store | blogs | forums | twitter | facebook | wiki | downloads | support portal
Atomic Secure Linux
It is currently Wed Nov 26, 2014 5:51 am

» Feed - Atomicorp

All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 10 posts ] 
Author Message
 Post subject: grsec and gd?
Unread postPosted: Sat May 14, 2005 6:33 pm 
Offline
Long Time Forum Regular
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2107
OK, any pointers as to what the heck I'm doing wrong?

On my test machine, I just updated the grsec kernel and php (kernel is 30.3 and php is 4.3.11.-7) on rh9

I wanted to check that gd was working -- it didn't seem to be. Then I found that the actual culprit was the grsec kernel. When I run the php file that calls gd functions, I get:

Code:
kernel: PAX: From 192.168.0.14: execution attempt in: <NULL>, 00000000-00000000 00000000
kernel: PAX: terminating task: /usr/sbin/httpd(httpd):23167, uid/euid: 48/48, PC: 00001ef1, SP: 5d54690c
kernel: PAX: bytes at PC: <invalid address>.
kernel: PAX: bytes at SP: 27e65a9a 083235c0 00002000 000002a0 27e6b44c 27d28a6e 00000000 5d5469c8 27e5d8d1 083235c0 00002000 27c419$


(other php files work fine)

Now I don't want to chpax -spmr httpd, but I tried to do it anyway, and got the kind of error message I associate with trying to use chpax when grsec isn't loaded: "Text file in use"

Then I thought "Hang on -- gradm is now installed. I wonder if that has anything to do with this?"

But "gradm -anything-except-help" gives me a "Could not open dev/gradm" error.

So, what's changed? What am I doing wrong?

Thanks,

Faris.


Top
 Profile  
 
 Post subject: OK, a few questions
Unread postPosted: Sun May 15, 2005 2:50 pm 
Do you have this device:

/dev/grsec (gradm needs that)

What version of gradm are you running?

gradm --version

And which kernel:

uname -a


Top
  
 
 Post subject:
Unread postPosted: Sun May 15, 2005 3:07 pm 
Offline
Long Time Forum Regular
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2107
Yup - /dev/grsec exists:

Code:
crw--w--w-    1 root     root       1,  10 May 14 11:51 /dev/grsec


But, for example:

Code:
# gradm -D
Could not open /dev/grsec.
open: No such device or address



Gradm os 2.1.4:

Code:
gradm v2.1.4



Kernel is 2.4.30-3

Code:
2.4.30-3.art



These are all installed via a "yum update" along with php 4.3.11-7.

Faris.

p.s. this is all under RedHat 9 under vmware5.


Top
 Profile  
 
 Post subject: OK, theres a bug in that version
Unread postPosted: Sun May 15, 2005 3:29 pm 
OK, theres a bug in that version. We'll put out an update shortly. The minor number is wrong on the /dev/grsec device in that version, which is why gradm thinks it doesn't exist.

Regardless, this isn't whats causing the httpd PAX log entires. None of the RBAC rules are loaded unless you enable them, so its not gradm thats causing the problem. Its in one of the libraries, we're tracking it down now to see if a simple chpax will solve the problem.

Try this in the short term, try chpax -emrpsx on your libgd libraries.


Top
  
 
 Post subject: OK, try this to fix gradm
Unread postPosted: Sun May 15, 2005 3:38 pm 
rm /dev/grsec
mknod -m 0622 /dev/grsec c 1 12

That should fix the minor number and allow you to run gradm. To see if its working, try this:

gradm -S

Also, if you have never set a password gradm, you will need to run this:

gradm -P


Top
  
 
 Post subject:
Unread postPosted: Sun May 15, 2005 4:30 pm 
Offline
Long Time Forum Regular
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2107
Thanks Mike. I'll give it a go.

But what exactly am I doing here? (changing the minor number, obviously, but what it that/what is this about?)

Quote:
rm /dev/grsec
mknod -m 0622 /dev/grsec c 1 12

That should fix the minor number and allow you to run gradm.


Faris.


Top
 Profile  
 
 Post subject: minor number
Unread postPosted: Sun May 15, 2005 4:41 pm 
Thats a special device (/dev/grsec) and for gradm to work, the device has to be configured correctly. gradm uses that device to communicate with the kernel (to change the ACLs, read the status, etc.)


Top
  
 
 Post subject:
Unread postPosted: Sun May 15, 2005 4:46 pm 
Offline
Long Time Forum Regular
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2107
Hmm. Errm.....

gradm -S doesn't give an error. Just nothing.

I did a gradm -P and set a password.

Then I did a gradm -a admin then entered the above password and got the following:

"You are using incompatible versions of gradm and grsecurity.
Please update both versions to the ones available on the website.
Make sure your gradm has been compiled for the kernel you are currently running."


chpax -e(etc) on
/usr/lib/libgd.so.1
/usr/lib/libgd.so.1.8
/usr/lib/libgd.so.1.8.4

Didn't help. I still get the PAX error. But I didn't get the "text file in use" error, so at least we have got over that hurdle :-)

Did I do this on the right files?

Faris.


Top
 Profile  
 
 Post subject: php
Unread postPosted: Sun May 15, 2005 5:17 pm 
Also, forgot to ask, which version of php is installed on your system?


Top
  
 
 Post subject:
Unread postPosted: Mon Jun 27, 2005 9:02 am 
Offline
Long Time Forum Regular
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2107
Sorry mike. I didn't see your reply until now.

Everything seems to work fine with the latest everything installed.

Faris.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 10 posts ] 

» Feed - Atomicorp

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: Yahoo [Bot] and 5 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group