grsecurity forums

Hi,

On a server I help administer, we have loads of shell accounts and have been running grsecurity in "full" mode for ages now (although we've yet to use the ACL stuff).

The other day we had our first grsecurity/PaX problem from a user who was running a binary compiled with some Kylix stuff

eeek:/home/amnesia# file hello
hello: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), not stripped

eeek:/home/amnesia# cat hello.dpr
uses
Classes;
begin
writeln('hello world')
end.

I'm not sure how the user is compiling the program yet - lack of communication at the moment.

Anyway, after a search for "kylix" on this forum I found the solution and used "chpax -s hello" to stop PaX from killing the execution. Here is what is logged in /var/log/syslog if segmentation based PAGE_EXEC is not disabled:

Jun 14 00:33:58 eeek kernel: PAX: From X.X.X.X: execution attempt in: /home/amnesia/hello, 0816d000-08171000 00024000
Jun 14 00:33:58 eeek kernel: PAX: From X.X.X.X: terminating task: /home/amnesia/hello(hello):14413, uid/euid: 0/0, PC: 0816f6c3, SP: 5e05d4a8
Jun 14 00:33:58 eeek kernel: PAX: bytes at PC: 83 44 24 04 dc e9 3f ec ed ff 83 44 24 04 dc e9 49 ec ed ff
Jun 14 00:33:58 eeek kernel: grsec: From X.X.X.X: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by (hello:14413) UID(0) EUID(0), parent (bash:24717) UID(0) EUID(0)

Now, this is a problem in Borland Kylix isn't it? Can anyone shed any more information on this before I attempt to contact them with this to see if they can do anything about it in the future as to me it sounds like buggy software on their part?

Thank you for your time.

david wrote:Anyway, after a search for "kylix" on this forum I found the solution and used "chpax -s hello" to stop PaX from killing the execution. Here is what is logged in /var/log/syslog if segmentation based PAGE_EXEC is not disabled:

Jun 14 00:33:58 eeek kernel: PAX: From X.X.X.X: execution attempt in: /home/amnesia/hello, 0816d000-08171000 00024000
Jun 14 00:33:58 eeek kernel: PAX: From X.X.X.X: terminating task: /home/amnesia/hello(hello):14413, uid/euid: 0/0, PC: 0816f6c3, SP: 5e05d4a8
Jun 14 00:33:58 eeek kernel: PAX: bytes at PC: 83 44 24 04 dc e9 3f ec ed ff 83 44 24 04 dc e9 49 ec ed ff
Jun 14 00:33:58 eeek kernel: grsec: From X.X.X.X: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by (hello:14413) UID(0) EUID(0), parent (bash:24717) UID(0) EUID(0)

Now, this is a problem in Borland Kylix isn't it? Can anyone shed any more information on this before I attempt to contact them with this to see if they can do anything about it in the future as to me it sounds like buggy software on their part?

this is indeed the same problem as the one you already found in that other thread and i take it that Borland wasn't contacted or haven't fixed it yet. frankly, given the last update dates on their site, Kylix doesn't appear to be in active development so don't have high hopes...

Thank you for the reply.

To be quite frank, I've not even taken a look at the Borland website so wouldn't know - it seems a dead-end anyway, from what you've said in this thread and in others.

I'll just have to keep chpax'ing this users binaries or they'll need to find an alternative to Kylix.

david wrote:I'll just have to keep chpax'ing this users binaries or they'll need to find an alternative to Kylix.

or you discover the wonders of the ACL system and the PaX related subject flags .

Yes, learning the ACL system is probably an excellent idea considering
Last time I printed the documentation it was the size of a small rain forest, IIRC and I didn't get very far.

Kind regards.