grsecurity forums

[aiwntrmute]

We are using Redhat Enterprise Linux 3.0. I just installed a vanilla kernel with grsec.
Kernel = 2.4.23, Grsec = 1.9.13
I've compiled grsecurity with medium security. For some reason nscd is kept being killed by grsecurity. This has never happened with previous redhat versions, redhat 7,8,9.

Here is the last few lines of strace output of nscd:
<snip>
open("/var/run/nscd.pid", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=6, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4666f000
read(3, "16187\n", 4096) = 6
close(3) = 0
munmap(0x4666f000, 4096) = 0
kill(16187, SIG_0) = -1 ESRCH (No such process)
time(NULL) = 1071077187
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x467d50c8) = 21412
exit_group(0) = ?
<snip>

If anyone has suggestions in regards of fixing this or if there's a way to tell grsecurity to ignore monitoring specific programs like nscd.

Thank You,
Walter.

[aiwntrmute]

I went ahead and installed grsecurity kernel with "high" security which includes pax.
Now when nscd starts up, only the child processes get killed while the parent stays running.
So in a way it kinda works now, except there's only one nscd process now.

Walter.

[PaX Team]

I went ahead and installed grsecurity kernel with "high" security which includes pax.
Now when nscd starts up, only the child processes get killed while the parent stays running.
So in a way it kinda works now, except there's only one nscd process now.

can you post any relevant syslogs please (both from PaX and grsec)? the strace in your first message doesn't really point to any error, at least the main thread didn't get killed (which would be interesting given that the non-executable page stuff is not enabled at the middle level).

[aiwntrmute]

Here is the dmesg from pax killing the child processes:
<snip>
PAX: From 128.95.196.85: terminating task: /usr/sbin/nscd(nscd):23284, uid/euid: 28/28, PC: 00000000, SP: 2b275a9c
PAX: bytes at PC: <invalid address>.
PAX: From 128.95.196.85: terminating task: /usr/sbin/nscd(nscd):4404, uid/euid: 28/28, PC: 00000000, SP: 2ba76a9c
PAX: bytes at PC: <invalid address>.
PAX: From 128.95.196.85: terminating task: /usr/sbin/nscd(nscd):15650, uid/euid: 28/28, PC: 00000000, SP: 2c277a9c
PAX: bytes at PC: <invalid address>.
PAX: From 128.95.196.85: terminating task: /usr/sbin/nscd(nscd):11048, uid/euid: 28/28, PC: 00000000, SP: 2ca78a9c
PAX: bytes at PC: <invalid address>.
PAX: From 128.95.196.85: terminating task: /usr/sbin/nscd(nscd):7402, uid/euid: 28/28, PC: 00000000, SP: 2d279a9c
PAX: bytes at PC: <invalid address>.
<snip>

If I use chpax to tell it to ignore /usr/sbin/nscd, I then will get this from dmesg:
<snip>
grsec: From 128.95.196.85: signal 11 sent to (nscd:5599) UID(28) EUID(28), parent (nscd:16226) UID(28) EUID(28)
grsec: From 128.95.196.85: signal 11 sent to (nscd:16226) UID(28) EUID(28), parent (init:1) UID(0) EUID(0) by (nscd:5599) UID(28) EUID(28), parent (nscd:16226) UID(28) EUID(28)
<snip>
But this time all nscd processes will be killed including the parent.

Here is the strace -f on nscd (im just posting the 2 child processes, although there's 5 forks)
<snip>
mprotect(0x26dc4000, 4096, PROT_NONE) = 0
clone(Process 26312 attached
child_stack=0x275c4b08, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID|CLONE_DETACHED, parent_tidptr=0x275c4bf8, {entry_number:0, base_addr:0x275c4bb0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}, child_tidptr=0x275c4bf8) = 26312
[pid 26312] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 26312] +++ killed by SIGKILL +++
PANIC: handle_group_exit: 26312 leader 125
--- SIGCHLD (Child exited) @ 0 (0) ---
mmap2(NULL, 8392704, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x275c5000
mprotect(0x275c5000, 4096, PROT_NONE) = 0
clone(Process 5773 attached
child_stack=0x27dc5b08, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID|CLONE_DETACHED, parent_tidptr=0x27dc5bf8, {entry_number:0, base_addr:0x27dc5bb0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}, child_tidptr=0x27dc5bf8) = 5773
[pid 5773] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 5773] +++ killed by SIGKILL +++
PANIC: handle_group_exit: 5773 leader 125
--- SIGCHLD (Child exited) @ 0 (0) ---
<snip>


Walter.

[aiwntrmute]

I think this might be relevant, the nscd has thread support, so the children are threads...

Walter.

[aiwntrmute]

apparently, enterprise redhat 3.0 has a posix thread patch in its kernel. without using this patch some of their threaded programs will not work at all with vanilla kernel. (thats why i was seeing signal 11 error messages with grsecurity without pax)

whats weird is that when I have pax in grsecurity, the threaded programs are working half way (only the children are getting killed off)

Walter.

[PaX Team]

Here is the dmesg from pax killing the child processes:

PAX: From 128.95.196.85: terminating task: /usr/sbin/nscd(nscd):23284, uid/euid: 28/28, PC: 00000000, SP: 2b275a9c
PAX: bytes at PC: <invalid address>.

this looks like a NULL function pointer dereferencing problem, try to run nscd with LD_ASSUME_KERNEL=2.2.5 or something like that to use the older linuxthreads implementation.

[aiwntrmute]

Your suggestion worked.
By not going with nptl version of the thread library nscd seems to have fixed itself.
I also settled on using export LD_ASSUME_KERNEL=2.4.19 which goes with the i686 version of the library.

Thank You,
Walter.