grsecurity forums

by **jlaurmi** » Sun Feb 23, 2003 1:20 pm

I get the following errors every time I log in to my system through ssh.

Feb 23 17:03:07 oblivion kernel: grsec: From xxx.xxx.xxx.xxx: denied access to pid/mem entry of (sshd:27612) UID(0) EUID(0), parent (sshd:564) UID(0) EUID(0) by (sshd:27612) UID(0) EUID(0), parent (sshd:564) UID(0) EUID(0)
Feb 23 17:03:07 oblivion kernel: grsec: From xxx.xxx.xxx.xxx: denied access to pid/mem entry of (sshd:27612) UID(0) EUID(0), parent (sshd:564) UID(0) EUID(0) by (sshd:27612) UID(0) EUID(0), parent (sshd:564) UID(0) EUID(0)

sshd's acl entry:

# the d flag protects /proc fd and mem entries for sshd
/usr/sbin/sshd d {
/dev/log rw
/var/log/wtmp w
/var/log/lastlog rw

bind {
xxx.xxx.xxx.xxx:22 stream tcp
}
connect {
xxx.xxx.xxx.xxx/xx stream dgram tcp udp
}
}

It's obvious that sshd's subject flag has something to do with this, but it isn't documented anywhere. I just want to know whether I can safely remove the d flag or how can I stop sshd from accessing pid/mem file.

--
Jari Laurila

by **spender** » Sun Feb 23, 2003 4:13 pm

What version of OpenSSH do you use? I've gotten one other report of this, but it does not happen on any of my systems, which are running 3.5p1 on debian.

-Brad

by **jlaurmi** » Mon Feb 24, 2003 10:29 am

I am using 3.5p1 on RedHat 7.3. Could it be some sshd option causing this?
My sshd is using standard settings documented in sshd_config man page.
Kernel version is 2.4.20 and grsec version is 1.9.9b.

--
Jari Laurila

by **TGKx** » Mon Feb 24, 2003 12:23 pm

My money is on some kind of wierd pam issue. Down with pam

!

by **spender** » Mon Feb 24, 2003 3:05 pm

The only thing i can forsee being the culprit is this:

from ssh_prng_cmds.in:

"ls -alni /proc" @PROG_LS@ 0.02

That would cause them to enter the fd directory, and upon listing it would generate the alert.

Try putting your sshd in learning mode, and check for large numbers of accesses to /proc that would confirm this idea.

-Brad

by **jlaurmi** » Mon Feb 24, 2003 3:20 pm

I did some debugging and found out what caused those messages.

strace from debug session:
readlink("/proc/self/fd/9", "/dev/pts/4", 4095) = 10
readlink("/proc/self/fd/0", "/dev/pts/2", 4095) = 10

These operations generate the misleading "denied access to pid/mem entry" messages. I would still like to know how to fix this though.

--
Jari Laurila

by **jlaurmi** » Mon Feb 24, 2003 3:54 pm

The problem doesn't seem to relate to pam either because I compiled sshd from source without pam support and it still read the same files.

by **jlaurmi** » Mon Feb 24, 2003 4:37 pm

I started to examine the libraries which are used by sshd and only place where the string "/proc/self/fd" was found was libc.so.6. I have reproduced the bug on two systems. One is running RedHat 7.3 and the other RedHat 8.0. glibc versions are 2.2.5 and 2.2.93.
--
Jari Laurila

by **Xeper** » Tue Sep 23, 2003 4:40 pm

Like the topic said its just a 'ssh' problem, i cannot login on any machine as user:

xeper@gateway:~$ ssh -l xeper `cat Striker.txt`
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password,keyboard-interactive).

I didnt have a chance to type a password its just do all automatic :cry:

If i use (dsa)-keys then i've no problem anymore.

grsecurity forums

sshd - denied pid/mem access

sshd - denied pid/mem access

big 'ssh' problem