nscd

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

nscd

Postby aiwntrmute » Wed Dec 10, 2003 1:25 pm

We are using Redhat Enterprise Linux 3.0. I just installed a vanilla kernel with grsec.
Kernel = 2.4.23, Grsec = 1.9.13
I've compiled grsecurity with medium security. For some reason nscd is kept being killed by grsecurity. This has never happened with previous redhat versions, redhat 7,8,9.

Here is the last few lines of strace output of nscd:
<snip>
open("/var/run/nscd.pid", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=6, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4666f000
read(3, "16187\n", 4096) = 6
close(3) = 0
munmap(0x4666f000, 4096) = 0
kill(16187, SIG_0) = -1 ESRCH (No such process)
time(NULL) = 1071077187
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x467d50c8) = 21412
exit_group(0) = ?
<snip>

If anyone has suggestions in regards of fixing this or if there's a way to tell grsecurity to ignore monitoring specific programs like nscd.

Thank You,
Walter.
aiwntrmute
 
Posts: 11
Joined: Tue Jul 22, 2003 1:36 pm

update

Postby aiwntrmute » Wed Dec 10, 2003 4:00 pm

I went ahead and installed grsecurity kernel with "high" security which includes pax.
Now when nscd starts up, only the child processes get killed while the parent stays running.
So in a way it kinda works now, except there's only one nscd process now.

Walter.
aiwntrmute
 
Posts: 11
Joined: Tue Jul 22, 2003 1:36 pm

Re: update

Postby PaX Team » Wed Dec 10, 2003 4:16 pm

aiwntrmute wrote:I went ahead and installed grsecurity kernel with "high" security which includes pax.
Now when nscd starts up, only the child processes get killed while the parent stays running.
So in a way it kinda works now, except there's only one nscd process now.
can you post any relevant syslogs please (both from PaX and grsec)? the strace in your first message doesn't really point to any error, at least the main thread didn't get killed (which would be interesting given that the non-executable page stuff is not enabled at the middle level).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby aiwntrmute » Wed Dec 10, 2003 5:44 pm

Here is the dmesg from pax killing the child processes:
<snip>
PAX: From 128.95.196.85: terminating task: /usr/sbin/nscd(nscd):23284, uid/euid: 28/28, PC: 00000000, SP: 2b275a9c
PAX: bytes at PC: <invalid address>.
PAX: From 128.95.196.85: terminating task: /usr/sbin/nscd(nscd):4404, uid/euid: 28/28, PC: 00000000, SP: 2ba76a9c
PAX: bytes at PC: <invalid address>.
PAX: From 128.95.196.85: terminating task: /usr/sbin/nscd(nscd):15650, uid/euid: 28/28, PC: 00000000, SP: 2c277a9c
PAX: bytes at PC: <invalid address>.
PAX: From 128.95.196.85: terminating task: /usr/sbin/nscd(nscd):11048, uid/euid: 28/28, PC: 00000000, SP: 2ca78a9c
PAX: bytes at PC: <invalid address>.
PAX: From 128.95.196.85: terminating task: /usr/sbin/nscd(nscd):7402, uid/euid: 28/28, PC: 00000000, SP: 2d279a9c
PAX: bytes at PC: <invalid address>.
<snip>

If I use chpax to tell it to ignore /usr/sbin/nscd, I then will get this from dmesg:
<snip>
grsec: From 128.95.196.85: signal 11 sent to (nscd:5599) UID(28) EUID(28), parent (nscd:16226) UID(28) EUID(28)
grsec: From 128.95.196.85: signal 11 sent to (nscd:16226) UID(28) EUID(28), parent (init:1) UID(0) EUID(0) by (nscd:5599) UID(28) EUID(28), parent (nscd:16226) UID(28) EUID(28)
<snip>
But this time all nscd processes will be killed including the parent.

Here is the strace -f on nscd (im just posting the 2 child processes, although there's 5 forks)
<snip>
mprotect(0x26dc4000, 4096, PROT_NONE) = 0
clone(Process 26312 attached
child_stack=0x275c4b08, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID|CLONE_DETACHED, parent_tidptr=0x275c4bf8, {entry_number:0, base_addr:0x275c4bb0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}, child_tidptr=0x275c4bf8) = 26312
[pid 26312] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 26312] +++ killed by SIGKILL +++
PANIC: handle_group_exit: 26312 leader 125
--- SIGCHLD (Child exited) @ 0 (0) ---
mmap2(NULL, 8392704, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x275c5000
mprotect(0x275c5000, 4096, PROT_NONE) = 0
clone(Process 5773 attached
child_stack=0x27dc5b08, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID|CLONE_DETACHED, parent_tidptr=0x27dc5bf8, {entry_number:0, base_addr:0x27dc5bb0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}, child_tidptr=0x27dc5bf8) = 5773
[pid 5773] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 5773] +++ killed by SIGKILL +++
PANIC: handle_group_exit: 5773 leader 125
--- SIGCHLD (Child exited) @ 0 (0) ---
<snip>


Walter.
aiwntrmute
 
Posts: 11
Joined: Tue Jul 22, 2003 1:36 pm

upate

Postby aiwntrmute » Wed Dec 10, 2003 6:39 pm

I think this might be relevant, the nscd has thread support, so the children are threads...

Walter.
aiwntrmute
 
Posts: 11
Joined: Tue Jul 22, 2003 1:36 pm

yet another update

Postby aiwntrmute » Wed Dec 10, 2003 6:45 pm

apparently, enterprise redhat 3.0 has a posix thread patch in its kernel. without using this patch some of their threaded programs will not work at all with vanilla kernel. (thats why i was seeing signal 11 error messages with grsecurity without pax)

whats weird is that when I have pax in grsecurity, the threaded programs are working half way (only the children are getting killed off)

Walter.
aiwntrmute
 
Posts: 11
Joined: Tue Jul 22, 2003 1:36 pm

Postby PaX Team » Thu Dec 11, 2003 4:07 am

aiwntrmute wrote:Here is the dmesg from pax killing the child processes:

PAX: From 128.95.196.85: terminating task: /usr/sbin/nscd(nscd):23284, uid/euid: 28/28, PC: 00000000, SP: 2b275a9c
PAX: bytes at PC: <invalid address>.
this looks like a NULL function pointer dereferencing problem, try to run nscd with LD_ASSUME_KERNEL=2.2.5 or something like that to use the older linuxthreads implementation.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby aiwntrmute » Thu Dec 11, 2003 2:00 pm

Your suggestion worked.
By not going with nptl version of the thread library nscd seems to have fixed itself.
I also settled on using export LD_ASSUME_KERNEL=2.4.19 which goes with the i686 version of the library.

Thank You,
Walter.
aiwntrmute
 
Posts: 11
Joined: Tue Jul 22, 2003 1:36 pm


Return to grsecurity support