unrealircd

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Post by mimosinnet » Sat Dec 05, 2009 4:39 pm

I have just started with grsecurity and I must say I am very impressed with it. I have had an issue with grsecurity and unrealircd. This is the type of message I was getting:

Dec 5 20:22:32 generatech kernel: grsec: From X.X.X.X: denied hardlink of /usr/lib64/unrealircd/modules/cloak.so (owned by 0.0) to tmp/BFC4D0B6.cloak.so for /usr/bin/unrealircd[unrealircd:5432] uid/euid:102/102 gid/egid:1005/1005, parent /sbin/rc[start-stop-daem:5431] uid/euid:0/0 gid/egid:0/0

The solution, following the Gentoo bug [1], has been to include unrealircd in the "trusted" TPE group. My kernel options:
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_TPE_GID=10

Nevertheless, there is the security concern of adding a daemon user to the TPE trusted group, and the suggested patch has not been taken by the unrealircd team [2]. Being a newbie, I am not aware of the security hole implied in having unrealircd in the TPE trusted group, but I imagine it can be partially dealt with by the RBAC system (this is my next task).

Cheers!

[1] http://bugs.gentoo.org/show_bug.cgi?id=223835
[2] http://bugs.unrealircd.org/view.php?id=3705
mimosinnet
 
Posts: 2
Joined: Sat Dec 05, 2009 3:55 pm

Re: unrealircd

Post by spender » Sat Dec 05, 2009 6:23 pm

That hardlink denial is from the linking restrictions, not TPE. Though the denied permission to mmap the .so in /tmp would be from TPE.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: unrealircd

Post by spender » Sat Dec 05, 2009 6:25 pm

Was there no message about a "denied trusted exec"?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: unrealircd

Post by mimosinnet » Sat Dec 05, 2009 7:48 pm

spender wrote: Was there no message about a "denied trusted exec"?

Yes, you are right! This is a detailed account of the events:

# cat /etc/group | grep unrealircd
wheel::10:root,mimosinnet,quiron,marc,apache,unrealircd
unrealircd:x:1005:

# /etc/init.d/unrealircd start
* Starting unrealircd... [ ok ]

/var/log/grsec.log
Dec 6 00:24:20 generatech kernel: grsec: From xxx.xxx.132.210: denied hardlink of /usr/lib64/unrealircd/modules/commands.so (owned by 0.0) to tmp/8AC2A1C1.commands.so for /usr/bin/unrealircd[unrealircd:6804] uid/euid:102/102 gid/egid:1005/1005, parent /sbin/rc[start-stop-daem:6803] uid/euid:0/0 gid/egid:0/0
Dec 6 00:24:20 generatech kernel: grsec: From xxx.xxx.132.210: denied hardlink of /usr/lib64/unrealircd/modules/cloak.so (owned by 0.0) to tmp/6FB671F2.cloak.so for /usr/bin/unrealircd[unrealircd:6804] uid/euid:102/102 gid/egid:1005/1005, parent /sbin/rc[start-stop-daem:6803] uid/euid:0/0 gid/egid:0/0


# usermod -G unrealircd unrealircd
# cat /etc/group | grep unrealircd
unrealircd:x:1005:unrealircd

# /etc/init.d/unrealircd start
* Starting unrealircd... [ !! ]

/var/log/grsec.log
Dec 6 00:27:57 generatech kernel: grsec: From xxx.xxx.132.210: denied hardlink of /usr/lib64/unrealircd/modules/commands.so (owned by 0.0) to tmp/EC049177.commands.so for /usr/bin/unrealircd[unrealircd:6844] uid/euid:102/102 gid/egid:1005/1005, parent /sbin/rc[start-stop-daem:6843] uid/euid:0/0 gid/egid:0/0
Dec 6 00:27:57 generatech kernel: grsec: From xxx.xxx.132.210: denied untrusted exec of /var/lib/unrealircd/EC049177.commands.so by /usr/bin/unrealircd[unrealircd:6844] uid/euid:102/102 gid/egid:1005/1005, parent /sbin/rc[start-stop-daem:6843] uid/euid:0/0 gid/egid:0/0

Therefore, I have to disable CONFIG_GRKERNSEC_LINK and add unrealircd to the GID for trusted users in order to run unrealircd.

Thanks for the hint!
mimosinnet
 
Posts: 2
Joined: Sat Dec 05, 2009 3:55 pm
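
Added example, not part of the thread: a Python sketch that parses grsec denial lines like those quoted above and attributes each one to the kernel feature that produced it, following spender's distinction between the linking restrictions and TPE. The first two sample lines are copied from the last post, the third is constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Denial type -> kernel option, per the thread: hardlink denials come from
# the linking restrictions, "untrusted exec" denials from TPE.
FEATURE = {"hardlink": "CONFIG_GRKERNSEC_LINK",
           "untrusted exec": "CONFIG_GRKERNSEC_TPE"}

# Pattern written against the log lines in this thread only (assumption:
# other grsec messages use other layouts and are simply skipped).
DENIAL = re.compile(
    r"grsec: (?:From (?P<src>\S+): )?denied (?P<kind>hardlink|untrusted exec)"
    r" of (?P<target>\S+)(?: \(owned by (?P<owner>\d+\.\d+)\) to (?P<link>\S+))?"
    r" (?:for|by) (?P<exe>[^\[\s]+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
    r" uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+)")

def parse_denial(line):
    """Return a dict describing one grsec denial, or None if no match."""
    m = DENIAL.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["feature"] = FEATURE[rec["kind"]]
    for key in ("pid", "uid", "euid", "gid", "egid"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Count denials per (executable, uid, responsible kernel option)."""
    counts = Counter()
    for line in lines:
        rec = parse_denial(line)
        if rec:
            counts[(rec["exe"], rec["uid"], rec["feature"])] += 1
    return counts

SAMPLE = [
    # Copied from the thread's last post.
    "Dec 6 00:27:57 generatech kernel: grsec: From xxx.xxx.132.210: denied hardlink of /usr/lib64/unrealircd/modules/commands.so (owned by 0.0) to tmp/EC049177.commands.so for /usr/bin/unrealircd[unrealircd:6844] uid/euid:102/102 gid/egid:1005/1005, parent /sbin/rc[start-stop-daem:6843] uid/euid:0/0 gid/egid:0/0",
    "Dec 6 00:27:57 generatech kernel: grsec: From xxx.xxx.132.210: denied untrusted exec of /var/lib/unrealircd/EC049177.commands.so by /usr/bin/unrealircd[unrealircd:6844] uid/euid:102/102 gid/egid:1005/1005, parent /sbin/rc[start-stop-daem:6843] uid/euid:0/0 gid/egid:0/0",
    # Constructed non-grsec line, to show it is skipped.
    "Dec 6 00:28:01 generatech kernel: eth0: link is up",
]

if __name__ == "__main__":
    for (exe, uid, feature), n in sorted(summarize(SAMPLE).items()):
        print(f"{n} denial(s) for {exe} (uid {uid}) from {feature}")
```

Grouping by feature before changing the kernel configuration shows which option each denial belongs to, so only the restriction that actually fired needs to be reviewed.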

