PLESK and grsecurity


Re: PLESK and grsecurity

Post by HiddenUser » Tue Jul 10, 2012 10:57 am

OK. What would I lose if I swap from the Debian kernel source to a vanilla one? From a security or stability perspective, because it's a production server environment.

Re: PLESK and grsecurity

Post by spender » Tue Jul 10, 2012 11:03 am

I run Debian myself with a grsecurity-patched vanilla kernel. You won't have any problems.

-Brad

Re: PLESK and grsecurity

Post by HiddenUser » Wed Jul 11, 2012 6:56 am

Hi,

I compiled a few different kernels to check which features stop sw-engine-cgi from being managed. It seems it's a problem with the proc restrictions from grsecurity, so I disabled it for the group sw-cp-server. Correct me if I am wrong, but this means that all users in psaadm now have the same rights as they would have without the patch? Is there something you would add from a security perspective?

Code:
CONFIG_GRKERNSEC_PROC_GID=1001
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC=y
Last edited by HiddenUser on Wed Jul 11, 2012 1:53 pm, edited 1 time in total.

Re: PLESK and grsecurity

Post by spender » Wed Jul 11, 2012 7:25 am

It just means that process can view all processes on the system and access network related information. So as far as that particular feature is concerned, it would act like a normal system.

-Brad

Re: PLESK and grsecurity

Post by HiddenUser » Fri Jul 13, 2012 2:47 pm

I want to say thank you for the time you spent; it seems that the problem is fixed. I decided to create an additional group in which I put all users that need access to proc. Besides that, I recognized another problem, which appears as different segfaults.

Code:
Jul 11 20:57:17 alpha kernel: [12221.297480] erlexec[2271]: segfault at 4 ip 000003b6736cfa56 sp 000003ffffffa170 error 6 in libc-2.11.3.so
Jul 12 09:30:48 alpha kernel: [57432.390355] erlexec[9159]: segfault at 4 ip 000003bdf2356a56 sp 000003ffffff9bb0 error 6 in libc-2.11.3.so[3bdf22ba000+159000]

Jul 11 20:57:17 alpha kernel: [12221.297480] pop3login[9566]: segfault at 0 ip 000002d872c94cf2 sp 000003dc19606788 error 4 in libc-2.11.3.so[2d872c19000+159000]
Jul 13 16:26:44 alpha kernel: [168788.710922] pop3login[9566]: segfault at 0 ip 000002d872c94cf2 sp 000003dc19606788 error 4 in libc-2.11.3.so[2d872c19000+159000]

Jul 12 14:56:12 alpha kernel: [76956.461198] php5-cgi[22679]: segfault at 3a96b772ff8 ip 00000000006ab3b3 sp 000003a96b773000 error 6 in php5-cgi[400000+6fa000]
Jul 12 14:56:24 alpha kernel: [76968.176999] php5-cgi[22715]: segfault at 3999fd9ffe8 ip 00000000006a3ae0 sp 000003999fda0018 error 6 in php5-cgi[400000+6fa000]
Jul 12 14:56:28 alpha kernel: [76972.974768] php5-cgi[22717]: segfault at 3bfc702dfc8 ip 00000000006d5b91 sp 000003bfc702dfd0 error 6 in php5-cgi[400000+6fa000]
Jul 12 14:56:44 alpha kernel: [76988.422946] php5-cgi[22761]: segfault at 3e55af50f98 ip 0000032855bf2110 sp 000003e55af50fa0 error 6 in suhosin.so[32855bd9000+24000]
Jul 12 14:57:04 alpha kernel: [77008.187716] php5-cgi[22800]: segfault at 3cb0202ff88 ip 000000000068d728 sp 000003cb0202ff50 error 6 in php5-cgi[400000+6fa000]


Do you have an idea how to manage that? It's now a 3.2.22 kernel.

P.S.: I just noticed that I enabled those two features in the new one:

Code:
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y

Re: PLESK and grsecurity

Post by HiddenUser » Sat Jul 14, 2012 4:37 am

Hi,

I fixed it by disabling the CONFIG_GRKERNSEC_SYSFS_RESTRICT.

Re: PLESK and grsecurity

Post by spender » Sat Jul 14, 2012 9:44 am

Hi,

Could you strace some of these and tell me what files in /sys they were attempting to access? It would help me improve the compatibility of the feature.

-Brad

Re: PLESK and grsecurity

Post by HiddenUser » Sun Jul 15, 2012 6:38 am

Hi Brad,

Sure, but those files will be called ad hoc by other processes, so it's a bit hard for me to get the PID (if there is one) before the process is dead.

- erlexec is called from ejabberd when starting via init.d
- php5-cgi is called to call shell scripts
- pop3login is called from a webserver or Plesk

Is there any way to monitor those processes as soon as they pop up, or simply when they get accessed? strace seems a bit uncomfortable there. php5-cgi was one of the processes which was a bit easier to get, because it stays a few seconds in the process viewer.

P.S.:

I just noticed this in syslog, and ejabberd is the program that definitely won't start if fs_restrict is enabled:
Code:
Jul 15 10:15:20 alpha su[23277]: + /dev/console root:ejabberd
Jul 15 10:15:20 alpha kernel: [   34.503896] erlexec[2677]: segfault at 4 ip 0000036d68482a56 sp 000003ffffffa530 error 6 in libc-2.11.3.so[36d683e6000+159000]

php5-cgi:
Code:
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={60, 0}}, NULL) = 0
write(3, "\1\6\0\1\1\237\1\0Expires: Thu, 19 Nov 198"..., 440) = 440
shutdown(3, 1 /* send */)               = 0
recvfrom(3, "\1\5\0\1\0\0\0\0", 8, 0, NULL, NULL) = 8
recvfrom(3, "", 8, 0, NULL, NULL)       = 0
close(3)                                = 0
open("/dev/urandom", O_RDONLY)          = 3
read(3, "\204\325H\4K\305\v\326", 8)    = 8
close(3)                                = 0
open("/dev/urandom", O_RDONLY)          = 3
read(3, "\17\30f\265g\17\341\343", 8)   = 8
close(3)                                = 0
open("/dev/urandom", O_RDONLY)          = 3
read(3, "\316W\246k\215\5bp", 8)        = 8
close(3)   

P.S.: I am currently operating far beyond what I understand about Unix. So I want to say sorry if I am wasting your time with totally useless logs.

Re: PLESK and grsecurity

Post by spender » Mon Jul 16, 2012 7:24 am

Use strace -f instead of just strace, it will strace through to all child processes, so you don't have to "catch" one at the right time.

-Brad
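
Added example, not part of the original posts: one way to pull the /sys accesses asked about above out of a `strace -f` log and tie them to the process that later segfaulted. The sample trace, its pids and the /sys paths are constructed for illustration and are not the files the crashing programs actually touched.

```python
import re

# Constructed sample of `strace -f -o trace.log -e trace=file <command>` output.
# Pids, paths and results are illustrative only (assumption, not from the thread).
SAMPLE = """\
2677  execve("/path/to/erlexec", ["erlexec"], [/* 12 vars */]) = 0
2677  open("/etc/ld.so.cache", O_RDONLY) = 3
2677  open("/sys/devices/system/cpu/online", O_RDONLY) = -1 EACCES (Permission denied)
2678  stat("/sys/devices/system/cpu", 0x3ffffffa100) = -1 EACCES (Permission denied)
[pid  2679] open("/sys/devices/system/cpu/online", O_RDONLY|O_CLOEXEC) = 3
2677  --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x4} ---
2677  +++ killed by SIGSEGV +++
"""

# strace -f prefixes lines with "[pid N]" (terminal) or "N" (with -o).
PID = r'^(?:\[pid\s+(\d+)\]\s+|(\d+)\s+)?'
CALL = re.compile(PID + r'(\w+)\((?:AT_FDCWD, )?"([^"]*)".*\)\s+=\s+(-?\d+)(?:\s+(E\w+))?')
KILLED = re.compile(PID + r'\+\+\+ killed by (\w+)')

def parse(trace):
    """Return (sysfs_calls, killed): /sys accesses and pid -> fatal signal."""
    calls, killed = [], {}
    for line in trace.splitlines():
        m = KILLED.match(line)
        if m:
            killed[m.group(1) or m.group(2) or "?"] = m.group(3)
            continue
        m = CALL.match(line)
        if not m:
            continue  # signals, unfinished/resumed calls, non-path syscalls
        pid = m.group(1) or m.group(2) or "?"
        name, path, ret, err = m.group(3), m.group(4), int(m.group(5)), m.group(6)
        if path == "/sys" or path.startswith("/sys/"):
            calls.append((pid, name, path, ret, err))
    return calls, killed

def report(trace):
    """Denied /sys paths per pid, with the signal that killed that pid (if any)."""
    calls, killed = parse(trace)
    out = {}
    for pid, name, path, ret, err in calls:
        if ret < 0:
            out.setdefault(pid, {"signal": killed.get(pid), "denied": []})
            out[pid]["denied"].append((name, path, err))
    return out

if __name__ == "__main__":
    for pid, info in report(SAMPLE).items():
        print(pid, info["signal"], info["denied"])
```
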
