Acl-s and chroot



Post by marek » Tue Sep 24, 2002 2:09 pm

Hi!
I've got some problems trying to use chroot with the ACL system.
Even learning mode can't help :(
I've got lines such as:

/usr/sbin/chroot ol { / h }
/var/jail/execpath/bin/bash ol { / h }   # this is my jail
/bin/bash ol { / h }                     # tried even this......

I still get this annoying message:

Sep 24 20:00:24 ghoul kernel: grsec: attempt to load writable library[16:07:477480] by (bash:531) UID(0) EUID(0), parent (bash:406) UID(0) EUID(0)

after executing chroot.
Without grsec all works fine.

I'm writing because I want to assign limits and deny the ability to create network sockets for a process that runs from a chrooted jail.

Any ideas how to do it?
marek

Post by spender » Wed Sep 25, 2002 7:30 pm

Do a find -inum 477480 and find what library it's trying to load. Whatever library it is, it is writable by a regular root user on the system (meaning that in your ACL for /, write access is allowed to it). The user (we're assuming it's an attacker) can replace that library and get your privileged program to execute its code.

-Brad
spender
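The procedure spender describes, automated as an added example (this is not code from the thread or from grsecurity): pull the inode out of the grsec log line, locate the file with find -inum, then look up which RBAC object mode the subject gives that file and whether it contains 'w'. Two things are assumed rather than stated in the thread: that the bracketed triple in "library[16:07:477480]" is device-major:device-minor:inode, so the last field is the one find -inum takes; and that objects are "/path modes" pairs inside a subject's { ... } block where the longest matching path prefix wins. The sample policy, the library paths and the subject names are constructed for the example; the log line is the one from marek's post. Because inode numbers are only unique per filesystem, the search uses -xdev and should be started on the filesystem the device numbers identify (the jail's, in marek's case).

```shell
#!/bin/sh
# Added example, not code from the thread or from grsecurity. It automates
# spender's advice: extract the inode from the grsec log line, locate the file
# with find -inum, and look up the RBAC object mode a subject gives that file.
# Assumptions (not confirmed by the thread):
#   - "library[16:07:477480]" is dev-major:dev-minor:inode, so the last field
#     is the one spender's find -inum uses;
#   - objects are "/path modes" tokens inside the subject's { ... } block, the
#     longest matching path prefix wins, and a 'w' in the mode means write.

# Constructed sample data: the log line is from the thread, the policy and
# the library paths are made up for this example.
SAMPLE_LOG='Sep 24 20:00:24 ghoul kernel: grsec: attempt to load writable library[16:07:477480] by (bash:531) UID(0) EUID(0), parent (bash:406) UID(0) EUID(0)'
SAMPLE_POLICY='/usr/sbin/chroot ol { / h }
/bin/bash o {
    / r
    /lib rwx            # too broad: every library under /lib is writable
    /lib/libc.so.6 rx   # a more specific object narrows libc back to rx
}
/sbin/init o {/ r  /var h }'

# Print the inode number from a grsec "writable library" log line.
grsec_inode() {
    printf '%s\n' "$1" | sed -n 's/.*library\[[^]]*:\([0-9][0-9]*\)\].*/\1/p'
}

# Locate the file(s) carrying that inode below MOUNTPOINT without crossing
# into other filesystems: inode numbers are only unique per filesystem.
find_by_inode() {   # find_by_inode MOUNTPOINT INODE
    find "$1" -xdev -inum "$2" 2>/dev/null
}

# Print the object mode that SUBJECT's block gives FILE (policy text on stdin).
# Prints nothing when the subject has no object covering the file.
object_mode() {     # object_mode SUBJECT FILE < policy
    sed 's/{/ { /g; s/}/ } /g' | awk -v subj="$1" -v file="$2" '
    BEGIN { state = 0; depth = 0; best = -1 }
    {
        for (i = 1; i <= NF; i++) {
            t = $i
            if (t ~ /^#/) { break }                 # comment runs to end of line
            if (state == 0) {                       # expecting a subject path
                if (t ~ /^\//) { cur = t; state = 1 }
            } else if (state == 1) {                # subject modes, then "{"
                if (t == "{") { depth = 1; state = 2 }
            } else if (state == 2) {                # inside the subject block
                if (t == "{") { depth++ } else if (t == "}") {
                    depth--; if (depth == 0) { state = 0 }
                } else if (depth == 1 && t ~ /^\//) { p = t; state = 3 }
            } else {                                # t is the mode of object p
                state = 2
                if (cur != subj) { continue }
                # "/" matches everything; otherwise match on a path-component boundary
                if (p == "/" || file == p || index(file, p "/") == 1) {
                    if (length(p) > best) { best = length(p); mode = t }
                }
            }
        }
    }
    END { if (best >= 0) { print mode } }'
}

# Succeed when a mode string grants write access.
mode_is_writable() { case "$1" in *w*) return 0 ;; *) return 1 ;; esac; }

# Demo on the constructed data:  sh thisfile.sh --demo
# (for real use, pass the live log line, the real policy on stdin and the
# mount point of the filesystem the device numbers refer to)
if [ "${1-}" = "--demo" ]; then
    ino=$(grsec_inode "$SAMPLE_LOG")
    echo "inode from log line: $ino"
    echo "files with that inode under /:"
    find_by_inode / "$ino"
    for lib in /lib/libc.so.6 /lib/ld-2.2.so /usr/lib/libz.so; do
        m=$(printf '%s\n' "$SAMPLE_POLICY" | object_mode /bin/bash "$lib")
        if mode_is_writable "$m"; then
            echo "$lib: mode '$m' lets /bin/bash write it, which is what grsec complains about"
        else
            echo "$lib: mode '$m'"
        fi
    done
fi
```

The sample policy shows the fix spender's reply implies: a broad object such as "/lib rwx" makes every library under it writable for that subject, and adding a more specific object ("/lib/libc.so.6 rx") takes the write bit away from the library the kernel is refusing to load. Run the subject lookup once for the jail's shell subject and once for the / subject, since the library is mapped under whichever subject the chrooted process ends up in.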

