Strange things with non-auth roles and role inheritance

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby fd0 » Fri Jun 06, 2003 5:42 pm

Hi,

While testing grsec2 I noticed that special roles without passwords don't seem to work:

role test sN

Testing it as my user, which has role_transitions set to test:
$ /sbin/gradm -n test
Invalid password.

in the logs:
kernel: grsec: special role test failure for (gradm:32242) uid/euid:1000/1000 gid/egid:1000/1000, parent (bash:922) uid/euid:1000/1000 gid/egid:1000/1000

There is of course no password set for 'test'.
Then I tried to use that role as an auth-role by removing the N and setting a password for test before reloading the acl-system, but now the acl-system refuses to reload or work:

# gradm -R
Password:
You are using incompatible versions of gradm and grsecurity.

log:
kernel: grsec: From 192.168.101.52: Failed reload of grsecurity 2.0 for (gradm:10962) uid/euid:0/0 gid/egid:0/0, parent (bash:9160) uid/euid:0/0 gid/egid:0/0

From now on the acl-system is disabled completely and I'm unable to activate it again:

# gradm -E
You are using incompatible versions of gradm and grsecurity.
Please update both versions to the ones available on the website.

# gradm -D
Password:
Your request was ignored, please check the kernel logs for more info.
Invalid password.

logs:
kernel: grsec: From 192.168.101.52: Unable to load grsecurity 2.0 for (gradm:97) uid/euid:0/0 gid/egid:0/0, parent (bash:9160) uid/euid:0/0 gid/egid:0/0 ACL system may already be enabled.
grsec: From 192.168.101.52: ignoring shutdown for disabled acl for (gradm:31505) uid/euid:0/0 gid/egid:0/0, parent (bash:9160) uid/euid:0/0 gid/egid:0/0

After setting N on the 'test' role again, one can reactivate it and it works the normal way, except for the ability to use the non-auth role test, as described above.



The second is that a role with G set seems to inherit some things from the default role. I have a role for my user ("fd0") set up, where /tmp is r. When this role is used without G, /tmp really is r, but as soon as I set G /tmp is rw, according to the default-role (verified that by setting /tmp r in the default role and it was r when logging in as my user).

AFAIK if a user role exists for a particular user, that role and only that role is applied. Is that right (I'm a bit confused right now ;)?

- Alexander
fd0
 
Posts: 6
Joined: Fri Jun 06, 2003 8:50 am

Postby spender » Fri Jun 06, 2003 6:43 pm

Can you add -DGRADM_DEBUG to the CFLAGS in gradm, run that against your ACL set, and mail me both your ACL set and the output of this debugging?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby fd0 » Fri Jun 06, 2003 7:11 pm

Just sent the requested information to you.

Thanks,

- Alexander
fd0
 
Posts: 6
Joined: Fri Jun 06, 2003 8:50 am

Postby spender » Fri Jun 06, 2003 7:12 pm

Whoops, can you resend? I accidentally deleted it thinking it was an automated mail from the forums.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby fd0 » Fri Jun 06, 2003 7:28 pm

Done.

- Alexander
fd0
 
Posts: 6
Joined: Fri Jun 06, 2003 8:50 am

role without auth and the like

Postby pappy » Fri Jun 13, 2003 6:41 pm

hi Alex,

Did you notice that you set the transition only from user fd0?

Also, when the password is set, one can actually enable the role without giving the password, but you must set the password once.

I think this is for scripts or something like this...

You cannot test it from your root account when you say that the transition should only be possible from user fd0.


HTH, see you in irc,

Alex
pappy
 
Posts: 3
Joined: Wed May 14, 2003 9:47 am
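As an added illustration of the setup discussed in this thread (a constructed policy, not the poster's own, and assuming the role/subject syntax of the gradm 2.0 series), this is how the passwordless special role, the user role that is allowed to transition to it, and the default role that is not fit together:

```text
# Constructed example policy; paths and permissions are illustrative only.

role admin sA
subject / rvka
	/				rwcdmlxi

# Default role: users with no matching user/group role land here.
# It has no role_transitions line, so nobody acting under it (root
# included) can switch to the special role with 'gradm -n test'.
role default G
subject /
	/				r
	/tmp				rw
	-CAP_ALL

# User role for fd0. Only processes running under this role may
# transition to 'test'; the transition check comes before any
# password check, which is why testing from root fails.
role fd0 u
role_transitions test
subject /
	/				r
	/tmp				r
	-CAP_ALL

# Special role without a password (N = no authentication). Anyone whose
# current role lists 'test' in role_transitions can enter it, so keep
# that list narrow, since the role's subject grants extra access.
role test sN
subject /
	/				r
	/tmp				rw
	-CAP_ALL
```

Attempts to enter the special role from a role that does not permit the transition are logged by the kernel as "grsec: special role test failure for (gradm:...)", as in the log line quoted in the first post, so those messages are worth watching for.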

Postby spender » Sun Jun 15, 2003 3:38 pm

There was a problem with passing special roles to the kernel (basically the first one copied correctly, but the rest would not, and the ACL system wouldn't load) that has been resolved in current CVS.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby fd0 » Wed Jun 25, 2003 5:30 pm

I just tried with rc1, it works now. The new modes are _really_ cool, thanks Brad!

- Alexander
fd0
 
Posts: 6
Joined: Fri Jun 06, 2003 8:50 am

