Restarting services

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Restarting services

Postby Xerxes83 » Sun Jul 03, 2005 3:17 pm

Some programs need the CAP_KILL capability in order to be able to stop/restart the program (for example Apache2: '(root:U:/usr/sbin/apache2) use of CAP_KILL denied for /usr/sbin/apache2[apache2:25987] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0'). Is there any way to avoid giving a program the CAP_KILL capability and still being able to stop/restart it?
Xerxes83
 
Posts: 8
Joined: Fri Jun 17, 2005 2:03 pm

Postby spender » Fri Jul 08, 2005 5:18 pm

Were you trying to restart apache from the admin role?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby Xerxes83 » Sun Jul 17, 2005 5:41 am

The problem seems to have been caused by this line:
(root:U:/usr/sbin/apache2) denied unlink of /var/run/apache2.pid by /usr/sbin/apache2[apache2:2185] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

I have no idea why I didn't notice it before...

Edit: Now I know why: "grsec: more alerts, logging disabled for 10 seconds". Before I had more Apache deamons running when I killed the process, now only two.
Xerxes83
 
Posts: 8
Joined: Fri Jun 17, 2005 2:03 pm

Postby Xerxes83 » Sat Jul 23, 2005 12:13 pm

And yet...
Jul 23 18:15:30 megumi grsec: From *.*.*.*: (root:U:/sbin/gradm) successful change to special role admin (id 10) by /sbin/gradm[gradm:10215] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:24676] uid/euid:0/0 gid/egid:0/0
Jul 23 18:16:36 megumi grsec: (root:U:/usr/lib/postfix/master) use of CAP_KILL denied for /usr/lib/postfix/master[master:25568] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Jul 23 18:16:36 megumi grsec: (root:U:/usr/lib/postfix/master) use of CAP_KILL denied for /usr/lib/postfix/master[master:25568] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Jul 23 18:16:36 megumi grsec: (root:U:/usr/lib/postfix/master) use of CAP_KILL denied for /usr/lib/postfix/master[master:25568] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0


There are no more messages... The errors are logged while restarting postfix (/etc/init.d/postfix restart).
Xerxes83
 
Posts: 8
Joined: Fri Jun 17, 2005 2:03 pm

Postby spender » Tue Aug 02, 2005 7:04 pm

Some daemons contain code to restart themselves instead of having it done within an init script that kills and re-executes the daemon. For these, all that can be done currently is disable the RBAC system while the daemons are being restarted, or give the daemons permission to restart themselves.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby bearclaw » Sat Apr 15, 2006 9:05 am

More on the weird behavior of apache2:
gradm -a admin
/etc/init.d/apache2 start
gradm -u
<apache2 running as www-data>
gradm -a admin
/etc/init.d/apache stop
grsec: From 82.228.48.220: (default:D:/) use of CAP_KILL denied for /usr/sbin/apache2[apache2:23455] uid/e
uid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
grsec: From 82.228.48.220: (default:D:/) denied unlink of /srv/http/var/run/apache2.pid by /usr/sbin/apach
e2[apache2:18072] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

which means its a reparented apache2 process running as root without the admin role which tryes to kill the running apache.

As a consequence, one has to allow root to kill apache, or to disable rbac to kill apache2 properly.
I think I'll forfeit the init.d script and use killall rather...
bearclaw
 
Posts: 7
Joined: Mon Nov 29, 2004 6:41 pm


Return to grsecurity support