pm
by DavidG
Can these options be modified without recompiling kernel?

Regards,

David

Posted: Mon Jan 10, 2005 5:12 pm
by spender
If you have the sysctl feature of grsecurity enabled, they can be enabled/disabled without rebooting, though if you disable the "deny sysctl writes in chroot" feature for example, and don't set the grsec_lock for the sysctl entries, you're negating a lot of the security provided by grsecurity.

-Brad