chrooted ssh and grsec

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

chrooted ssh and grsec

Postby polarfox » Thu Feb 26, 2004 3:34 pm

Hello,

I tried to run chrooted SSH, but I cant connect to that ssh daemon because of this message in kern.log:

Code: Select all
Feb 26 21:14:50 alus kernel: grsec: From 192.168.1.2: denied attempt to double chroot to /chroot/ministerija/var/run/sshd by (sshd:14373) UID(0) EUID(0), parent (sshd:563) UID(0) EUID(0)


Just cant find how to fix this. Can anybody help?
Thanks
polarfox
 
Posts: 6
Joined: Sat Feb 07, 2004 10:31 am

Postby siti » Fri Feb 27, 2004 3:30 am

In the menuconfig of the kernel configuration -> GrSecurity -> Filesystem Protections -> Deny double-chroots (make sure this option is disabled).
siti
 
Posts: 18
Joined: Fri Aug 08, 2003 6:30 pm

Postby polarfox » Fri Feb 27, 2004 4:11 am

Thanks.

Maybe there is some other way to override kernel grsec settings for double chroot without recompiling kernel?
polarfox
 
Posts: 6
Joined: Sat Feb 07, 2004 10:31 am

Postby sig » Sat Feb 28, 2004 7:51 am

If you have enabled sysctl support in grsec section in kernel config, you can disable double chroot:

Code: Select all
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot


Although this doesn't work if you have enabled /proc/sys/kernel/grsecurity/grsec_lock (the value is set to 1).
sig
 
Posts: 5
Joined: Fri Mar 29, 2002 12:28 pm

Postby raphinou » Tue Mar 02, 2004 8:52 am

I think you can also disable privilege separation in the sshd config.

Raph
raphinou
 
Posts: 5
Joined: Sun Apr 06, 2003 7:26 am


Return to grsecurity support