grsec (high) and wget

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

grsec (high) and wget

Postby manta » Wed Apr 09, 2003 10:21 am

i always get segmention fault with wget.

here is the strace resoult of it.
http://www.dhcp.nu/wget.txt

i compiled kernel 2.4.20 with grsec. grsec is on high mode.

any idea what to do?
manta
 
Posts: 5
Joined: Wed Apr 09, 2003 10:17 am

Re: grsec (high) and wget

Postby PaX Team » Wed Apr 09, 2003 1:10 pm

manta wrote:i always get segmention fault with wget.
1. what version of grsec?
2. what version of wget? (the strace output is weird a bit, for example my wget 1.8.2 doesn't call semop/semget/ipc_subcall, maybe you could put the wget binary on the web too?)
3. try to disable PaX features with chpax and see if anything helps.
4. ultimately, you can try to debug it with gdb and see what happens exactly (for now it looks like an application bug).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby manta » Wed Apr 09, 2003 3:14 pm

its the latest version of grsec.
and 1.8.2 of wget.
i have tried to recompile wget, but doesn't help.
seems like its something to do with the random feutures of grsec that crashes wget.

and pax, well..
i thought that was for X?
i only use console.
manta
 
Posts: 5
Joined: Wed Apr 09, 2003 10:17 am

Postby manta » Wed Apr 09, 2003 3:25 pm

this is my setup of grsec. can you see anything here that can cause wget to crash?

Address Space Protection:
[*] Enforce non-executable pages
[*] Disable privileged I/O
[*] Remove addresses from /proc/pid/maps
[*] Hide kernel symbols

ACL options:
[*] Hide kernel processes

Filesystem Protections:
[*] Proc restrictions
[*] Restrict to user only
[*] Additional restrictions
[*] Linking restrictions
[*] FIFO restrictions

Kernel Auditing:
[*] Exec logging
[*] Resource logging

Executable Protections:
[*] Dmesg(8) restriction
[*] Randomized PIDs

Network Protections:
[*] Larger entropy pools
[*] Truly random TCP ISN selection
[*] Randomized IP IDs
[*] Randomized TCP source ports
[*] Randomized RPC XIDs
[*] Altered Ping IDs

Sysctl support:
[*] Sysctl support
manta
 
Posts: 5
Joined: Wed Apr 09, 2003 10:17 am

Postby PaX Team » Wed Apr 09, 2003 4:45 pm

manta wrote:and 1.8.2 of wget. i have tried to recompile wget, but doesn't help.
can you put it on the web?
seems like its something to do with the random feutures of grsec that crashes wget.
try 'chpax -r' then and see if it works. btw, chpax is for controlling PaX features for any app that needs it, the XFree86 server is just one example (and there's actually a solution that makes it run with all of PaX active on it, but i digress).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby manta » Wed Apr 09, 2003 6:50 pm

well. belive it or not
the wget file under /usr/local/bin segfaults.
the wget file under /usr/bin doesn't.
i just copied it to /usr/local/bin, and everything works fine.
but this version of wget is 1.7.

weird
manta
 
Posts: 5
Joined: Wed Apr 09, 2003 10:17 am

Postby manta » Thu Apr 10, 2003 10:52 am

well.
as a last update, i recently installed wget 1.8, and everything works fine.
guess it was something to do with 1.8.1 and 1.8.2. none of them worked.
manta
 
Posts: 5
Joined: Wed Apr 09, 2003 10:17 am


Return to grsecurity support