grsecurity forums

by **spender** » Wed Apr 23, 2003 9:06 am

Yes, The "?" character matches exactly one character.

As for the possibility of the /etc/shadow.pid thing, it wouldn't be possible because of the way the system is implemented. Plus, it would be incredibly slow. I would recommend using a passwd binary that uses a single /etc/.pwd.lock file.

-Brad

by **Murphy** » Thu Apr 24, 2003 7:52 pm

miha wrote:"grsec: From 64.202.110.30: denied link of /etc/shadow.2910 to /etc/shadow.lock by (passwd:2910) UID(0) EUID(0), parent (bash:21417) UID(502) EUID(502)"

I had the same thing on slackware-9.0
Passwd creates temp. file /etc/shadow.<PID_OF_PASSWD>
I had to enable rw on /etc for passwd to make things work

Question to Brad - is it possible to make such ACL that will work with passwd in described way? We never know what will be the PID of passwd next time you run it.
Default ACL has this - '/dev/tty?? rw', does it mean /dev/tty<ANY_2_LETTERS/DIGITS_HERE>?

Mikhail.

but it wont let me set /etc rw and that doesnt sound safe at all, especially for this box. It's a server and a lot of people use it. Now I can't even run passwd as root after doing gradm -a. It's denied. I'm really lost at this point.

by **miha** » Thu Apr 24, 2003 8:44 pm

Code: Select all: /usr/bin/passwd Xo { /var/run/utmp rw /etc/login.defs r /usr/share/zoneinfo r /usr/lib rx /usr/lib/cracklib_dict.pwi r /usr/lib/cracklib_dict.pwd r /usr/lib/cracklib_dict.hwm r /proc r /lib/security rx /lib rx /etc/shadow rw /etc/passwd rw /etc/pam.d r /etc/nsswitch.conf r /etc/nshadow rw /etc/npasswd rw /etc/ld.so.preload r /etc/ld.so.cache r /etc/.pwd.lock w /etc rw /dev/log rw /usr/bin/passwd x /etc/grsec h / h -CAP_ALL +CAP_CHOWN +CAP_FSETID +CAP_SYS_RESOURCE +CAP_SETGID +CAP_SETUID connect { disabled } bind { disabled } }

This ACL will work on slackware-9.0.

by **Murphy** » Fri Apr 25, 2003 3:18 pm

Thanks a lot. The problem is solved now.

by **spender** » Fri Apr 25, 2003 8:56 pm

BTW, if you're worried about the /etc rw rule, add a /etc/* h rule after the /etc rw rule. This way they will only be able to create new files in /etc, but not modify anything that is already there (minus the other ones you have specified: /etc/shadow, etc)

-Brad

by **Murphy** » Sat Apr 26, 2003 1:11 am

Thanks I did that too. I now have a new problem regarding ftpd. I tried to make my own ACL but it didn't seem to work:

Code: Select all: /usr/sbin/proftpd { /var/run/utmp rw /var/run/wtmp rw /var/log/proftpd.log rw /var/run/proftpd rw /var/log r /proc r /etc/login.defs r /usr/share/zoneinfo r /lib rx /usr/lib rx /usr/lib/cracklib_dict.pwi r /usr/lib/cracklib_dict.pwd r /usr/lib/cracklib_dict.hwm r /etc rx /dev/log rw /usr/sbin/proftpd x /etc/grsec h / /etc/proftpd.conf r -CAP_ALL +CAP_CHOWN +CAP_FSETID +CAP_SYS_RESOURCE +CAP_SETGID +CAP_SETUID }

Does anyone know what I'm doing wrong here? miha, I was wondering if you had an ACL for proftpd to run under Slackware 9? At first I was receiving more error messages, now the only ones I receive are:

grsec: From 64.202.110.30: attempted socket(2,1,0) by (tcpd:17504) UID(0) EUID(0), parent (inetd:6175) UID(0) EUID(0)

grsec: From 64.202.110.30: attempted socket(2,1,6) by (proftpd:17504) UID(0) EUID(99), parent (inetd:6175) UID(0) EUID(0)

Any help on this issue would be greatly appreciated. Thanks.

by **spender** » Sat Apr 26, 2003 12:20 pm

That shouldn't happen. The only time you should get socket denied errors is if you have some IP ACLs set up for that subject. Are you also using the other socket restrictions in grsecurity, the per-GID ones?

-Brad

by **Murphy** » Sat Apr 26, 2003 4:12 pm

I never setup any IP ACLs, I simply used the "high security" setting in the kernel configuration. The only ACLs I've added are for /usr/bin/passwd and the one above for /usr/sbin/proftpd, which didn't work obviously.[/i]

grsecurity forums

Cannot lock the password file; try again later.