[grsec] Problem with protected tasks

Marc Schiffbauer marc at schiffbauer.net
Wed Dec 15 08:05:52 EST 2004


Hi all,

For my root role, I want to use the "p" flag for server daemon subjects to
protect those processes.

Two questions about this:

- The 1.9.x RBAC doc says for subject mode "p":

"p  This process is protected;  it can only be killed by processes
with the k mode, or by processes within the same subject."

How can one explain, then, that sshd cannot send signals to itself
anymore?

grsec: From <ip>: (root:U:/usr/sbin/sshd) Attempted send of signal 1 to protected task /usr/sbin/sshd[sshd:9823] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4758] uid/euid:0/0 gid/egid:0/0 by /usr/sbin/sshd[sshd:9823] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4758] uid/euid:0/0 gid/egid:0/0
grsec: From <ip>: (root:U:/usr/sbin/sshd) Attempted send of signal 18 to protected task /usr/sbin/sshd[sshd:9823] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4758] uid/euid:0/0 gid/egid:0/0 by /usr/sbin/sshd[sshd:9823] uid/euid:0/0 gid/egid:0/0, parent

This is the subject for sshd in role root:

subject /usr/sbin/sshd dpo {
        /
        /bin                            h
        /bin/bash
        /dev                            h
        /dev/log                        rw
        /dev/null                       rw
        /dev/ptmx                       rw
        /dev/pts                        rw
        /dev/tty                        rw
        /dev/urandom                    r
        /etc                            r
        /etc/grsec                      h
        /proc
        /proc/kcore                     h
        /proc/sys                       h
        /usr                            h
        /usr/X11R6/bin
        /usr/lib
        /usr/lib/libcrypto.so.0.9.6     rx
        /usr/lib/libz.so.1.1.4          rx
        /usr/sbin/sshd                  x
        /usr/share/zoneinfo/Europe/Berlin       r
        /var                            h
        /var/log
        /var/log/lastlog                rw
        /var/log/wtmp                   w
        /var/run
        /var/run/sshd.pid               wcd
        /var/run/utmp                   rw
        /home                           r
        /lib                            rx
        -CAP_ALL
        +CAP_CHOWN
        +CAP_DAC_OVERRIDE
        +CAP_FOWNER
        +CAP_FSETID
        +CAP_SETGID
        +CAP_SETUID
        +CAP_NET_BIND_SERVICE
        +CAP_SYS_CHROOT
        +CAP_SYS_RESOURCE
        +CAP_SYS_TTY_CONFIG
        bind 0.0.0.0/32:0 stream dgram ip tcp
        bind 0.0.0.0/32:22 stream dgram ip tcp
        bind 0.0.0.0/32:563 stream dgram ip tcp
        bind 127.0.0.1/32:6010 stream tcp
        bind 127.0.0.1/32:6011 stream tcp
        connect 0.0.0.0/0:53 dgram udp
}


* And second:
what does the following log line tell me?

grsec: From <ip>: (root:U:/usr/sbin/proftpd) Attempted send of signal 0 to protected task /usr/sbin/proftpd[proftpd:24513] uid/euid:0/104 gid/egid:65534/65534, parent /usr/sbin/inetd[inetd:12887] uid/euid:0/0 gid/egid:0/0 by /usr/sbin/proftpd[proftpd:31797] uid/euid:0/104 gid/egid:65534/65534, parent /usr/sbin/inetd[inetd:12887] uid/euid:0/0 gid/egid:0/0


Thanks for a hint.
-Marc
-- 
+-O . . . o . . . O . . . o . . . O . . .  ___  . . . O . . . o .-+
| A service of Links2Linux.de:            /  o\   RPMs for SuSE   |
| --> PackMan! <-- details at            |   __|   and  others    |
| http://packman.links2linux.de/ . . . O  \__\  . . . O . . . O . |
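Added example (not part of the post, and not grsecurity's own code): a small Python parser for the "Attempted send of signal N to protected task ..." lines quoted above, with a classifier that states what each line records about who signalled whom. The sample input is a constructed copy of the three log lines from the post (the second one truncated exactly as it is there, "<ip>" left as written). It assumes only the field order visible in those lines; the signal names come from the host's own signal numbering (SIGHUP=1, SIGCONT=18 on x86 Linux), and signal 0 is the null signal that kill(2) uses as an existence probe without delivering anything. The "self" and "sibling" relations are derived purely from the PIDs in the line: the two sshd denials are a process signalling its own PID, and the proftpd denial is one inetd child probing another.

```python
import re
import signal
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the three lines quoted in the post above.
SAMPLE_LOG = """\
grsec: From <ip>: (root:U:/usr/sbin/sshd) Attempted send of signal 1 to protected task /usr/sbin/sshd[sshd:9823] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4758] uid/euid:0/0 gid/egid:0/0 by /usr/sbin/sshd[sshd:9823] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4758] uid/euid:0/0 gid/egid:0/0
grsec: From <ip>: (root:U:/usr/sbin/sshd) Attempted send of signal 18 to protected task /usr/sbin/sshd[sshd:9823] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4758] uid/euid:0/0 gid/egid:0/0 by /usr/sbin/sshd[sshd:9823] uid/euid:0/0 gid/egid:0/0, parent
grsec: From <ip>: (root:U:/usr/sbin/proftpd) Attempted send of signal 0 to protected task /usr/sbin/proftpd[proftpd:24513] uid/euid:0/104 gid/egid:65534/65534, parent /usr/sbin/inetd[inetd:12887] uid/euid:0/0 gid/egid:0/0 by /usr/sbin/proftpd[proftpd:31797] uid/euid:0/104 gid/egid:65534/65534, parent /usr/sbin/inetd[inetd:12887] uid/euid:0/0 gid/egid:0/0
"""


@dataclass
class Task:
    path: str
    comm: str
    pid: int
    uid: int
    euid: int
    gid: int
    egid: int


@dataclass
class SignalDenial:
    source: str                    # the "From <host>" field
    role: str                      # role name, e.g. "root"
    role_type: str                 # role type letter, e.g. "U"
    subject: str                   # subject of the *sending* process
    sig: int
    target: Task
    target_parent: Task
    sender: Task
    sender_parent: Optional[Task]  # None when the line was cut off


def _task_re(p: str) -> str:
    """Regex for one 'path[comm:pid] uid/euid:a/b gid/egid:c/d' task, groups prefixed with p."""
    return (rf"(?P<{p}path>\S+?)\[(?P<{p}comm>[^:\]]+):(?P<{p}pid>\d+)\] "
            rf"uid/euid:(?P<{p}uid>\d+)/(?P<{p}euid>\d+) "
            rf"gid/egid:(?P<{p}gid>\d+)/(?P<{p}egid>\d+)")


# Field order assumed from the lines on this page; the sender's parent is
# optional so a truncated line (as in the post) still parses.
LINE_RE = re.compile(
    r"grsec: From (?P<src>\S+): "
    r"\((?P<role>[^:)]+):(?P<rtype>[^:)]+):(?P<subject>[^)]+)\) "
    r"Attempted send of signal (?P<sig>\d+) to protected task "
    + _task_re("t_") + r", parent " + _task_re("tp_")
    + r" by " + _task_re("s_")
    + r"(?:, parent(?: " + _task_re("sp_") + r")?)?"
)


def _task(m: "re.Match", p: str) -> Task:
    g = m.group
    return Task(g(p + "path"), g(p + "comm"), int(g(p + "pid")),
                int(g(p + "uid")), int(g(p + "euid")),
                int(g(p + "gid")), int(g(p + "egid")))


def parse_line(line: str) -> Optional[SignalDenial]:
    m = LINE_RE.search(line)
    if not m:
        return None
    sender_parent = _task(m, "sp_") if m.group("sp_pid") else None
    return SignalDenial(m.group("src"), m.group("role"), m.group("rtype"),
                        m.group("subject"), int(m.group("sig")),
                        _task(m, "t_"), _task(m, "tp_"), _task(m, "s_"),
                        sender_parent)


def signal_name(n: int) -> str:
    # Numbers are architecture-specific; the signal module reports the host's.
    if n == 0:
        return "0 (null signal: existence probe, nothing delivered)"
    try:
        return signal.Signals(n).name
    except ValueError:
        return f"signal {n}"


def classify(ev: SignalDenial) -> str:
    """Relation between sender and target, from the PIDs in the line alone."""
    if ev.sender.pid == ev.target.pid:
        return "self"                 # the process signalled its own PID
    if ev.sender_parent is not None and ev.sender_parent.pid == ev.target_parent.pid:
        return "sibling"              # both children of the same parent
    if ev.sender.path == ev.target.path:
        return "same-binary"
    return "other"


def summarize(log_text: str) -> list:
    rows = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        rows.append({
            "subject": ev.subject,
            "signal": signal_name(ev.sig),
            "relation": classify(ev),
            "sender": f"{ev.sender.comm}[{ev.sender.pid}] euid={ev.sender.euid}",
            "target": f"{ev.target.comm}[{ev.target.pid}] euid={ev.target.euid}",
            "same_binary": ev.sender.path == ev.target.path,
            "truncated": ev.sender_parent is None,
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Run over the post's lines, the summary shows the first two denials as sshd PID 9823 sending SIGHUP and then SIGCONT to PID 9823 itself, and the third as proftpd PID 31797 (euid 104) sending the null signal to proftpd PID 24513, both spawned by inetd PID 12887, i.e. a process existence check between two sessions of the same service.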

