TPE and apache2 and suexec

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

TPE and apache2 and suexec

Postby charliebrown » Mon Aug 27, 2007 4:18 am

Hi all.
I am trying to use TPE with apache2 and suexec but i still not able to execute cgi script with mod_fcgid cause system see that scripts have been executed by server web user(www-data under Debian).

I did the following:

Compiling kernel 2.6.19.2 patched with grsecurity 2.1.10 with these options:

CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CUSTOM=y
# Address Space Protection
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODSTOP=y
CONFIG_GRKERNSEC_HIDESYM=y
# Role Based Access Control Options
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
# Filesystem Protections
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
# Executable Protections
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_GID=1002
# Network Protections
CONFIG_GRKERNSEC_RANDNET=y
# Sysctl support
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y

and audit support;

chowned webroot dir of user $x and enabled suexec.

Everytime i try to run a cgi script in that path system return an execution permission error cause on logs looklike that www-data run scripts and not user mapped by suexec.

This is kernel log:
Aug 27 04:04:30 localhost kernel: grsec: From x.y.z.0: denied untrusted exec of /var/www/domain.ext/var/web/www/test.pl by /usr/lib/apache2/suexec[su
exec:3358] uid/euid:1001/1001 gid/egid:1003/1003, parent /usr/sbin/apache2[apache2:3350] uid/euid:0/33 gid/egid:33/33

I create a custom group with gid 1002 and added (not as first group but with usermod -G) web users to that group.

My os is Debian etch version.

Thanks for any replies or infos about it.


Regards
charliebrown
 
Posts: 2
Joined: Mon Aug 27, 2007 3:38 am

Postby specs » Mon Aug 27, 2007 3:22 pm

I'm afraid the options works or breaks by using the exact options needed.

Try to look at the user with: "grep 1002 /etc/group"
Try to look at the dir with: "ls -la /var/www/domain.ext/var/web/www |head -2"
The result should be something like:
total 16
drwxr-xr-x 2 root root 4096 2007-03-03 14:27 .

Above being a standard "chmod 755 ." and "chmod root.root ." it should work.
Have you also looked who may write to the script-file?

I suggest the same settings for the scripts as for the directory.
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am

Postby charliebrown » Tue Aug 28, 2007 3:55 am

Hi,
before all, thanks for reply.

Then:
- user owner of that dir and scritps is in group gid 1002;
- ls report that user domain.ext and group domain.ext are the owner of DocumentRoot (/var/www/domain.ext/var/web/www) and not root;
- permissions are right;

I recompile again kernel right to re-enable tpe and changed user and group owner of main dir.

Let me understand a thing:
why should be root the owner of main dir ?And why permissions should be set to 755?
I mean if i set permissions to 755 usually everyone could execute script or read it.


Thanks and regards
charliebrown
 
Posts: 2
Joined: Mon Aug 27, 2007 3:38 am

Postby specs » Tue Aug 28, 2007 1:59 pm

The owner should be root, since that is what TPE looks for.
Thefile permissions should be write for root and read-only forthe group/user.
710 might work for you instead of 755,

From the kernelhelp:
" These users will not be able to execute any files that are not in root-owned directories writable only by root. If the sysctl option is enabled, a sysctl option with name "tpe" is created "

Since TPE is meant to prevent changing or adding scripts it would be logical to prevent writing to the files and the directories.

Please read the help available within the kernelpatch.
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am


Return to grsecurity support