Bug 183184 - net-irc/unrealircd-3.2.6-r1 does not run under grsecurity
Summary: net-irc/unrealircd-3.2.6-r1 does not run under grsecurity
Status: VERIFIED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: High normal
Assignee: The Gentoo Linux Hardened Team
Reported: 2007-06-25 19:38 UTC by Jaak Ristioja
Modified: 2008-06-05 17:44 UTC (History)
Attachments
emerge --info (emerge.info,2.34 KB, text/plain)
2007-07-08 17:48 UTC, Jaak Ristioja
config (config,43.12 KB, text/plain)
2007-07-08 17:51 UTC, Jaak Ristioja

Description Jaak Ristioja 2007-06-25 19:38:45 UTC
"/etc/init.d/unrealircd start" fails and results in the following kernel messages (2.6.20-hardened-r5):

grsec: From 192.168.1.64: denied hardlink of /usr/lib/unrealircd/modules/commands.so (owned by 0.0) to tmp/625A5E94.commands.so for /usr/bin/unrealircd[unrealircd:21207] uid/euid:101/101 gid/egid:101/101, parent /sbin/runscript.sh[runscript.sh:21204] uid/euid:0/0 gid/egid:0/0
grsec: From 192.168.1.64: denied untrusted exec of /var/lib/unrealircd/625A5E94.commands.so by /usr/bin/unrealircd[unrealircd:21207] uid/euid:101/101 gid/egid:101/101, parent /sbin/runscript.sh[runscript.sh:21204] uid/euid:0/0 gid/egid:0/0

I hope this is the right place to file this bug (?). Please notify me of anything I could provide to help solve this bug (in case you can/will try to solve this). Thanks.
Comment 1 Christian Heim (RETIRED) gentoo-dev 2007-07-08 17:16:53 UTC
Could you please post your emerge --info and the kernel config and reopen the bug afterwards?
Comment 2 Jaak Ristioja 2007-07-08 17:48:34 UTC
Created attachment 124254
emerge --info
Comment 3 Jaak Ristioja 2007-07-08 17:51:01 UTC
Created attachment 124255
config

hardened-sources-2.6.20-r5 kernel configuration
Comment 4 Jaak Ristioja 2007-07-08 17:51:59 UTC
Reopening.
Comment 5 solar (RETIRED) gentoo-dev 2007-07-08 18:31:10 UTC
You have grsec linking restrictions enabled and you are trying to hardlink to 
those files as a user. This is exactly what that option prevents and is 
expected/desired. Either make it use a soft link or disable the option.

Try to disable this option in your kernel.
CONFIG_GRKERNSEC_SYSCTL_ON

- CONFIG_GRKERNSEC_SYSCTL_ON=y
+ #CONFIG_GRKERNSEC_SYSCTL_ON is not set

then use /etc/sysctl.conf to control grsec.
sysctl -a | grep grsec | less
Comment 6 Jaak Ristioja 2007-07-08 19:45:59 UTC
Browsing the unrealircd source, it appeared that unrealircd just copies the file when it fails to hard link, so that was not the problem.

However, unrealircd failed to run that copied file, because TPE (trusted path execution) was enabled and the UID it was running under was not in the group of trusted users set in the kernel config.

Anyway, thanks for your support. I am sorry for bothering you all!
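
Added example, not part of the bug thread and not grsecurity or unrealircd code: a parser for the two denial messages quoted in the description that attributes each one to the grsecurity feature named in comments 5 and 6. The function names and feature labels are assumptions made for this example, and the regex covers only the two message shapes shown on this page.

```python
import re

# Log lines copied from the bug description on this page.
SAMPLE_LOG = """\
grsec: From 192.168.1.64: denied hardlink of /usr/lib/unrealircd/modules/commands.so (owned by 0.0) to tmp/625A5E94.commands.so for /usr/bin/unrealircd[unrealircd:21207] uid/euid:101/101 gid/egid:101/101, parent /sbin/runscript.sh[runscript.sh:21204] uid/euid:0/0 gid/egid:0/0
grsec: From 192.168.1.64: denied untrusted exec of /var/lib/unrealircd/625A5E94.commands.so by /usr/bin/unrealircd[unrealircd:21207] uid/euid:101/101 gid/egid:101/101, parent /sbin/runscript.sh[runscript.sh:21204] uid/euid:0/0 gid/egid:0/0
"""

# Denial wording -> feature, per comments 5 and 6 (labels chosen for this example).
FEATURES = {
    "hardlink": "linking restrictions",
    "untrusted exec": "trusted path execution (TPE)",
}

# "(owned by 0.0)" also contains " by ", so the subject must be followed by "[comm:pid]".
LINE_RE = re.compile(
    r"grsec: (?:From (?P<src>\S+): )?denied (?P<action>hardlink|untrusted exec) of "
    r"(?P<target>\S+).*? (?:for|by) (?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<parent>\S+)\["
)

def parse_denials(log_text):
    """Return one dict per recognised grsec denial line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["feature"] = FEATURES[ev["action"]]
        # Unprivileged subject: neither the real nor the effective uid is 0.
        ev["unprivileged"] = ev["uid"] != "0" and ev["euid"] != "0"
        events.append(ev)
    return events

def summarize(events):
    """Group denials by (executable, uid) so one failing service reads as one entry."""
    summary = {}
    for ev in events:
        summary.setdefault((ev["exe"], int(ev["uid"])), []).append((ev["feature"], ev["target"]))
    return summary

if __name__ == "__main__":
    for (exe, uid), hits in summarize(parse_denials(SAMPLE_LOG)).items():
        print(f"{exe} (uid {uid}):")
        for feature, target in hits:
            print(f"  blocked by {feature}: {target}")
```

The log alone does not show which denial stopped the daemon; the grouping only separates the two features so each can be checked against the kernel configuration.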