sshd - denied pid/mem access

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

sshd - denied pid/mem access

Postby jlaurmi » Sun Feb 23, 2003 1:20 pm

I get the following errors every time I log in to my system through ssh.

Feb 23 17:03:07 oblivion kernel: grsec: From xxx.xxx.xxx.xxx: denied access to pid/mem entry of (sshd:27612) UID(0) EUID(0), parent (sshd:564) UID(0) EUID(0) by (sshd:27612) UID(0) EUID(0), parent (sshd:564) UID(0) EUID(0)
Feb 23 17:03:07 oblivion kernel: grsec: From xxx.xxx.xxx.xxx: denied access to pid/mem entry of (sshd:27612) UID(0) EUID(0), parent (sshd:564) UID(0) EUID(0) by (sshd:27612) UID(0) EUID(0), parent (sshd:564) UID(0) EUID(0)

sshd's acl entry:

# the d flag protects /proc fd and mem entries for sshd
/usr/sbin/sshd d {
/dev/log rw
/var/log/wtmp w
/var/log/lastlog rw

bind {
xxx.xxx.xxx.xxx:22 stream tcp
}
connect {
xxx.xxx.xxx.xxx/xx stream dgram tcp udp
}
}

It's obvious that sshd's subject flag has something to do with this, but it isn't documented anywhere. I just want to know whether I can safely remove the d flag or how can I stop sshd from accessing pid/mem file.

--
Jari Laurila
jlaurmi
 
Posts: 9
Joined: Fri Jun 28, 2002 7:46 am

Postby spender » Sun Feb 23, 2003 4:13 pm

What version of OpenSSH do you use? I've gotten one other report of this, but it does not happen on any of my systems, which are running 3.5p1 on debian.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby jlaurmi » Mon Feb 24, 2003 10:29 am

I am using 3.5p1 on RedHat 7.3. Could it be some sshd option causing this?
My sshd is using standard settings documented in sshd_config man page.
Kernel version is 2.4.20 and grsec version is 1.9.9b.

--
Jari Laurila
jlaurmi
 
Posts: 9
Joined: Fri Jun 28, 2002 7:46 am

Postby TGKx » Mon Feb 24, 2003 12:23 pm

My money is on some kind of wierd pam issue. Down with pam :x !
TGKx
 
Posts: 50
Joined: Wed Feb 19, 2003 4:39 am

Postby spender » Mon Feb 24, 2003 3:05 pm

The only thing i can forsee being the culprit is this:

from ssh_prng_cmds.in:

"ls -alni /proc" @PROG_LS@ 0.02

That would cause them to enter the fd directory, and upon listing it would generate the alert.

Try putting your sshd in learning mode, and check for large numbers of accesses to /proc that would confirm this idea.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby jlaurmi » Mon Feb 24, 2003 3:20 pm

I did some debugging and found out what caused those messages.

strace from debug session:
readlink("/proc/self/fd/9", "/dev/pts/4", 4095) = 10
readlink("/proc/self/fd/0", "/dev/pts/2", 4095) = 10

These operations generate the misleading "denied access to pid/mem entry" messages. I would still like to know how to fix this though.

--
Jari Laurila
jlaurmi
 
Posts: 9
Joined: Fri Jun 28, 2002 7:46 am

Postby jlaurmi » Mon Feb 24, 2003 3:54 pm

The problem doesn't seem to relate to pam either because I compiled sshd from source without pam support and it still read the same files.
jlaurmi
 
Posts: 9
Joined: Fri Jun 28, 2002 7:46 am

Postby jlaurmi » Mon Feb 24, 2003 4:37 pm

I started to examine the libraries which are used by sshd and only place where the string "/proc/self/fd" was found was libc.so.6. I have reproduced the bug on two systems. One is running RedHat 7.3 and the other RedHat 8.0. glibc versions are 2.2.5 and 2.2.93.
--
Jari Laurila
jlaurmi
 
Posts: 9
Joined: Fri Jun 28, 2002 7:46 am

big 'ssh' problem

Postby Xeper » Tue Sep 23, 2003 4:40 pm

Like the topic said its just a 'ssh' problem, i cannot login on any machine as user:

xeper@gateway:~$ ssh -l xeper `cat Striker.txt`
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password,keyboard-interactive).

I didnt have a chance to type a password its just do all automatic :cry:

If i use (dsa)-keys then i've no problem anymore.
Xeper
 
Posts: 5
Joined: Thu Jun 05, 2003 5:55 pm


Return to grsecurity support