grsecurity forums

by **saturne** » Mon Sep 30, 2002 10:33 am

HI

when I launches gradm (gradm - E), users who are chroot (/home/user/./) cannot connect in ssh. I have an error "- bash: error while loading shared libraries: libncurses.so.5: failed to map segment from shared object: Permission denied "

as I donâ€™t arrive, I made in the file acl a very "open" configuration :

#sample default process acl for grsecurity

/ {
/ r
/opt rx
/home rwx
/mnt rw
/dev rw
/dev/mem h
/dev/kmem h
/bin rx
/sbin rx
/lib rx
/usr rx
/etc rx
/proc rwx
/proc/sys r
/root r
/tmp rw
/var rwx
/var/tmp rw
/var/log ra
/boot r
/etc/grsec h

-CAP_LINUX_IMMUTABLE
-CAP_NET_RAW
-CAP_MKNOD
-CAP_SYS_RAWIO
-CAP_SYS_MODULE
}

/bin/login {
/ rwo
/etc rwo
/bin rwo
/var rwo
/proc rwo

}

/usr/local/sbin/sshd {
/ row
/etc ro
/var rwo
}

/bin/su {
/ ro
/etc ro
}

/bin/bash {
/ row
/proc rwo
}

This is just for see :wink:

So, for users libraries, Iâ€™ll try cp â€“Rl (hard link)

, and cp â€“R (real files) :-?

â€¦.. just for seeâ€¦

When I kill gradm (gradm â€“D) Iâ€™ve no problem. So my configuration about chroot, openssh is ok.

Iâ€™ll try â€œlow levelâ€ in kernel option, but itâ€™s the same. I think, the problem comes acl file, but even with all the examples which I could find on the forum or the mailing-list, I donâ€™t seeâ€¦.. why "failed to map segment from shared object.." ?

by **spender** » Mon Sep 30, 2002 3:08 pm

check your logs. If grsecurity caused it, there would be some message as to why.

-Brad

by **saturne** » Mon Sep 30, 2002 4:08 pm

ok, i see them:

-In kern.log:

Sep 30 23:50:53 venus kernel: grsec: Loaded grsecurity 1.9.7
Sep 30 23:50:57 venus kernel: grsec: chdir("/") by (sshd:17415) UID(6002) EUID(6002), parent (sshd:18758) UID(6002) EUID(6002)
Sep 30 23:50:57 venus kernel: grsec: exec of /bin/bash within chroot jail [03:06:31793] by process (sshd:17415) UID(6002) EUID(6002), parent (sshd:18758) UID(6002) EUID(6002)
Sep 30 23:50:57 venus kernel: grsec: attempt to load writable library [03:06:129574] by (bash:17415) UID(6002) EUID(6002), parent (sshd:18758) UID(6002) EUID(6002)
Sep 30 23:51:01 venus kernel: grsec: shutdown auth success for (gradm:21407) UID(0) EUID(0), parent (bash:3823) UID(0) EUID(0)

-In messages:

Sep 30 23:50:57 venus kernel: grsec: chdir("/") by (sshd:17415) UID(6002) EUID(6002), parent (sshd:18758) UID(6002) EUID(6002)
Sep 30 23:50:57 venus kernel: grsec: exec of /bin/bash within chroot jail [03:06:31793] by process (sshd:17415) UID(6002) EUID(6002), parent (sshd:18758) UID(6002) EUID(6002)

In kernel, at this time, option "enforce chdir" is disabled

in this logs, he said "attempt to load writable library ", but the file acl is good no?

by **saturne** » Mon Sep 30, 2002 9:29 pm

i'll patch openssh for chroot (when there is /./ in passwd, user is in chroot cage). I think with acl, secure is the best, so is that necessary using the chroot'openssh, or only acl? I think it's another security