something odd here... messed up... gimped..

Submit your RBAC policies or suggest policy improvements

Postby spender » Wed Mar 19, 2003 6:41 pm

out of curiosity, move the /dev/null line above the /etc/* h

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby TGKx » Wed Mar 19, 2003 8:30 pm

No change, just reports the error on the different line # (since I moved the /dev/null above /etc/* h). The feb22 gradm (approximately), will load the acl but that was the original version that was having all the probs at the beginning of this post.
TGKx
 
Posts: 50
Joined: Wed Feb 19, 2003 4:39 am

Postby spender » Wed Mar 19, 2003 8:33 pm

can you download grsecurity 1.9.9e and gradm 1.9.9d? Maybe there was something wrong with your cvs merges. The ACL is working for me.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby TGKx » Thu Mar 27, 2003 2:10 am

I have installed both and am still experiencing the duplicate entry error:

root@soup:~# gradm -E
Duplicate ACL entry found for "/etc/issue" on line 640 of /etc/grsec/acl.
"/etc/issue" references the same object as the following object(s):
/etc/issue
specified on an earlier line.The ACL system will not load until this error is fixed.

***SNIP***
/bin/mount o {
/proc/filesystems r
/lib/libc-2.2.5.so rx
/lib/ld-2.2.5.so x
/etc rw
/etc/mtab rw
/etc/ld.so.cache r
/dev/null rw
/etc/* h <- line 640
/dev/hd* r
/dev/fd0 r
/bin/mount x
/
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_SYS_RAWIO
+CAP_SYS_ADMIN
connect {
disabled
}
bind {
disabled
}
}
***SNIP***

/etc/issue may be fighting with /etc/issue.net since there is a symbolic link there. I'm not sure if you fixed that in cvs or not since I can't manage to get a checkout =(

-TGK
TGKx
 
Posts: 50
Joined: Wed Feb 19, 2003 4:39 am

Postby spender » Thu Mar 27, 2003 11:05 pm

It's fixed (for real) in the current CVS of gradm.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby TGKx » Fri Mar 28, 2003 2:26 am

Okay you got that problem fixed, here's another ;)

Mar 28 00:18:58 src@soup grsec: From 64.218.236.121: denied open of /etc/.pwd.lock for writing by (passwd:27280) UID(0) EUID(0), parent (bash:22283) UID(1006) EUID(1006)

New password:
Re-enter new password:
Cannot lock the password file; try again later.

***SNIP***
/usr/bin/passwd o {
/var/run/utmp rw
/usr/share/zoneinfo/US/Central r
/proc
/lib/libnss_compat-2.2.5.so rx
/lib/libnsl-2.2.5.so rx
/lib/libcrypt-2.2.5.so rx
/lib/libc-2.2.5.so rx
/lib/ld-2.2.5.so x
/etc rw
/etc/shadow rw
/etc/passwd rw
/etc/nsswitch.conf r
/etc/login.defs r
/etc/ld.so.cache r
/etc/* h
/dev/tty rw
/dev/log rw
/usr/bin/passwd x
/ h
-CAP_ALL
+CAP_CHOWN
+CAP_FSETID
+CAP_SETUID
+CAP_SYS_RESOURCE
connect {
disabled
}
bind {
disabled
}
}
******

.pwd.lock doesn't exist when the ACL is loaded into grsec so it appears that grsec might not be handling files that begin with a . properly

-TGK
TGKx
 
Posts: 50
Joined: Wed Feb 19, 2003 4:39 am

Postby spender » Fri Mar 28, 2003 8:20 am

Check your /etc very carefully. Do an ls -al. I think you'll find .pwd.lock actually is there. It's there on my system. The globbing does handle filenames starting with a ".", if it didn't, it wouldn't have made that file hidden instead of letting it fall through to the /etc rw rule.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
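
The two policy-loading behaviours discussed above (a "Duplicate ACL entry" when two names resolve to the same file, and an existing dotfile such as /etc/.pwd.lock being caught by /etc/* h rather than falling through to /etc rw), as an added Python model that is not gradm's code. It assumes most-specific-path matching, globs expanded against the filesystem at load time without crossing a directory boundary, and explicit object rules taking precedence over glob expansions; the file snapshot is constructed.

```python
import fnmatch
import posixpath

# Constructed snapshot (path -> symlink target, None for a regular file); not real data.
FS = {
    "/etc/issue": None,
    "/etc/issue.net": "/etc/issue",   # the symlink the poster suspected
    "/etc/shadow": None,
    "/etc/.pwd.lock": None,           # the dotfile passwd needs; it does exist
}

def realpath(path):
    """Follow symlinks in the snapshot so two names for one file compare equal."""
    while FS.get(path) is not None:
        path = FS[path]
    return path

def load_objects(rules):
    """Return ({realpath: mode}, [duplicate messages]); the policy would not load while the
    list is non-empty. Explicit paths go in first; globs only fill paths not already covered."""
    objects, globs, errors = {}, [], []
    for pattern, mode in rules:
        if any(c in pattern for c in "*?["):
            globs.append((pattern, mode))
        elif realpath(pattern) in objects:
            errors.append(f'Duplicate ACL entry found for "{pattern}"')
        else:
            objects[realpath(pattern)] = mode
    for pattern, mode in globs:
        for p in FS:  # as in the shell, a glob does not cross a directory boundary
            if posixpath.dirname(p) == posixpath.dirname(pattern) and fnmatch.fnmatchcase(p, pattern):
                objects.setdefault(realpath(p), mode)  # symlink and target from one glob: no error
    return objects, errors

def lookup(objects, path):
    """Most specific rule wins: the path itself, then each parent directory, up to '/'."""
    path = realpath(path)
    while path not in objects and path != "/":
        path = posixpath.dirname(path)
    return objects.get(path)

def allowed(objects, path, access):
    """access is one mode letter ('r', 'w', 'x'); a hidden object ('h') denies everything."""
    mode = lookup(objects, path) or ""
    return "h" not in mode and access in mode

# Subset of the poster's /usr/bin/passwd subject
PASSWD_RULES = [("/etc", "rw"), ("/etc/shadow", "rw"), ("/etc/*", "h"), ("/dev/tty", "rw"), ("/", "h")]
```

With these rules a write to /etc/.pwd.lock is denied because the expanded glob marks it hidden, while a path absent from the snapshot and the rules falls through to /etc rw.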

Postby TGKx » Fri Mar 28, 2003 6:31 pm

Ah yes, you're right, for some reason I was thinking it was a dynamic temp file in there kind of like mtab~<proc#>. I probably cleaned it out at one point and then saw it trying to create it and jumped to conclusions.

Everything seems happy now, thanks for the help :)

-TGK
TGKx
 
Posts: 50
Joined: Wed Feb 19, 2003 4:39 am

Postby spender » Fri Mar 28, 2003 7:56 pm

Some more good news. I finished a better include directive for gradm 2.0. I am going to backport it to the current version of gradm tonight, so the include directive is much more flexible. In the current version of gradm you can only include entire subject ACLs. In this new version, you can include anything.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Learning Problem

Postby TGKx » Sat Mar 29, 2003 7:33 pm

Did you happen to reintroduce this with a previous cvs merge? I've never had issues with it before with syslog-ng.

root@soup:/etc/grsec# gradm -L /var/log/grsec.log -O ./bleh
Unable to open /etc/syslog.conf for reading.
Error: No such file or directory
root@soup:/etc/grsec# ls -la /var/log/grsec.log
-rw------- 1 root root 327595 Mar 29 17:25 /var/log/grsec.log
root@soup:/etc/grsec#

root@soup:/etc/grsec# gradm -v
gradm v1.9.9f

-TGK
TGKx
 
Posts: 50
Joined: Wed Feb 19, 2003 4:39 am

Postby spender » Sat Mar 29, 2003 9:38 pm

The code's been like that for a while. I've fixed your problem in current CVS though.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
