Hi!
I ran into the same problem. Here is a somewhat more detailed report:
einon@misato:~$ ssh -vvv root@X.Y.Z.V
OpenSSH_4.6p1 Debian-5, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to X.Y.Z.V [X.Y.Z.V] port 22.
debug1: Connection established.
[...]
debug1: Authentication succeeded (publickey).
debug2: fd 6 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
[...]
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t4 r0 i0/0 o0/0 fd 4/5 cfd -1)
debug3: channel 0: close_fds r 4 w 5 e 6 c -1
debug1: fd 2 clearing O_NONBLOCK
Connection to X.Y.Z.V closed by remote host.
Connection to X.Y.Z.V closed.
debug1: Transferred: stdin 0, stdout 0, stderr 85 bytes in 0.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 1198.8
debug1: Exit status -1
einon@misato:~$
Output of sshd on the server in debug mode:
server:~# /usr/sbin/sshd -D -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 652
debug2: parse_server_config: config /etc/ssh/sshd_config len 652
debug3: /etc/ssh/sshd_config:5 setting Port 22
debug3: /etc/ssh/sshd_config:9 setting Protocol 2
debug3: /etc/ssh/sshd_config:11 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:12 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:14 setting UsePrivilegeSeparation yes
debug3: /etc/ssh/sshd_config:17 setting KeyRegenerationInterval 3600
debug3: /etc/ssh/sshd_config:18 setting ServerKeyBits 768
debug3: /etc/ssh/sshd_config:21 setting SyslogFacility AUTH
debug3: /etc/ssh/sshd_config:22 setting LogLevel INFO
debug3: /etc/ssh/sshd_config:25 setting LoginGraceTime 120
debug3: /etc/ssh/sshd_config:26 setting PermitRootLogin yes
debug3: /etc/ssh/sshd_config:27 setting StrictModes yes
debug3: /etc/ssh/sshd_config:29 setting RSAAuthentication yes
debug3: /etc/ssh/sshd_config:30 setting PubkeyAuthentication yes
debug3: /etc/ssh/sshd_config:34 setting IgnoreRhosts yes
debug3: /etc/ssh/sshd_config:36 setting RhostsRSAAuthentication no
debug3: /etc/ssh/sshd_config:38 setting HostbasedAuthentication no
debug3: /etc/ssh/sshd_config:43 setting PermitEmptyPasswords no
debug3: /etc/ssh/sshd_config:47 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:50 setting PasswordAuthentication yes
debug3: /etc/ssh/sshd_config:62 setting X11Forwarding no
debug3: /etc/ssh/sshd_config:63 setting X11DisplayOffset 10
debug3: /etc/ssh/sshd_config:64 setting PrintMotd no
debug3: /etc/ssh/sshd_config:65 setting PrintLastLog no
debug3: /etc/ssh/sshd_config:66 setting TCPKeepAlive yes
debug3: /etc/ssh/sshd_config:73 setting AcceptEnv LANG LC_*
debug3: /etc/ssh/sshd_config:75 setting Subsystem sftp /usr/lib/openssh/sftp-server
debug1: sshd version OpenSSH_4.6p1 Debian-5
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-D'
debug1: rexec_argv[2]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
socket: Address family not supported by protocol
debug3: fd 4 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 652
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from V.Z.Y.X port 63714
debug1: Client protocol version 2.0; client software version OpenSSH_4.6p1 Debian-2
debug1: match: OpenSSH_4.6p1 Debian-2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.6p1 Debian-5
[...]
Accepted publickey for root from V.Z.Y.X port 63714 ssh2
[...]
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
openpty returns device for which ttyname fails.
debug1: do_cleanup
debug1: session_pty_cleanup: session 0 release
chown 0 0 failed: No such file or directory
chmod 0666 failed: No such file or directory
server:~#
The relevant part with strace:
write(2, "debug1: Allocating pty.\r\n", 25 ) = 25
open("/dev/ptmx", O_RDWR) = 6
statfs("/dev/pts", {f_type="DEVPTS_SUPER_MAGIC", f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
ioctl(6, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(6, TIOCGPTN, [4]) = 0
stat64("/dev/pts/4", {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 4), ...}) = 0
statfs("/dev/pts/4", {f_type="DEVPTS_SUPER_MAGIC", f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
ioctl(6, TIOCSPTLCK, [0]) = 0
ioctl(6, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(6, TIOCGPTN, [4]) = 0
stat64("/dev/pts/4", {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 4), ...}) = 0
open("/dev/pts/4", O_RDWR|O_NOCTTY) = 7
ioctl(7, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
readlink("/proc/self/fd/7", 0x80073210, 4095) = -1 ENOENT (No such file or directory)
write(2, "openpty returns device for which"..., 49 ) = 49
write(2, "debug1: do_cleanup\r\n", 20 ) = 20
write(2, "debug1: session_pty_cleanup: ses"..., 49 ) = 49
getuid32() = 0
chown32("", 0, 0) = -1 ENOENT (No such file or directory)
write(2, "chown 0 0 failed: No such file "..., 46 ) = 46
chmod("", 0666) = -1 ENOENT (No such file or directory)
write(2, "chmod 0666 failed: No such file"..., 47 ) = 47
close(0) = 0
exit_group(255) = ?
Process 7334 detached
The sshd ACL is:
subject /usr/sbin/sshd dpko {
/ h
/bin/bash x
/dev
/dev/log* rw
/dev/ptmx rw
/dev/pts rw
/dev/tty rw
/dev/tty? rw
/dev/null rwa
/dev/urandom r
/dev/random r
/etc r
/etc/ssh r
/etc/grsec h
/etc/nsswitch.conf r
/etc/nss-mysql.conf r
/etc/resolv.conf r
/etc/hosts r
/etc/host.conf r
/etc/ld.so.cache r
/home r
/root
/proc r
/proc/kcore h
/proc/sys h
/lib rx
/usr/lib rx
/usr/share r
/var/mail
/var/run/utmp rw
/var/run/sshd
/var/run/sshd.pid rw
/var/run/motd r
/var/run/.nscd_socket rw
/var/log
/var/log/lastlog rwa
/var/log/wtmp rwa
/root/.ssh/authorized_keys r
/proc/sys/kernel/version s
include </etc/grsec2/local/ssh>
-CAP_ALL
+CAP_CHOWN
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_CHROOT
+CAP_SYS_RESOURCE
+CAP_SYS_TTY_CONFIG
+CAP_DAC_OVERRIDE
+CAP_NET_ADMIN
RES_CRASH 1 10m
connect 0.0.0.0:0 ip
connect 0.0.0.0:22 stream dgram tcp udp
connect 0.0.0.0/0:53 stream dgram ip tcp udp
connect 127.0.0.1:3307 stream tcp
connect 81.2.253.201:3307 stream tcp
bind 0.0.0.0/0:22 stream tcp
}
sshd: 4.3p2-9
libc6: 2.6.1-1+b1
kernel: 2.6.22.6
grsec+gradm: 2.1.11
Removing o from the subject line does not help.
There is no grsec error in the syslog. So I'm out of ideas now.
Without RBAC it works.
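
Added example, not part of the original post: a small triage script for a trace like the one above. It tracks which path each descriptor was opened on and, for every syscall that returned -1, reports the path involved and, where the call went through /proc/self/fd/N, what that descriptor actually refers to. The `TRACE` sample is constructed from the syscall lines in the post (write/statfs/TCGETS lines left out); `failed_calls` is a hypothetical helper name.

```python
import re

# Constructed sample: syscall lines taken from the strace excerpt in the post.
TRACE = '''\
open("/dev/ptmx", O_RDWR) = 6
ioctl(6, TIOCGPTN, [4]) = 0
stat64("/dev/pts/4", {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 4), ...}) = 0
ioctl(6, TIOCSPTLCK, [0]) = 0
open("/dev/pts/4", O_RDWR|O_NOCTTY) = 7
readlink("/proc/self/fd/7", 0x80073210, 4095) = -1 ENOENT (No such file or directory)
chown32("", 0, 0) = -1 ENOENT (No such file or directory)
chmod("", 0666) = -1 ENOENT (No such file or directory)
close(0) = 0
'''

# name(args) = ret [ERRNO ...]; greedy args so nested parentheses are kept.
CALL = re.compile(r'^(\w+)\((.*)\)\s+=\s+(-?\d+|\?)(?:\s+(E[A-Z0-9]+))?')
PROC_FD = re.compile(r'^/proc/self/fd/(\d+)$')

def failed_calls(trace):
    """Return (syscall, first_string_arg, errno, fd_target) for each failure.

    fd_target is the path the descriptor was opened on when the failing call
    addressed it through /proc/self/fd/N, otherwise None.
    """
    fd_paths = {}    # descriptor number -> path it was opened on
    failures = []
    for line in trace.splitlines():
        m = CALL.match(line.strip())
        if not m:
            continue
        name, args, ret, errno = m.groups()
        quoted = re.search(r'"([^"]*)"', args)
        arg = quoted.group(1) if quoted else None
        if name in ("open", "openat") and ret.isdigit():
            fd_paths[int(ret)] = arg
        elif name == "close" and ret == "0" and args.strip().isdigit():
            fd_paths.pop(int(args), None)
        elif ret == "-1":
            ref = PROC_FD.match(arg or "")
            target = fd_paths.get(int(ref.group(1))) if ref else None
            failures.append((name, arg, errno, target))
    return failures

if __name__ == "__main__":
    for name, arg, errno, target in failed_calls(TRACE):
        via = f" (fd opened on {target})" if target else ""
        print(f"{name}({arg!r}) -> {errno}{via}")
```

On this trace the first failure is the readlink of /proc/self/fd/7, a descriptor that had just been opened successfully on /dev/pts/4; the later chown32 and chmod calls are made with an empty path.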