denied executable mmap of /etc/ld.so.cache

Postby Vincent » Mon Feb 11, 2008 4:11 pm

Hi,
I searched on the forum and found a very old topic about this issue, so I didn't want to reopen that.

I upgraded my kernel from 2.6.22.8 to 2.6.23.16 due to a recent exploit and now I'm having problems with grsecurity and gradm.
When I auth myself to the admin role, grsec logs the following error:
Code:
grsec: From 10.1.1.12: (root:U:/sbin/gradm) denied executable mmap of /etc/ld.so.cache by /sbin/gradm[gradm:1419] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:775] uid/euid:0/0 gid/egid:0/0

This error only appears when I auth myself to the admin role, not with any other actions.

I cannot strace the error because I cannot strace when I'm not in the admin role. :)

Code:
root@ssh1 ~ # readelf -l /sbin/gradm

Elf file type is EXEC (Executable file)
Entry point 0x80495a0
There are 7 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x000034 0x08048034 0x08048034 0x000e0 0x000e0 R E 0x4
  INTERP         0x000114 0x08048114 0x08048114 0x00013 0x00013 R   0x1
      [Requesting program interpreter: /lib/ld-linux.so.2]
  LOAD           0x000000 0x08048000 0x08048000 0x2e0b0 0x2e0b0 R E 0x1000
  LOAD           0x02e0b0 0x080770b0 0x080770b0 0x00478 0x00820 RW  0x1000
  DYNAMIC        0x02e0c4 0x080770c4 0x080770c4 0x000c8 0x000c8 RW  0x4
  NOTE           0x000128 0x08048128 0x08048128 0x00020 0x00020 R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4

 Section to Segment mapping:
  Segment Sections...
   00
   01     .interp
   02     .interp .note.ABI-tag .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame
   03     .ctors .dtors .jcr .dynamic .got .got.plt .data .bss
   04     .dynamic
   05     .note.ABI-tag
   06


Can you help me in the right direction with this problem? Thnx.
Vincent
 
Posts: 19
Joined: Mon Jan 07, 2008 8:33 am

Re: denied executable mmap of /etc/ld.so.cache

Postby PaX Team » Tue Feb 12, 2008 7:36 pm

Vincent wrote:
Code:
grsec: From 10.1.1.12: (root:U:/sbin/gradm) denied executable mmap of /etc/ld.so.cache by /sbin/gradm[gradm:1419] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:775] uid/euid:0/0 gid/egid:0/0

this looks like the READ_IMPLIES_EXEC behaviour that should be disabled under PaX, but not without. also, it kicks in when something doesn't have a GNU_STACK marking, check your early userland like init/bash.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: denied executable mmap of /etc/ld.so.cache

Postby Vincent » Thu Feb 14, 2008 5:54 am

Thank you for your answer.

Code:
root@ssh1 ~ # readelf -l /bin/bash

Elf file type is EXEC (Executable file)
Entry point 0x805be30
There are 8 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4
  INTERP         0x000134 0x08048134 0x08048134 0x00013 0x00013 R   0x1
      [Requesting program interpreter: /lib/ld-linux.so.2]
  LOAD           0x000000 0x08048000 0x08048000 0xa0520 0xa0520 R E 0x1000
  LOAD           0x0a0520 0x080e9520 0x080e9520 0x04b44 0x09728 RW  0x1000
  DYNAMIC        0x0a0534 0x080e9534 0x080e9534 0x000d8 0x000d8 RW  0x4
  NOTE           0x000148 0x08048148 0x08048148 0x00020 0x00020 R   0x4
  GNU_EH_FRAME   0x0a0458 0x080e8458 0x080e8458 0x0002c 0x0002c R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4

 Section to Segment mapping:
  Segment Sections...
   00
   01     .interp
   02     .interp .note.ABI-tag .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame
   03     .ctors .dtors .jcr .dynamic .got .got.plt .data .bss
   04     .dynamic
   05     .note.ABI-tag
   06     .eh_frame_hdr
   07


I don't know what is wrong? I didn't change my kernel/grsec/pax configuration.

I found some more logs regarding the same issue
Code:
Feb 14 10:45:05 ssh1 kernel: grsec: From 10.1.1.12: (root:U:/usr/sbin/sshd) denied executable mmap of /etc/shadow by /usr/sbin/sshd[sshd:26071] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:2383] uid/euid:0/0 gid/egid:0/0


Do you know what can be done to fix this? Thnx in advance.
Vincent
 
Posts: 19
Joined: Mon Jan 07, 2008 8:33 am

Re: denied executable mmap of /etc/ld.so.cache

Postby PaX Team » Thu Feb 14, 2008 10:06 am

Vincent wrote: I don't know what is wrong? I didn't change my kernel/grsec/pax configuration.

I found some more logs regarding the same issue
Code:
Feb 14 10:45:05 ssh1 kernel: grsec: From 10.1.1.12: (root:U:/usr/sbin/sshd) denied executable mmap of /etc/shadow by /usr/sbin/sshd[sshd:26071] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:2383] uid/euid:0/0 gid/egid:0/0


Do you know what can be done to fix this? Thnx in advance.

the way READ_IMPLIES_EXEC works is that once it's set in a process, all of its non-suid children (and theirs, ad infinitum) will inherit it. that's why i suggested that you verify the full execution trace starting from /sbin/init down to bash/gradm and see which executable misses the GNU_STACK header. given the above log, it's either sshd or its parent at some level. also, what part of PaX did you enable? if either of PAGEEXEC or SEGMEXEC is active on a process, READ_IMPLIES_EXEC won't be set on it. if it's not READ_IMPLIES_EXEC that does this to you then i don't know, you should strace something that fails and see what it passes to the failing mmap/mprotect call exactly.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: denied executable mmap of /etc/ld.so.cache

Postby Vincent » Thu Feb 14, 2008 11:26 am

The pax part of my kernel configuration:
Code:
#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
# CONFIG_PAX_NOEXEC is not set

#
# Address Space Layout Randomization
#
# CONFIG_PAX_ASLR is not set

#
# Miscellaneous hardening features
#
# CONFIG_PAX_MEMORY_SANITIZE is not set


And a full strace of gradm doing its job (in admin mode already, otherwise I couldn't strace)
Code:
root@ssh1 ~ # strace gradm -a admin
execve("/sbin/gradm", ["gradm", "-a", "admin"], [/* 20 vars */]) = 0
uname({sys="Linux", node="ssh1", ...})  = 0
brk(0)                                  = 0x80778d0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f68000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=23226, ...}) = 0
mmap2(NULL, 23226, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f62000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240O\1"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=1241392, ...}) = 0
mmap2(NULL, 1247388, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e31000
mmap2(0xb7f58000, 28672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x127) = 0xb7f58000
mmap2(0xb7f5f000, 10396, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f5f000
close(3)                                = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e30000
mprotect(0xb7f58000, 20480, PROT_READ)  = 0
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e308e0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
munmap(0xb7f62000, 23226)               = 0
geteuid32()                             = 0
getuid32()                              = 0
uname({sys="Linux", node="ssh1", ...})  = 0
setrlimit(RLIMIT_CORE, {rlim_cur=0, rlim_max=0}) = 0
brk(0)                                  = 0x80778d0
brk(0x80988d0)                          = 0x80988d0
brk(0x8099000)                          = 0x8099000
getcwd("/root", 4095)                   = 6
mlock(0xbfe5c6e4, 256)                  = 0
ioctl(0, TIOCEXCL, 0xb7f69ab8)          = 0
open("/dev/grsec", O_WRONLY)            = 3
write(3, "4\245\345\277\21!\0\0\34\1\0\0", 12) = 1
close(3)                                = 0
mlock(0xbfe5a520, 256)                  = 0
fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f67000
write(1, "Password: ", 10Password: )              = 10
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, SNDCTL_TMR_START or TCSETS, {B38400 opost isig icanon -echo ...}) = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon -echo ...}) = 0
read(0, "kaplag\n", 128)              = 9
write(1, "\n", 1
)                       = 1
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon -echo ...}) = 0
ioctl(0, SNDCTL_TMR_START or TCSETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
mlock(0x80778e8, 284)                   = 0
open("/dev/grsec", O_WRONLY)            = 3
write(3, "\350x\7\10\21!\0\0\34\1\0\0", 12) = 12
close(3)                                = 0
ioctl(0, TIOCNXCL, 0xc)                 = 0
munmap(0xb7f67000, 4096)                = 0
exit_group(0)                           = ?
Process 562 detached


It is very hard to strace something that fails because, till now, only gradm and sshd children produce this error.
Vincent
 
Posts: 19
Joined: Mon Jan 07, 2008 8:33 am

Re: denied executable mmap of /etc/ld.so.cache

Postby PaX Team » Thu Feb 14, 2008 12:39 pm

Vincent wrote: The pax part of my kernel configuration:

ok, based on this i'm fairly sure that it's the READ_IMPLIES_EXEC behaviour as you don't use PaX so the lack of GNU_STACK on one of your binaries would trigger it. now you have to find out which binary it is, something that is a parent of sshd. as i said, start with init then the rest it executes until it reaches sshd.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
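
The check suggested in the two replies above (walk the execution chain from init down to sshd and find the binary that lacks a GNU_STACK header), as an added example that is not part of the original thread. The function names and the constructed sample header are assumptions of this example; it also reports an explicit executable-stack marking separately, which the posts do not discuss.

```python
import os, struct, sys

PT_GNU_STACK = 0x6474E551   # program header type of the stack marking
PF_X = 0x1                  # the "E" in readelf's Flg column

def gnu_stack_status(data):
    """Classify an ELF image (bytes) as 'missing', 'exec' or 'noexec'."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little endian
    if is64:
        phoff, = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        phoff, = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(phnum):
        off = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            # p_flags is at offset 4 in Elf64_Phdr, offset 24 in Elf32_Phdr
            p_flags, = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
            return "exec" if p_flags & PF_X else "noexec"
    return "missing"

def sample_elf32(phdrs):
    """Constructed test input: ELF32 LE header plus (p_type, p_flags) entries."""
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, fl, 4) for t, fl in phdrs)

def exec_chain(pid):
    """Return [(pid, exe path, status)] from pid up to init, read from /proc."""
    rows = []
    while pid >= 1:
        with open(f"/proc/{pid}/exe", "rb") as f:   # the image actually running
            status = gnu_stack_status(f.read())
        rows.append((pid, os.readlink(f"/proc/{pid}/exe"), status))
        with open(f"/proc/{pid}/stat") as f:        # 4th field is the parent pid
            pid = int(f.read().rsplit(")", 1)[1].split()[1])
    return rows

if __name__ == "__main__":
    # Usage (as root): python3 script.py <pid of the sshd that logged the denial>
    for pid, exe, status in exec_chain(int(sys.argv[1])):
        print(f"{pid:>6}  {status:<8} {exe}")
```

Any row reported as `missing` is a candidate for the binary that sets READ_IMPLIES_EXEC for everything below it; the gradm and bash headers posted earlier in the thread would both classify as `noexec`.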

Re: denied executable mmap of /etc/ld.so.cache

Postby Vincent » Thu Feb 14, 2008 3:55 pm

Ok, thanks for your answers.

Isn't my PaX configuration optimal? Which configuration would you recommend?
Would changing my configuration solve this problem?

Because I must admit I didn't spend much time on configuring the PaX part of my kernel. :oops:
Vincent
 
Posts: 19
Joined: Mon Jan 07, 2008 8:33 am

Re: denied executable mmap of /etc/ld.so.cache

Postby PaX Team » Thu Feb 14, 2008 9:03 pm

Vincent wrote: Isn't my PaX configuration optimal?

that's quite an understatement ;-).

Vincent wrote: Which configuration would you recommend?

enabling these and suboptions would be a good start:
Code:
# CONFIG_PAX_NOEXEC is not set
# CONFIG_PAX_ASLR is not set

Vincent wrote: Would changing my configuration solve this problem?

with SEGMEXEC/PAGEEXEC enabled yes.

Vincent wrote: Because I must admit I didn't spend much time on configuring the PaX part of my kernel. :oops:

that i can tell ;-).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

