Terminal being sniffed ??

Submit your RBAC policies or suggest policy improvements

Terminal being sniffed ??

Postby Naril » Sun Jan 30, 2005 6:57 am

Hi!

I have next problem. When I try to use "gradm-a admin" command I get such a grsec warning:

kernel: grsec: From 153.19.37.187: (root:U:/sbin/gradm) terminal being sniffed by IP:153.19.37.187 /usr/sbin/httpd[httpd:13371], parent /sbin/init[init:1] against /sbin/gradm[gradm:30123] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:21671] uid/euid:0/0 gid/egid:0/0.

It is strane because 153.19.37.187 is IP of my computer in my house which I use to connect to my serwer. I also have open www page which is on my server but why I can't use "gradm -a admin"? What is connection between grsec and the fact that I use www server? And what I have to change in my configuration?
Naril
 
Posts: 4
Joined: Thu Jan 27, 2005 11:13 am

Postby spender » Tue Feb 01, 2005 10:15 pm

Can you send me an lsof of the system when the problem occurs? Also send me pstree and ps aux output.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby Naril » Wed Feb 02, 2005 7:42 am

Of course. I sent it with my new questons about this problem.
Naril
 
Posts: 4
Joined: Thu Jan 27, 2005 11:13 am

Postby glaeken » Sun Mar 06, 2005 12:37 pm

Mar 6 17:18:55 localhost kernel: grsec: From 10.0.0.2: (default:D:/sbin/gradm) terminal being sniffed by IP:10.0.0.2 /usr/sbin/crond[crond:29], parent /sbin/init[init:1] against /sbin/gradm[gradm:12994] uid/euid:0/0 gid/egid:0/0, parent /bin/bash_root[bash_root:20796] uid/euid:0/0 gid/egid:0/0

should I send the same info as mentioned above? :)
glaeken
 
Posts: 15
Joined: Sun Feb 20, 2005 9:53 am

Postby spender » Sun Mar 06, 2005 12:39 pm

Have you updated to 2.1.2?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby glaeken » Sun Mar 06, 2005 1:04 pm

yes I did
yesterday

ps. it seems to related to background process which has been started from the given pts

Code: Select all
[18:01:27] root@dsl:~# gradm -D
Password:
Stopping crond:                                            [  OK  ]
Starting crond:                                            [  OK  ]
[18:09:06] root@dsl:~# gradm -D
The terminal you are using is unsafe for this operation.  Use another terminal.


and one more

Code: Select all
[18:11:04] root@dsl:~# gradm -D
Password:
[18:11:06] root@dsl:~# killall crond
[18:11:09] root@dsl:~# gradm -D
Password:
[18:11:12] root@dsl:~# crond
[18:11:14] root@dsl:~# gradm -D
The terminal you are using is unsafe for this operation.  Use another terminal.
Last edited by glaeken on Sun Mar 06, 2005 1:09 pm, edited 1 time in total.
glaeken
 
Posts: 15
Joined: Sun Feb 20, 2005 9:53 am

Postby spender » Sun Mar 06, 2005 1:07 pm

Yes, which means that there's a bug in your distribution, as that process shouldn't have your terminal opened. In this case, just log into another terminal and run gradm on there.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby glaeken » Sun Mar 06, 2005 1:11 pm

should I change cron? or something deeper? libc i.e.?
glaeken
 
Posts: 15
Joined: Sun Feb 20, 2005 9:53 am

Postby spender » Sun Mar 06, 2005 5:09 pm

The problem is most likely in the startup script for cron. If you report the problem to your distribution, they will know how to fix it. Explain that the cron process has the terminal open of the user that started cron.

Out of curiosity, can you show me the output of ls -al /proc/`pidof cron`/fd

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby glaeken » Sun Mar 06, 2005 7:46 pm

Code: Select all
[00:47:35] root@dsl:~# ls -al /proc/`pidof crond`/fd
total 0
dr-x------    2 root     procgr          0 Mar  7 00:47 .
dr-xr-x---    3 root     procgr          0 Mar  6 23:09 ..
lrwx------    1 root     procgr         64 Mar  7 00:47 0 -> /dev/pts/17 (deleted)
l-wx------    1 root     procgr         64 Mar  7 00:47 1 -> pipe:[807531]
l-wx------    1 root     procgr         64 Mar  7 00:47 2 -> pipe:[807532]
lrwx------    1 root     procgr         64 Mar  7 00:47 3 -> /var/run/crond.pid
lrwx------    1 root     procgr         64 Mar  7 00:47 6 -> socket:[837725]

[00:47:36] root@dsl:~# lsof -n | grep crond
crond     13534     root  cwd    DIR        3,1      4096     677235 /var/spool
crond     13534     root  rtd    DIR        3,1      4096          2 /
crond     13534     root  txt    REG        3,1     22112     322954 /usr/sbin/crond
crond     13534     root  mem    REG        3,1    464409     482931 /lib/ld-2.2.4.so
crond     13534     root  mem    REG        3,1   5737154     482940 /lib/libc-2.2.4.so
crond     13534     root  mem    REG        3,1    256691     482965 /lib/libnss_files-2.2.4.so
crond     13534     root  mem    REG        3,1    350464     482973 /lib/libnss_nisplus-2.2.4.so
crond     13534     root  mem    REG        3,1    448441     482949 /lib/libnsl-2.2.4.so
crond     13534     root    0u   CHR     136,17                   19 /dev/pts/17 (deleted)
crond     13534     root    1w  FIFO        0,5               807531 pipe
crond     13534     root    2w  FIFO        0,5               807532 pipe
crond     13534     root    3u   REG        3,1         6     676074 /var/run/crond.pid
crond     13534     root    6u  unix 0xc712a960               837725 socket

..and yes, I know I have an old libc:P
glaeken
 
Posts: 15
Joined: Sun Feb 20, 2005 9:53 am


Return to RBAC policy development