Bug 202616 - net-im/ejabberd installation conflicts with GSecurity Trusted Path Execution option
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Net-im project
Depends on: 281366
Reported: 2007-12-17 20:22 UTC by Petr Polezhaev
Modified: 2010-06-21 08:00 UTC (History)
Attachments
expected sasl.log (with fixed permissions) (sasl.log, 21.00 KB, text/plain), 2007-12-17 20:25 UTC, Petr Polezhaev
error sasl.log (with wrong permissions) (sasl.log, 14.15 KB, text/plain), 2007-12-17 20:30 UTC, Petr Polezhaev

Description Petr Polezhaev 2007-12-17 20:22:44 UTC
Ejabberd fails to load the library stringprep_drv.so if TPE is turned on for the user jabber, because /usr/lib/erlang/ejabberd-xxx/priv/lib is unnecessarily owned by the jabber user (TPE wants every exec dir owned by root and writable only by root, otherwise the exec is rejected). The result: ejabberd crashes 5 seconds after start.

I assigned this bug as an ebuild bug, because it could be fixed in the ebuild by changing directory permissions.

Sorry for bad English.

Reproducible: Always

Steps to Reproduce:
1. Compile hardened-sources with gsec "Security Level" set to "Hardened (Gentoo)", or just turn on trusted path execution for some group and add "jabber" to it (or turn it on for everyone but some group, as I have).
2. Run ejabberd.

Actual Results:  
Look in /var/log/jabber/sasl.log for the big error. Just before it you may notice another, the main error, about loading the stringprep module.

Expected Results:  
Just work

Portage 2.1.4_rc10 (hardened/x86/2.6, gcc-3.4.6, glibc-2.7-r1, 2.6.23-hardened-r3 i686)
=================================================================
System uname: 2.6.23-hardened-r3 i686 Intel(R) Celeron(R) CPU 2.00GHz
Timestamp of tree: Sun, 16 Dec 2007 22:16:01 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
app-shells/bash:     3.2_p17-r1
dev-java/java-config: 1.3.7, 2.1.3
dev-lang/python:     2.4.3-r4, 2.5.1-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/baselayout: 1.12.10-r5
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.61-r1
sys-devel/automake:  1.7.9-r1, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.23-r2
ACCEPT_KEYWORDS="x86 ~x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=i686 -O2 -pipe -fforce-addr"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=i686 -O2 -pipe -fforce-addr"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://trumpetti.atm.tut.fi/gentoo/ ftp://trumpetti.atm.tut.fi/gentoo/ http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ http://ftp.heanet.ie/pub/gentoo/ ftp://ftp.heanet.ie/pub/gentoo/ http://ftp.iij.ad.jp/pub/linux/gentoo/ ftp://ftp.iij.ad.jp/pub/linux/gentoo/ http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LANG="ru_RU.UTF-8"
LC_ALL=""
LINGUAS="ru"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/webapps-experimental"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="apache2 berkdb clamav cracklib crypt hardened ipv6 kerberos ldap midi mmx nls nptl nptlonly pam pic postgres readline samba sasl sse sse2 ssl tcpd unicode urandom vhosts vim-syntax x86 xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="prefork" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="ru" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Petr Polezhaev 2007-12-17 20:25:57 UTC
Created attachment 138771 [details]
expected sasl.log (with fixed permissions)

In addition, the grsec error string from the 'critical' syslog:

Dec 18 00:05:41 [kernel] grsec: From 192.168.2.3: denied untrusted exec of /usr/lib/erlang/lib/ejabberd-1.1.4/priv/lib/stringprep_drv.so by /usr/lib/erlang/erts-5.5.5/bin/beam[beam:5929] uid/euid:106/106 gid/egid:1006/1006, parent /usr/bin/ejabberd[ejabberd:5927] uid/euid:106/106 gid/egid:1006/1006
Comment 2 Petr Polezhaev 2007-12-17 20:30:40 UTC
Created attachment 138774 [details]
error sasl.log (with wrong permissions)

Sorry, I've forgotten to change directory permissions, so the previous log is normal.
This is the true error log.
Comment 3 Evgeny 2008-05-25 07:52:00 UTC
Bumping this as it still is present in all the versions. Looking at the date this bug was reported makes me wonder whether this issue is a bug or actually a feature... :)

Relevant log record:

May 25 03:27:10 main grsec: From 172.22.0.13: denied untrusted exec of /usr/lib/erlang/lib/ejabberd-2.0.1_p2/priv/lib/stringprep_drv.so by /usr/lib/erlang/erts-5.6.2/bin/beam[beam:26835] uid/euid:104/104 gid/egid:443/443, parent /sbin/runscript.sh[runscript.sh:26832] uid/euid:0/0 gid/egid:0/0

Portage 2.1.5.2 (hardened/x86/2.6, gcc-3.4.6, glibc-2.6.1-r0, 2.6.23-hardened-r11 i686)
=================================================================
System uname: 2.6.23-hardened-r11 i686 Intel(R) Celeron(R) CPU 2.66GHz
Timestamp of tree: Sun, 25 May 2008 05:17:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p39
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.4.4-r9
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.61-r1
sys-devel/automake:  1.7.9-r1, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer"
DISTDIR="/mnt/linux/distfiles"
FEATURES="autoconfig ccache distlocks parallel-fetch sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
LDFLAGS=""
LINGUAS="ru"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage.overlay"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X apache2 berkdb cracklib crypt gdbm gpm hardened libg++ midi nls nptl nptlonly pam pic qt3 qt4 readline ssl tcpd threads udev unicode urandom x86 xorg zlib" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="access auth proxy proxy-http cgi cgid dav dav_fs authz_host mime dir svn authn_file auth_basic authz_user alias" APACHE2_MPMS="prefork" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="ru" USERLAND="GNU" VIDEO_CARDS="vesa sis dummy vga i810"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 4 Petr Polezhaev 2008-05-25 12:41:28 UTC
Severity back to 'major', because ejabberd just won't work with this bug.
Comment 5 Caleb Tennis (RETIRED) gentoo-dev 2008-05-25 12:57:50 UTC
What's the fix for this then?
Comment 6 Petr Polezhaev 2008-05-25 13:08:22 UTC
These directories must be owned by root and be writable only by root:
/usr/lib/erlang/lib/ejabberd-*/priv/lib/
/usr/lib/erlang/lib/ejabberd-*/priv/bin

Actually, all of
/usr/lib/erlang/lib/ejabberd-*/

can be owned by root, as ejabberd doesn't need write access to these dirs, but maybe erlang needs it (on /usr/lib/erlang/lib/ejabberd-*/ebin/)?
Comment 7 Peter Volkov (RETIRED) gentoo-dev 2010-01-18 21:11:29 UTC
I'm going to fix this together with version bump.
Comment 8 Petr Polezhaev 2010-01-19 11:29:09 UTC
I'm sure now that the whole /usr/lib/erlang/lib/ directory should not contain any files writable by non-root users; otherwise it is a bug in the corresponding software. Ejabberd in its current state has no such bugs.
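As an added example (not from this bug report, the ejabberd ebuild or grsecurity itself), a POSIX shell audit for the conditions Comments 6 and 8 describe: every directory and file under a library tree such as /usr/lib/erlang/lib/ should be owned by root and carry no group/other write bit. The function names and the OWNER parameter (default root, overridable so the check can be exercised on a scratch tree as an unprivileged user) are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the bug report. Audits a tree for the
# ownership/permission conditions the report describes for grsecurity TPE:
# the directory holding an executable (here also the .so files themselves)
# must be owned by root and writable by nobody but its owner.

# tpe_audit DIR [OWNER]
# Prints every directory or regular file under DIR that is either not owned
# by OWNER (default root) or writable by group/other. -perm /022 matches when
# any of the g+w / o+w bits is set (GNU find syntax).
tpe_audit() {
    dir=$1
    owner=${2:-root}
    find "$dir" \( -type d -o -type f \) \
        \( ! -user "$owner" -o -perm /022 \) -print | sort
}

# tpe_audit_count DIR [OWNER]
# Number of offending paths; 0 means the tree satisfies the conditions.
tpe_audit_count() {
    tpe_audit "$1" "$2" | wc -l | tr -d ' '
}

# tpe_fix DIR
# The remedy Comment 6 asks for: hand the tree to root and strip group/other
# write bits. Must be run as root; ebuild-side, the same effect is achieved by
# installing the files root-owned in the first place.
tpe_fix() {
    chown -R root:root "$1"
    chmod -R go-w "$1"
}
```

Run `tpe_audit /usr/lib/erlang/lib` on a hardened host before enabling TPE for the jabber user; an empty result means the grsec "denied untrusted exec" line quoted above cannot be triggered by ownership or mode alone.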
Comment 9 Peter Volkov (RETIRED) gentoo-dev 2010-06-21 08:00:31 UTC
Should be fixed in 2.1.4.