Cannot access http or ftp servers with grsec.

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Cannot access http or ftp servers with grsec.

Postby gianspi » Sat Nov 05, 2005 2:19 am

Hello.

I was following the quick start guide and after the "/sbin/reboot" step I now cannot access http or ftp servers with links or ncftp (ssh works). My request is sent out with http but nothing comes back. I set my firewall to an open policy but no luck there. Does any grsec or PaX options prevent this?

Here is my kernel config.

Code: Select all
#
# Grsecurity
#
CONFIG_GRKERNSEC=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_SHA256=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MID is not set
# CONFIG_GRKERNSEC_HI is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# PaX Control
#
# CONFIG_GRKERNSEC_PAX_SOFTMODE is not set
# CONFIG_GRKERNSEC_PAX_EI_PAX is not set
CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS=y
# CONFIG_GRKERNSEC_PAX_NO_ACL_FLAGS is not set
CONFIG_GRKERNSEC_PAX_HAVE_ACL_FLAGS=y
# CONFIG_GRKERNSEC_PAX_HOOK_ACL_FLAGS is not set

#
# Address Space Protection
#
CONFIG_GRKERNSEC_PAX_NOEXEC=y
# CONFIG_GRKERNSEC_PAX_SEGMEXEC is not set
CONFIG_GRKERNSEC_PAX_MPROTECT=y
# CONFIG_GRKERNSEC_PAX_NOELFRELOCS is not set
CONFIG_GRKERNSEC_PAX_ASLR=y
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_RTC=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y

#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=2
CONFIG_GRKERNSEC_ACL_TIMEOUT=600

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set
#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDSRC=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
# CONFIG_GRKERNSEC_SYSCTL is not set

#
# Logging options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4



Thanks for any help. I am using kernel 2.4.31 with grsecurity-2.1.7-2.4.31-200510291217.patch on Slackware v10.2

Thank you!
Gian G. Spicuzza
gianspi
 
Posts: 6
Joined: Sat Nov 05, 2005 2:13 am

Re: Cannot access http or ftp servers with grsec.

Postby PaX Team » Sat Nov 05, 2005 6:57 am

gianspi wrote:I was following the quick start guide and after the "/sbin/reboot" step I now cannot access http or ftp servers with links or ncftp (ssh works). My request is sent out with http but nothing comes back.
an strace output might help...
I set my firewall to an open policy but no luck there. Does any grsec or PaX options prevent this?
Code: Select all
#
# CONFIG_GRKERNSEC_PAX_EI_PAX is not set
CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS=y
does Slackware support the PT_PAX_FLAGS marking (just wondering)?
Code: Select all
CONFIG_GRKERNSEC_PAX_NOEXEC=y
# CONFIG_GRKERNSEC_PAX_SEGMEXEC is not set
CONFIG_GRKERNSEC_PAX_MPROTECT=y
uhm, how did you manage to enable MPROTECT without either of SEGMEXEC/PAGEEXEC? the PaX config dependencies should not allow that.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby gianspi » Sat Nov 05, 2005 11:20 am

Hi PaX,

thanks for the reply.

I Found this newspost on "http://www.cerebrallab.com/projects/netsecurity/index.php"

Code: Select all
Patched Slackware 10.1 packages for PT_PAX_FLAGS support 
Posted By Neural on Wed Apr 27 2005 - 01:55:22 AM 
I went through the process of patching binutils and glibc to support the no exec stack that pax requires. For binutils I used the patch found on the pax site at http://pax.grsecurity.net/ and for glibc I used the patch employed by gentoo. I repackaged them and put them up in my file area for those who might want to use them if they use the grsecurity 2.1.5 patch with Slackware 10.1

I also included a rebuilt ncurses package. All I did to that package was rebuild it using the source build script after I installed the patched glibc and binutils so that it would compile without the executable stack.


So if this is true, I assume PT_PAX_FLAGS is not supported by default in the slackware enviroment.

I read through the help doc on all of the GrSec/PaX options and configured my kernel accordingly. I don't know how I missed a dependancy.

Should I disable PT_PAX_FLAGS and clear up that dependancy?

PS- I will post an strace when I return home later today.

Thank you!!

Gian
gianspi
 
Posts: 6
Joined: Sat Nov 05, 2005 2:13 am

Postby PaX Team » Sat Nov 05, 2005 9:50 pm

gianspi wrote:So if this is true, I assume PT_PAX_FLAGS is not supported by default in the slackware enviroment.
compile something then check readelf -l, if it doesn't say PAX_FLAGS, then the PaX program header is not present, you must use chpax and the old marking scheme.
Should I disable PT_PAX_FLAGS and clear up that dependancy?
well, it should not affect this problem, but if you actually want to use PaX you must use a marking scheme that is supported by your userland, else nothing will be protected (although considering that you disabled non-exec pages, you might as well not care ;P).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm


Return to grsecurity support