permission denied when doing "gradm -D"

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

permission denied when doing "gradm -D"

Postby filigran » Sat Mar 01, 2003 12:27 pm

I'm new to grsec and gradm, so I don't really know how to solve this.. I looked around the forum posts but didn't find anything similar so here it goes:

When I ran 'gradm -E' it executed without problems, but I can't save files or anything, guess I didn't have enough knowledge.. I thought the default ACL file had thre right permissions, but I guess not. Now when I do 'gradm -D' (as root) it asks for my password, and after I type that in and press Enter it says:

grsec: denied open of /proc/sys/kernel/grsecurity/acl for writing by (gradm:8147) UID(0) EUID(0), parent (bash:17588) UID(0) EUID(0)
Could not open /proc/sys/kernel/grsecurity/acl
open: permission denied

I don't know what to do.. is it gradm? Or is it the grsecurity options I compiled in into my kernel?

I'm using Debian 3.0rc1, kernel 2.4.20 and grsec 1.9.9c and gradm 1.7b. I guess I could reboot and see if it works, but I don't know if grsec/gradm is in a startupscript somewhere, so I don't really want to.. perhaps it locks my comp and I'm unable to log in at all.

//filigran - http://filigran.no-ip.org - filigran-@spray.se
filigran
 
Posts: 2
Joined: Sat Mar 01, 2003 12:17 pm

Postby TGKx » Sat Mar 01, 2003 3:26 pm

Grsec doesnt enable itself by default, so you are safe rebooting it will clear out your acls.

What this looks like to me is that your acl didnt even give enough rights to gradm to disable itself ;). I'm not ultra familiar w/ how grsecurity interfaces with gradm (havent looked over the source yet). But did you do a make install for gradm? If its installed in sbin and it sets up its /etc/grsec directory properly you shouldnt have these problems.

If you did a proper install and you typed the right password ( :x ) you might want to set /proc in your / { } rule to rwx. Thats what I have mine set to and that should allow gradm to communicate with grsec.

Hope this helps you some.

-TGK
TGKx
 
Posts: 50
Joined: Wed Feb 19, 2003 4:39 am

Postby spender » Sat Mar 01, 2003 11:18 pm

gradm can be executed from anywhere, and will automatically set up an ACL for itself, that disallows it access to everything but the /proc/sys/kernel/grsecurity/acl file. What you must have done was done a make install, which installed gradm in /sbin, but you did a ./gradm -E from the gradm source dir, so only the gradm in the source dir would be able to disable the system.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby filigran » Mon Mar 03, 2003 10:05 am

Yeah, I ran "./gradm -E" in the source dir :) Perhaps I should read a little more about it before I try to start it the next time ;)

Thanks for your help.

//filigran - http://filigran.no-ip.org - filigran-@spray.se
filigran
 
Posts: 2
Joined: Sat Mar 01, 2003 12:17 pm

gradm issue

Postby pgpkeys » Sat Mar 22, 2003 3:48 am

I have a similar issue in that I get errors. But in this case after doing a make make install and then setting the system password I get errors about invalid password for every subsequent command that requires a password.

And yes. I am damn sure it's the right password. I've evne tried deleting the /etc/grsec directory and retrying an install of gradm. Also a no go.

David D.W. Downey
pgpkeys
 
Posts: 1
Joined: Sat Mar 22, 2003 3:45 am


Return to grsecurity support

cron