Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 545612

Summary: www-servers/nginx: denied bad rename of /var/lib/nginx/tmp/fastcgi
Product: Gentoo Linux Reporter: cyberbat <cyberbat83>
Component: HardenedAssignee: The Gentoo Linux Hardened Team <hardened>
Status: RESOLVED NEEDINFO    
Severity: normal CC: bugs, whissi
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description cyberbat 2015-04-05 12:28:40 UTC 
Seems that after updating to sys-kernel/hardened-sources-3.18.9
I begin to receive a lot of such records in log:
 Apr  5 15:25:25 ded2 kernel: grsec: From 61.213.104.54: denied bad rename of /var/lib/nginx/tmp/fastcgi/4/37/0000000374 out of a chroot by /usr/sbin/nginx[nginx:26765] uid/euid:102/102 gid/egid:122/122, parent /usr/sbin/nginx[nginx:26764] uid/euid:0/0 gid/egid:0/0

I use www-servers/nginx-1.7.6

emerge --info
Portage 2.2.14 (python 3.3.5-final-0, hardened/linux/amd64/no-multilib, gcc-4.8.4, glibc-2.20-r2, 3.18.9-hardened x86_64)
=================================================================
System uname: Linux-3.18.9-hardened-x86_64-Intel-R-_Xeon-R-_CPU_W3565_@_3.20GHz-with-gentoo-2.2
KiB Mem:    49521836 total,  26915436 free
KiB Swap:    8589308 total,   8589308 free
Timestamp of tree: Sun, 05 Apr 2015 08:45:01 +0000
ld GNU ld (Gentoo 2.24 p1.4) 2.24
app-shells/bash:          4.2_p53
dev-lang/perl:            5.20.2
dev-lang/python:          2.7.9-r1, 3.3.5-r1, 3.4.1
dev-util/cmake:           2.8.12.2-r1
dev-util/pkgconfig:       0.28-r1
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.13.11
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.69
sys-devel/automake:       1.13.4
sys-devel/binutils:       2.24-r3
sys-devel/gcc:            4.7.3-r1, 4.8.4
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.6
sys-devel/make:           4.1-r1
sys-kernel/linux-headers: 3.18 (virtual/os-headers)
sys-libs/glibc:           2.20-r2
Repositories: gentoo mylay
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=native"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.5/ext-active/ /etc/php/cgi-php5.5/ext-active/ /etc/php/cli-php5.5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=native"
DISTDIR="/var/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildpkg config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="ftp://gentoo.mirrors.ovh.net/gentoo-distfiles/"
LANG="ru_RU.utf8"
LDFLAGS="-Wl,--hash-style=gnu -Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j8"
PKGDIR="/var/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/portage/mylay"
SYNC="rsync://rsync1.fr.gentoo.org/gentoo-portage"
USE="acl amd64 bash-completion bzip2 caps cli cracklib crypt cxx dri gmp gnutls hardened iconv icu idn ipv6 justify mmap mmx mmxext modules mysql mysqli ncurses nls nptl openmp pam pax_kernel pcre readline session sse sse2 ssl ssse3 symlink threads tls udev unicode urandom vhosts vim-syntax xattr xml xtpax zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="ru en" NGINX_MODULES_HTTP="access auth_basic autoindex browser charset empty_gif fastcgi fancyindex geo gzip limit_req limit_conn map naxsi proxy referer rewrite split_clients spdy stub_status upload_progress userid" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python3_3" PYTHON_TARGETS="python3_3" RUBY_TARGETS="ruby19 ruby20" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="3.3"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Johan Bergström 2015-06-26 03:18:05 UTC 
Can you try pax-marking the binary and see if it persists? There seems to be a few flags that might be relevant (GRKERNSEC_CHROOT_RENAME comes to mind). Since I don't have a grsec kernel I'd appreciate if you could try a few different options and let me know what works for you.
Comment 2 cyberbat 2015-07-09 12:14:27 UTC 
(In reply to Johan Bergström from comment #1)
> Can you try pax-marking the binary and see if it persists? There seems to be
> a few flags that might be relevant (GRKERNSEC_CHROOT_RENAME comes to mind).
> Since I don't have a grsec kernel I'd appreciate if you could try a few
> different options and let me know what works for you.

It seems that I can't turn off GRKERNSEC_CHROOT_RENAME for nginx binary using paxctl.
Comment 3 cyberbat 2015-07-09 15:58:39 UTC 
Turning sysctl kernel.grsecurity.chroot_deny_bad_rename=0 fix the situation. But it will be much better if nginx don't make such "bad" things.

BTW, I've tried nginx 1.8.0 and issue still happens.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2016-07-20 00:34:08 UTC 
This is probably something we have to show upstream. Could you please re-test with recent >=www-servers/nginx-1.10.1 if nginx still triggers these warnings?