Summary: | net-im/ejabberd installation conflicts with GSecurity Trusted Path Execution option | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Petr Polezhaev <NightNord> |
Component: | New packages | Assignee: | Gentoo Net-im project <net-im> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | dschridde+gentoobugs |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 281366 | ||
Bug Blocks: | |||
Attachments: |
expected sasl.log (with fixed permissions)
error sasl.log (with wrong permissions) |
Description
Petr Polezhaev
2007-12-17 20:22:44 UTC
Created attachment 138771 [details]
expected sasl.log (with fixed permissions)
In addition, the grsec error string from the 'critical' syslog:
Dec 18 00:05:41 [kernel] grsec: From 192.168.2.3: denied untrusted exec of /usr/lib/erlang/lib/ejabberd-1.1.4/priv/lib/stringprep_drv.so by /usr/lib/erlang/erts-5.5.5/bin/beam[beam:5929] uid/euid:106/106 gid/egid:1006/1006, parent /usr/bin/ejabberd[ejabberd:5927] uid/euid:106/106 gid/egid:1006/1006
Created attachment 138774 [details]
error sasl.log (with wrong permissions)
Sorry, I've forgotten to change the directory permissions, so the previous log is normal.
This is the real error log.
Bumping this as it still is present in all the versions. Looking at the date this bug was reported makes me wonder whether this issue is a bug or actually a feature... :)

Relevant log record:

May 25 03:27:10 main grsec: From 172.22.0.13: denied untrusted exec of /usr/lib/erlang/lib/ejabberd-2.0.1_p2/priv/lib/stringprep_drv.so by /usr/lib/erlang/erts-5.6.2/bin/beam[beam:26835] uid/euid:104/104 gid/egid:443/443, parent /sbin/runscript.sh[runscript.sh:26832] uid/euid:0/0 gid/egid:0/0

Portage 2.1.5.2 (hardened/x86/2.6, gcc-3.4.6, glibc-2.6.1-r0, 2.6.23-hardened-r11 i686)
=================================================================
System uname: 2.6.23-hardened-r11 i686 Intel(R) Celeron(R) CPU 2.66GHz
Timestamp of tree: Sun, 25 May 2008 05:17:01 +0000
ccache version 2.4 [enabled]
app-shells/bash: 3.2_p39
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python: 2.4.4-r9
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache: 2.4-r7
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.61-r1
sys-devel/automake: 1.7.9-r1, 1.9.6-r2, 1.10.1
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.26
virtual/os-headers: 2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer"
DISTDIR="/mnt/linux/distfiles"
FEATURES="autoconfig ccache distlocks parallel-fetch sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
LDFLAGS=""
LINGUAS="ru"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage.overlay"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X apache2 berkdb cracklib crypt gdbm gpm hardened libg++ midi nls nptl nptlonly pam pic qt3 qt4 readline ssl tcpd threads udev unicode urandom x86 xorg zlib"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="access auth proxy proxy-http cgi cgid dav dav_fs authz_host mime dir svn authn_file auth_basic authz_user alias"
APACHE2_MPMS="prefork"
ELIBC="glibc"
INPUT_DEVICES="mouse keyboard"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="ru"
USERLAND="GNU"
VIDEO_CARDS="vesa sis dummy vga i810"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Severity back to 'major', because ejabberd just won't work with this bug.

What's the fix for this then?

These directories must be owned by root and be writable only by root:
/usr/lib/erlang/lib/ejabberd-*/priv/lib/
/usr/lib/erlang/lib/ejabberd-*/priv/bin
Actually, all of /usr/lib/erlang/lib/ejabberd-*/ can be owned by root, while ejabberd doesn't need write access on these dirs, but maybe erlang needs it (on /usr/lib/erlang/lib/ejabberd-*/ebin/)?

I'm going to fix this together with the version bump.

I'm sure now that the whole /usr/lib/erlang/lib/ directory should not contain any non-root-writable files - otherwise this is a bug of the corresponding software. Ejabberd in its current state has no such bugs.

Should be fixed in 2.1.4.
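The grsec log lines in this bug are Trusted Path Execution refusing to load stringprep_drv.so because its directory was not root-owned and writable only by root, which is exactly the condition the later comments fix by hand. The script below is an added example written for this page (it is not code from the ejabberd ebuild, Gentoo or grsecurity) that audits a library tree for that condition and applies the remediation the thread settled on. The OWNER parameter is an assumption added so the check can be exercised as an unprivileged user; on a real system it defaults to root and tpe_fix needs root to run.

```shell
#!/bin/sh
# Added example for this bug report (not code from ejabberd, Gentoo or grsecurity).
# Lists every path under a tree that would make grsecurity TPE treat an
# executable or shared object in it as "untrusted": not owned by OWNER, or
# writable by group or others.

# tpe_audit DIR [OWNER]: print offending paths; exit 0 if the tree is clean,
# 1 if anything was flagged, 2 if DIR is not a directory.
tpe_audit() {
    dir=$1
    owner=${2:-root}            # OWNER is a hypothetical knob; real systems use root
    [ -d "$dir" ] || { echo "tpe_audit: not a directory: $dir" >&2; return 2; }
    # All predicates are POSIX find: -user, and -perm -g=w / -perm -o=w
    # (symbolic mode with a leading '-' means "all of these bits are set").
    hits=$(find "$dir" \( ! -user "$owner" -o -perm -g=w -o -perm -o=w \) -print)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# tpe_fix DIR [OWNER]: the remediation from the thread, applied to a whole tree:
# make everything OWNER-owned and strip group/other write bits, leaving the
# remaining permission bits untouched.
tpe_fix() {
    dir=$1
    owner=${2:-root}
    chown -R "$owner" "$dir" && chmod -R go-w "$dir"
}

# Stand-alone use on the path from the bug (needs root for the fix step):
#   tpe_audit /usr/lib/erlang/lib || tpe_fix /usr/lib/erlang/lib
```

Running the audit before starting beam under a TPE-enabled kernel turns the "denied untrusted exec" surprise into a deterministic pre-flight check; the fix step is deliberately separate so an operator can review the flagged list first.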