Terminal being sniffed ??
Posted:
Sun Jan 30, 2005 6:57 am
by Naril
Hi!
I have the following problem. When I try to use the "gradm -a admin" command I get this grsec warning:
kernel: grsec: From 153.19.37.187: (root:U:/sbin/gradm) terminal being sniffed by IP:153.19.37.187 /usr/sbin/httpd[httpd:13371], parent /sbin/init[init:1] against /sbin/gradm[gradm:30123] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:21671] uid/euid:0/0 gid/egid:0/0.
It is strange because 153.19.37.187 is the IP of my computer at home, which I use to connect to my server. I also have a www page open which is on my server, but why can't I use "gradm -a admin"? What is the connection between grsec and the fact that I use a www server? And what do I have to change in my configuration?
Posted:
Tue Feb 01, 2005 10:15 pm
by spender
Can you send me an lsof of the system when the problem occurs? Also send me pstree and ps aux output.
-Brad
Posted:
Wed Feb 02, 2005 7:42 am
by Naril
Of course. I sent it with my new questions about this problem.
Posted:
Sun Mar 06, 2005 12:37 pm
by glaeken
Mar 6 17:18:55 localhost kernel: grsec: From 10.0.0.2: (default:D:/sbin/gradm) terminal being sniffed by IP:10.0.0.2 /usr/sbin/crond[crond:29], parent /sbin/init[init:1] against /sbin/gradm[gradm:12994] uid/euid:0/0 gid/egid:0/0, parent /bin/bash_root[bash_root:20796] uid/euid:0/0 gid/egid:0/0
should I send the same info as mentioned above?
Posted:
Sun Mar 06, 2005 12:39 pm
by spender
Have you updated to 2.1.2?
-Brad
Posted:
Sun Mar 06, 2005 1:04 pm
by glaeken
yes I did
yesterday
ps. it seems to be related to a background process which has been started from the given pts
Code:
[18:01:27] root@dsl:~# gradm -D
Password:
Stopping crond: [ OK ]
Starting crond: [ OK ]
[18:09:06] root@dsl:~# gradm -D
The terminal you are using is unsafe for this operation. Use another terminal.
and one more
Code:
[18:11:04] root@dsl:~# gradm -D
Password:
[18:11:06] root@dsl:~# killall crond
[18:11:09] root@dsl:~# gradm -D
Password:
[18:11:12] root@dsl:~# crond
[18:11:14] root@dsl:~# gradm -D
The terminal you are using is unsafe for this operation. Use another terminal.
Posted:
Sun Mar 06, 2005 1:07 pm
by spender
Yes, which means that there's a bug in your distribution, as that process shouldn't have your terminal opened. In this case, just log into another terminal and run gradm on there.
-Brad
Posted:
Sun Mar 06, 2005 1:11 pm
by glaeken
should I change cron? or something deeper? libc i.e.?
Posted:
Sun Mar 06, 2005 5:09 pm
by spender
The problem is most likely in the startup script for cron. If you report the problem to your distribution, they will know how to fix it. Explain that the cron process has the terminal open of the user that started cron.
Out of curiosity, can you show me the output of ls -al /proc/`pidof cron`/fd
-Brad
Posted:
Sun Mar 06, 2005 7:46 pm
by glaeken
Code:
[00:47:35] root@dsl:~# ls -al /proc/`pidof crond`/fd
total 0
dr-x------ 2 root procgr 0 Mar 7 00:47 .
dr-xr-x--- 3 root procgr 0 Mar 6 23:09 ..
lrwx------ 1 root procgr 64 Mar 7 00:47 0 -> /dev/pts/17 (deleted)
l-wx------ 1 root procgr 64 Mar 7 00:47 1 -> pipe:[807531]
l-wx------ 1 root procgr 64 Mar 7 00:47 2 -> pipe:[807532]
lrwx------ 1 root procgr 64 Mar 7 00:47 3 -> /var/run/crond.pid
lrwx------ 1 root procgr 64 Mar 7 00:47 6 -> socket:[837725]
[00:47:36] root@dsl:~# lsof -n | grep crond
crond 13534 root cwd DIR 3,1 4096 677235 /var/spool
crond 13534 root rtd DIR 3,1 4096 2 /
crond 13534 root txt REG 3,1 22112 322954 /usr/sbin/crond
crond 13534 root mem REG 3,1 464409 482931 /lib/ld-2.2.4.so
crond 13534 root mem REG 3,1 5737154 482940 /lib/libc-2.2.4.so
crond 13534 root mem REG 3,1 256691 482965 /lib/libnss_files-2.2.4.so
crond 13534 root mem REG 3,1 350464 482973 /lib/libnss_nisplus-2.2.4.so
crond 13534 root mem REG 3,1 448441 482949 /lib/libnsl-2.2.4.so
crond 13534 root 0u CHR 136,17 19 /dev/pts/17 (deleted)
crond 13534 root 1w FIFO 0,5 807531 pipe
crond 13534 root 2w FIFO 0,5 807532 pipe
crond 13534 root 3u REG 3,1 6 676074 /var/run/crond.pid
crond 13534 root 6u unix 0xc712a960 837725 socket
..and yes, I know I have an old libc:P
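The check discussed in this thread (finding which other process still holds your terminal open, as crond does with /dev/pts/17 above) can be scripted; the following is an added example, not code from any poster or from grsecurity. The function name tty_holders and the session-ID filter are assumptions made for illustration, and the filter is not how grsecurity itself decides what counts as a sniffer.

```shell
#!/bin/sh
# tty_holders PROC_ROOT TTY_PATH [OWN_SID]   (hypothetical helper name)
# Prints "pid fd comm sid" for every process under PROC_ROOT with an open
# descriptor pointing at TTY_PATH, including stale "(deleted)" links like
# the crond fd 0 shown in the thread. Processes whose session ID equals
# OWN_SID (your own login session) are skipped when OWN_SID is given.
tty_holders() {
    proc_root=$1
    tty_path=$2
    own_sid=${3:-}
    for fd in "$proc_root"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue              # unmatched glob or unreadable fd dir
        target=$(readlink "$fd") || continue  # process may have exited meanwhile
        case $target in
            "$tty_path"|"$tty_path (deleted)") ;;
            *) continue ;;
        esac
        pid_dir=${fd%/fd/*}
        pid=${pid_dir##*/}
        stat=$(cat "$pid_dir/stat" 2>/dev/null) || continue
        comm=${stat#*\(}                      # text between "(" and the last ")"
        comm=${comm%\)*}
        rest=${stat##*\) }                    # fields after comm: state ppid pgrp session
        set -- $rest
        sid=$4
        [ -n "$own_sid" ] && [ "$sid" = "$own_sid" ] && continue
        printf '%s %s %s %s\n' "$pid" "${fd##*/}" "$comm" "$sid"
    done
}

# When run from an interactive terminal as root, report holders of that
# terminal that are outside the current session.
if [ -t 0 ]; then
    tty_holders /proc "$(tty)" "$(ps -o sid= -p $$ | tr -d ' ')"
fi
```

Any line it prints names a process to restart from a clean environment (or whose startup script should redirect stdin away from the terminal) before running gradm on that terminal again.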