grsecurity forums

by **franz** » Mon Mar 21, 2011 8:01 am

Hi,
after sudo upgrade from 1.7.4.p7 to 1.8.0 my grsec policy does't work anymore (subject sudo).
After reading sudo changelog I see that the module possibility is one of the major changes, anyway I still use the old way with /etc/sudoers and it does work when grsec is disabled.

Error in messages:grsec: (franz:U:/usr/bin/sudo) denied socket(netlink,raw,0) by /usr/bin/sudo[sudo:4467] uid/euid:666/0 gid/egid:100/100, parent /bin/bash[bash:4400] uid/euid:666/666 gid/egid:100/10

Error from console:
[franz@spunk ~]$ sudo su -
sudo: unable to change to sudoers gid: Operationen inte tillåten (Operation not allowed)

Tried to rebuild rules with full learning but same with new rules
Any suggestion?

/franz

by **spender** » Mon Mar 21, 2011 8:38 am

Hi Franz,

There should be another post on the forums about this very issue, but the change you need to make is to add:

Code: Select all: sock_allow_family netlink

to your /usr/bin/sudo subject. The description of "sock_allow_family" is included in the default policy file in the gradm source. Make sure you're running the latest gradm/grsec as there were some bugs in the initial implementation of it that would cause the wrong socket family to be learned and may be the problem you experienced.

-Brad

by **franz** » Tue Mar 22, 2011 3:04 am

Hi,

well, I do already have "sock_allow_family netlink" in sudo subject for my user:

subject /usr/bin/sudo o {
user_transition_allow franz root
group_transition_allow users

/ h
/bin h
/bin/su x
/dev h
/dev/log rw
/dev/pts
/dev/tty* rw
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/pam.d
/etc/pam.d/other r
/etc/pam.d/sudo r
/etc/ppp h
/etc/samba/smbpasswd h
/etc/shadow- h
/etc/sudoers r
/etc/ssh h
/lib rx
/lib/modules h
/proc
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/stat r
/proc/sys/kernel/ngroups_max r
/usr h
/usr/bin/truecrypt x
/usr/bin/sudo x
/usr/lib rx
/usr/lib/locale/locale-archive r
/usr/share/locale/locale.alias r
/usr/share/locale/sv/LC_MESSAGES/libc.mo r
/usr/lib/gconv/gconv-modules r
/usr/share/locale r
/var h
/var/lib/sudo
/var/lib/sudo/franz
/var/lib/sudo/franz/* rwc
/var/run
/var/run/utmp r
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_RESOURCE
bind disabled
connect disabled
sock_allow_family netlink
}

Problem appears only if running sudo 1.8 not 1.7.4.p6

Console:
[franz@spunk ~]$ sudo su -
sudo: unable to change to sudoers gid: Operation not allowed

Messages:
grsec: (franz:U:/usr/bin/sudo) change to gid 0 denied for /usr/bin/sudo[sudo:21210] uid/euid:666/0 gid/egid:100/100, parent /bin/bash[bash:18131] uid/euid:666/666 gid/egid:100/100

/franz

by **spender** » Tue Mar 22, 2011 7:38 am

Ok, what you just pasted though is a different error than the original post.

Change this line:

Code: Select all: group_transition_allow users

to:

Code: Select all: group_transition_allow users root

-Brad

by **franz** » Mon Mar 28, 2011 1:19 am

Did rebuld all policies and as you said the "group_transition_allow users root" was the key.
Thanks!

/franz

by **PingLord** » Mon Sep 22, 2014 9:45 am

Hello,

I have kind of the same problem.The same build of grsec with kernel is across 12 servers.This is the only server where i cannot do

Code: Select all: sudo su -

with my user with RBAC enabled . The logs show the following :

Code: Select all: (sebastian:U:/usr/bin/sudo) change to uid 502 denied for /usr/bin/sudo[sudo:865] uid/euid:502/0 gid/egid:502/502, parent /bin/bash[bash:29671] uid/euid:502/502 gid/egid:502/502

The console for the user shows the following :

Code: Select all: sudo: setresuid(user_uid, user_uid, ROOT_UID): Operation not permitted

The permissions on the user :

Code: Select all: role sebastian u # Role: sebastian subject / { / h /bin x /dev h /dev/null w /dev/pts rw /dev/tty rw /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/ppp h /etc/samba/smbpasswd h /etc/shadow h /etc/shadow- h /etc/ssh h /home h /home/sebastian r /lib64 rx /lib64/modules h /opt h /opt/rh/mysql55/root/usr/lib64 /proc /proc/bus h /proc/filesystems r /proc/kallsyms h /proc/kcore h /proc/meminfo r /proc/modules h /proc/slabinfo h /proc/sys h /selinux /tmp wc /usr h /usr/bin rx /usr/lib h /usr/lib/locale/locale-archive r /usr/lib64 h /usr/lib64/gconv/gconv-modules.cache r /usr/share h /usr/share/terminfo r -CAP_ALL +CAP_SETUID bind disabled connect 0.0.0.0/0 stream tcp sock_allow_family netlink }

The sudo subject for the user :

Code: Select all: # Role: sebastian subject /usr/bin/sudo o { user_transition_allow root group_transition_allow root sebastian / h /bin h /bin/su /dev h /dev/console /dev/log rw /dev/pts /dev/tty rw /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/pam.d /etc/pam.d/other r /etc/pam.d/sudo r /etc/pam.d/system-auth-ac r /etc/ppp h /etc/samba/smbpasswd h /etc/shadow h /etc/shadow- h /etc/ssh h /lib64 rx /lib64/modules h /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /selinux /usr h /usr/bin h /usr/bin/sudo x /usr/lib h /usr/lib/locale/locale-archive r /usr/lib64 rx /usr/libexec h /usr/libexec/sudoers.so rx /usr/share h /usr/share/locale r -CAP_ALL +CAP_SETGID +CAP_SETUID +CAP_SYS_RESOURCE +CAP_AUDIT_WRITE bind disabled connect disabled sock_allow_family netlink }

Any help appreciated.

by **spender** » Mon Sep 22, 2014 9:47 pm

Code: Select all: user_transition_allow root

needs to be changed to:

Code: Select all: user_transition_allow root sebastian

as evidenced by the log message.

Thanks,
-Brad

by **PingLord** » Tue Sep 23, 2014 5:42 am

It worked.Thank you very much.Sorry for not figuring it out.

Thank you again

grsecurity forums

sudo 1.8.0

sudo 1.8.0

Re: sudo 1.8.0

Re: sudo 1.8.0

Re: sudo 1.8.0

Re: sudo 1.8.0

Re: sudo 1.8.0

Re: sudo 1.8.0

Re: sudo 1.8.0