
something odd here... messed up... gimped..

PostPosted: Sat Mar 08, 2003 10:20 pm
by TGKx
Mar 8 20:14:14 src@soup grsec: From 64.218.236.121: exec of /usr/bin/passwd (passwd ) by (bash:10812) UID(1006) EUID(1006), parent (bash:6702) UID(1006) EUID(1006)
Mar 8 20:14:17 src@soup grsec: From 64.218.236.121: denied open of /etc/.pwd.lock for writing by (passwd:10812) UID(0) EUID(0), parent (bash:6702) UID(1006) EUID(1006)
Mar 8 20:14:17 src@soup grsec: From 64.218.236.121: denied access to hidden file /usr/share/zoneinfo/US/Central by (passwd:10812) UID(0) EUID(0), parent (bash:6702) UID(1006) EUID(1006)

/usr/bin/passwd o {
/var/run/utmp rw
/usr/share/zoneinfo/US/Central r
/proc
/lib/libnss_compat-2.2.5.so rx
/lib/libnsl-2.2.5.so rx
/lib/libcrypt-2.2.5.so rx
/lib/libc-2.2.5.so rx
/lib/ld-2.2.5.so x
/etc rwx
/etc/shadow rw
/etc/passwd rw
/etc/nsswitch.conf r
/etc/login.defs r
/etc/ld.so.cache r
/etc/* h
/dev/tty rw
/dev/log rw
/usr/bin/passwd x
/ h
-CAP_ALL
+CAP_CHOWN
+CAP_FSETID
+CAP_SETUID
+CAP_SYS_RESOURCE
connect {
disabled
}
bind {
disabled
}
}

Can someone please tell me what is going on here? I'm running one of the newest CVS versions. .pwd.lock is a temporary file that passwd creates, and the other file is allowed at the top of the ACL.


PostPosted: Sun Mar 09, 2003 9:02 am
by goodbyte
I don't think you are allowed to have both /etc rwx and /etc/* h (or rather, rwx will apply to the directory, but all files will be hidden).
And since /usr/share/zoneinfo/US/Central is accessed through /etc/localtime, that one is denied as well...

PostPosted: Sun Mar 09, 2003 4:13 pm
by TGKx
Grsecurity isn't supposed to work on symbolic links (/etc/localtime), and the method I was using to handle /etc was a new feature added in February. The functionality of the globbing was only supposed to add entries, not overwrite existing ones. So /etc rwx allows anything read, write and execute, the ones I explicitly state override that, and /etc/* h hides everything that exists in the directory. The end result is that only non-existing files get rwx.


The /etc/localtime, though, is a good point; I'm glad you pointed it out. It appears that the globbing is picking up on symbolic links and leading to them being handled improperly?

PostPosted: Mon Mar 10, 2003 2:34 pm
by goodbyte
TGKx wrote: Grsecurity isn't supposed to work on symbolic links (/etc/localtime), and the method I was using to handle /etc was a new feature added in February. The functionality of the globbing was only supposed to add entries, not overwrite existing ones. So /etc rwx allows anything read, write and execute, the ones I explicitly state override that, and /etc/* h hides everything that exists in the directory. The end result is that only non-existing files get rwx.

Ahh I see.

TGKx wrote: The /etc/localtime, though, is a good point; I'm glad you pointed it out. It appears that the globbing is picking up on symbolic links and leading to them being handled improperly?

I've been reading through the source to gradm-1.7b and think I've found the problem: when checking for duplicate entries, file names are compared, but it is the inodes that match. I don't know the full impact of this (I may have misinterpreted the source in some way), but it could be the reason. Does it work if you set /etc/localtime r instead?

Though the lock file is still a problem...

PostPosted: Wed Mar 12, 2003 10:34 am
by TGKx
Putting /etc/localtime in the ACL might work, but since none of grsecurity is supposed to work on symbolic links, I'm going to hold off and wait till someone takes a look at what's actually going wrong. Looks like two misc. bugs that weaseled their way into the CVS when the globbing behavior got played with, is my bet.

Both bugs are probably in gradm.

Thanks :)

-TGK

PostPosted: Sun Mar 16, 2003 10:59 pm
by spender
Try the current CVS of gradm. I finally got around to updating the duplicate checking.

-Brad

PostPosted: Mon Mar 17, 2003 12:41 pm
by TGKx
Okay, will try again and post back in a few hrs. Thanks.

-TGK

PostPosted: Tue Mar 18, 2003 12:48 am
by TGKx
Duplicate ACL entry found for "/etc/issue" on line 642 of /etc/grsec/acl.
"/etc/issue" references the same object as the following object(s):
/etc/issue
specified on an earlier line.The ACL system will not load until this error is fixed.

*snip from acl*

/etc rw
/etc/mtab rw
/etc/ld.so.cache r
642 /etc/* h


Nope, no go, different error now. Also, it might make some sense to put some reporting into gradm so when you do a -R instead of a -E when it has been -D'd, it will say it ignored the reload command. Otherwise the only way to tell wtf happened is by reading the log file, and it may lead some people to leave their shields down unwittingly.

-TGK

PostPosted: Tue Mar 18, 2003 7:52 am
by spender
When did you check out that version? I made some changes to the CVS last night.

-Brad

PostPosted: Tue Mar 18, 2003 3:49 pm
by TGKx
I updated gradm about 10 minutes before my post time, so whatever that is -10 min. (not sure which timezone you are in). I didn't update grsecurity because it did not appear that any changes had been made in the changelog that would have to do with this issue. I believe my last update for that was after the suppression fix.

If you like I can try getting the newest of both when I get home this evening and can let you know.

-TGK

PostPosted: Tue Mar 18, 2003 6:38 pm
by spender
I've just put the finishing touches on grsecurity/gradm. I'm doing some testing right now. You can test it out as well. Check out both grsecurity and gradm; you'll notice I implemented the additional userspace verbosity regarding kernel authentication that you requested.

-Brad

PostPosted: Wed Mar 19, 2003 1:25 am
by TGKx
root@soup:~# gradm -E
Duplicate ACL entry found for "/etc/issue" on line 642 of /etc/grsec/acl.
"/etc/issue" references the same object as the following object(s):
/etc/issue
specified on an earlier line.The ACL system will not load until this error is fixed.

Same error; the globbing still doesn't seem to be working properly. I haven't changed the ACL, so you can refer above. This is with the newest CVS of both.

BTW, is there some reason all the ACL'd daemons I have going are enclosed in brackets? ;)

nobody 10380 0.0 0.1 12532 916 ? S 01:23 0:00 [in.identd]
nobody 30487 0.0 0.1 12532 916 ? S 01:23 0:00 [in.identd]
nobody 25772 0.0 0.1 12532 916 ? S 01:23 0:00 [in.identd]
nobody 23515 0.0 0.1 12532 916 ? S 01:23 0:00 [in.identd]
nobody 14852 0.0 0.1 12532 916 ? S 01:23 0:00 [in.identd]
nobody 19179 0.0 0.1 12532 916 ? S 01:23 0:00 [in.identd]
nobody 7655 0.0 0.1 12532 916 ? S 01:23 0:00 [in.identd]
mysql 18296 0.0 0.6 26772 3400 ? S Mar18 0:00 [mysqld]
mysql 1457 0.0 0.6 26772 3400 ? S Mar18 0:00 [mysqld]
mysql 3952 0.0 0.6 26772 3400 ? S Mar18 0:00 [mysqld]
tgk 24424 0.0 0.2 5468 1512 ? S Mar18 0:00 [sshd]

-TGK

PostPosted: Wed Mar 19, 2003 8:13 am
by spender
You don't have any ACLs for stuff in /etc after the /etc/* line, do you?

-Brad

PostPosted: Wed Mar 19, 2003 8:21 am
by spender
Also, the brackets are caused by that new ptrace patch.

-Brad

PostPosted: Wed Mar 19, 2003 6:24 pm
by TGKx
Here is the entire offending bit from the 642 error. Does the / entry count as an additional one?

/bin/mount o {
/proc/filesystems r
/lib/libc-2.2.5.so rx
/lib/ld-2.2.5.so x
/etc rw
/etc/mtab rw
/etc/ld.so.cache r
/etc/* h
/dev/null rw
/dev/hd* r
/dev/fd0 r
/bin/mount x
/
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_SYS_RAWIO
+CAP_SYS_ADMIN
connect {
disabled
}
bind {
disabled
}
}
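As an added illustration (not gradm code and not from the thread) of the two points raised above, goodbyte's observation that duplicate entries should be compared by inode rather than by name and TGKx's description of what a /etc/* glob is meant to do, here is a Python checker run over a constructed directory tree; the fixture layout, the paths and the modes are assumptions.

```python
import glob
import os
import tempfile

def build_fixture():
    # Constructed stand-in for the layout in the thread: a few files in /etc and
    # /etc/localtime as a symlink to the zoneinfo file that passwd was denied.
    root = tempfile.mkdtemp()
    for d in ("etc", "usr/share/zoneinfo/US"):
        os.makedirs(os.path.join(root, d))
    for f in ("etc/passwd", "etc/shadow", "etc/issue", "usr/share/zoneinfo/US/Central"):
        open(os.path.join(root, f), "w").close()
    os.symlink(root + "/usr/share/zoneinfo/US/Central", root + "/etc/localtime")
    return root

def object_id(path):
    # Identity of the object an entry names: device and inode, following symlinks.
    st = os.stat(path)
    return (st.st_dev, st.st_ino)

def resolve_acl(entries, root):
    # entries: (path, mode) pairs in file order, paths as written in the ACL block.
    # Semantics as described in the thread: a glob only adds objects, and an
    # explicit entry anywhere in the block wins for the object it names.
    explicit, globbed, problems = {}, {}, []
    for pattern, mode in entries:
        if any(c in pattern for c in "*?["):
            for hit in sorted(glob.glob(root + pattern)):
                globbed[hit[len(root):]] = mode
        else:
            explicit[pattern] = mode
    owner = {}  # object id -> explicit path that claimed it
    for path in explicit:
        oid = object_id(root + path)
        if oid in owner:  # two names, one inode: a name-based check misses this
            problems.append(f"{path} references the same object as {owner[oid]}")
        owner.setdefault(oid, path)
    result = dict(explicit)
    for path, mode in globbed.items():
        oid = object_id(root + path)
        # /etc/localtime from /etc/* is the zoneinfo file already listed with r, so
        # it keeps r instead of being hidden by the glob's h.
        result[path] = explicit[owner[oid]] if oid in owner else mode
    return result, problems

if __name__ == "__main__":
    modes, problems = resolve_acl([("/usr/share/zoneinfo/US/Central", "r"), ("/etc", "rwx"),
                                   ("/etc/passwd", "rw"), ("/etc/*", "h")], build_fixture())
    print(modes, problems)
```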