denied load of writable library

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

denied load of writable library

Postby Cyrus » Tue Apr 13, 2004 6:42 pm

Hi

Any ideas where why one eggdrop doesnt work? The very same machine is running few eggdrops and this is only one which creates errors:

Apr 14 01:20:44 foo kernel: grsec: From 1.2.3.4: denied load of writable library /home/user/eggdrop/modules-1.6.15/dns.so by (eggdrop:5482) UID(4001) EUID(4001), parent (bash:12665) UID(4001) EUID(4001)
Apr 14 01:20:44 foo kernel: grsec: From 1.2.3.4: denied load of writable library /home/user/eggdrop/modules-1.6.15/channels.so by (eggdrop:5482) UID(4001) EUID(4001), parent (bash:12665) UID(4001) EUID(4001)

All eggdrops are running with different UID/GID.

TIA
Cyrus
 
Posts: 7
Joined: Mon Mar 17, 2003 3:31 pm

Postby torne » Wed Apr 14, 2004 1:05 am

The eggdrop's modules (the .so files) are libraries containing executable code. grsec won't let you load executable code that's writable by people other than the owner, because that's gratuitously insecure (someone else writes over library with malicious code, bot crashes later for some reason, loads up malicious library, deletes files/gives shell as that UID/etc). Change the permissions on the .so files.
torne
 
Posts: 54
Joined: Mon Aug 12, 2002 12:52 pm

Postby Cyrus » Wed Apr 14, 2004 1:15 am

Files are owned by the user and exact rights are:

-rwxr-xr-x 1 user users 12508 Apr 14 01:38 /home/m1x/eggdrop/modules-1.6.15/dns.so

-rwxr-xr-x 1 user users 113404 Apr 14 01:38 /home/m1x/eggdrop/modules/channels.so

Just wonderin why this user cant execute eggdrop and all the others can. Same rights etc.
Cyrus
 
Posts: 7
Joined: Mon Mar 17, 2003 3:31 pm

Postby PaX Team » Wed Apr 14, 2004 5:16 am

Cyrus wrote:Files are owned by the user and exact rights are:

-rwxr-xr-x 1 user users 12508 Apr 14 01:38 /home/m1x/eggdrop/modules-1.6.15/dns.so

-rwxr-xr-x 1 user users 113404 Apr 14 01:38 /home/m1x/eggdrop/modules/channels.so

Just wonderin why this user cant execute eggdrop and all the others can. Same rights etc.
the access rights that matter for this check are those granted by ACLs not the file system, so check those.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby Cyrus » Wed Apr 14, 2004 5:30 am

ACLs are like this:
Code: Select all
/ {
   ...
   /home rwx
   ...
}

and nothing more, no special ACLs for different users, they all got the same.
Cyrus
 
Posts: 7
Joined: Mon Mar 17, 2003 3:31 pm

Postby letrout » Wed Apr 14, 2004 12:11 pm

Maybe you need a
Code: Select all
/home/*/eggdrop/modules-1.6.15 rx

rule?

I like this feature of grsec by the way. Helped me tighten up some sloppiness on my system.
letrout
 
Posts: 14
Joined: Thu Feb 19, 2004 3:48 pm

Postby Cyrus » Wed Apr 14, 2004 12:13 pm

Maybe, maybe not.
Few points:
1) why it works on other users?
2) users cant delete the directory after that.
Cyrus
 
Posts: 7
Joined: Mon Mar 17, 2003 3:31 pm

Postby letrout » Wed Apr 14, 2004 12:50 pm

1) Don't know, need someone smarter than me for that one

2) Maybe try
Code: Select all
/home/*/eggdrop/modules-1.6.15/*.so rx

Users still couldn't delete the .so files or the directory though, so maybe no love there.

There's also
3) I should stop making suggestions, because I don't even know what eggdrop is/does and I only barely understand little bits of grsecurity.

Your unlucky day I guess, I just happened to pass by the boards today checking for 2.4.26 patches and decided to make a couple posts. In all honesty you should probably just ignore me and wait for someone else.
letrout
 
Posts: 14
Joined: Thu Feb 19, 2004 3:48 pm


Return to grsecurity support