[grsec] weird behavior: grsec and MailScanner

Dmitry Golubev dmitry at mikrotik.com
Thu Nov 4 06:08:50 EST 2004 

Hello,

I am a little bit confused. I have 2.6.26 with grsec 2.0 (yeah, pre-last versions :). 
I have enabled "Protect outside processes", and everything seemed correct until I
discovered a strange thing that is only applies to MailScanner processes - they are
shown regardless of whether I am in the chroot they are created or outside, or in
an another chroot.

I have started Mailscanner, exim and syslogd in /beta/mail chroot. This is a part
of "ps -axuf" outside chroots (this one is correct):

...
root     23052  0.0  0.0  1544  600 ?        Ss   Nov02   1:57 /sbin/syslogd
Debian-  27929  0.0  0.1 19812 1808 ?        SNs  Nov02   0:00 /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner
Debian-  22431  0.4  4.0 101028 41864 ?      SN   09:32   0:51  \_ /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner
Debian-  14652  0.0  0.0     0    0 ?        ZN   12:32   0:00  |   \_ [MailScanner] <defunct>
Debian-  14817  0.4  4.2 101288 43584 ?      SN   09:33   0:52  \_ /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner
Debian-   8520  0.6  0.0     0    0 ?        ZN   12:35   0:00  |   \_ [MailScanner] <defunct>
Debian-  21526  0.4  3.0 101240 31792 ?      SN   09:34   0:49  \_ /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner
Debian-  27477  0.7  0.0     0    0 ?        ZN   12:35   0:00  |   \_ [MailScanner] <defunct>
Debian-   7329  0.4  3.2 101084 33812 ?      SN   09:34   0:52  \_ /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner
Debian-  13426  0.6  0.0     0    0 ?        ZN   12:35   0:00  |   \_ [MailScanner] <defunct>
Debian-  28015  0.0  6.7 101100 69428 ?      SN   12:36   0:00  |   \_ /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner
Debian-  12242  0.4  4.3 101516 44872 ?      SN   09:37   0:50  \_ /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner
Debian-  26495  0.3  0.0     0    0 ?        ZN   12:35   0:00  |   \_ [MailScanner] <defunct>
Debian-  11153  0.4  3.4 101060 35444 ?      SN   09:38   0:45  \_ /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner
Debian-  21361  0.4  3.5 101292 36220 ?      SN   09:40   0:47  \_ /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner
Debian-  23949  0.6  0.0     0    0 ?        ZN   12:35   0:00  |   \_ [MailScanner] <defunct>
Debian-  19138  0.5  3.3 101004 34356 ?      SN   09:42   0:52  \_ /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner
Debian-  14307  1.3  0.0     0    0 ?        ZN   12:35   0:00      \_ [MailScanner] <defunct>
Debian-  21479  0.0  0.1  4208 1340 ?        Ss   Nov02   0:13 /usr/sbin/exim4 -bd -q30m
Debian-  15663  0.0  0.1  4220 1588 ?        S    12:35   0:00  \_ /usr/sbin/exim4 -bd -q30m
Debian-  22051  0.0  0.1  4216 1392 ?        S    12:35   0:00  \_ /usr/sbin/exim4 -bd -q30m
Debian-   1411  0.0  0.1  4216 1472 ?        S    12:36   0:00  \_ /usr/sbin/exim4 -bd -q30m
Debian-  21577  0.0  0.1  4216 1392 ?        S    12:36   0:00  \_ /usr/sbin/exim4 -bd -q30m
root     17101  0.0  0.1  4208 1716 ?        SN   12:35   0:00 /usr/sbin/exim4 -DOUTGOING -Mc 1CPexF-0003ZL-0t
Debian-   8590  0.0  0.1  4212 1772 ?        SN   12:35   0:00  \_ /usr/sbin/exim4 -DOUTGOING -Mc 1CPexF-0003ZL-0t
mailgw:/usr/src/patches# 

Now, this is how /beta/mail is shown (again, correct)

mailgw:/usr/src/patches# chroot /beta/mail/
mailgw:/# ps axuf
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root      3419  0.0  0.1  2580 1428 ?        S    13:00   0:00 /bin/bash -i
root     12851  0.0  0.0  2480  816 ?        R+   13:00   0:00  \_ ps axuf
Debian-  21479  0.0  0.1  4208 1340 ?        Ss   Nov02   0:13 /usr/sbin/exim4 -bd -q30m
Debian-  23400  0.0  0.1  4216 1472 ?        S    12:58   0:00  \_ /usr/sbin/exim4 -bd -q30m
Debian-    204  0.0  0.1  4220 1552 ?        S    13:00   0:00  \_ /usr/sbin/exim4 -bd -q30m
Debian-  29952  0.0  0.1  4216 1392 ?        S    13:00   0:00  \_ /usr/sbin/exim4 -bd -q30m
Debian-  28477  0.0  0.1  4216 1392 ?        S    13:00   0:00  \_ /usr/sbin/exim4 -bd -q30m
Debian-   5464  0.0  0.1  4216 1472 ?        S    13:00   0:00  \_ /usr/sbin/exim4 -bd -q30m
Debian-  27929  0.0  0.1 19812 1812 ?        SNs  Nov02   0:00 /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner
Debian-  22431  0.4  4.1 100968 43228 ?      SN   09:32   0:54  \_ /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner
Debian-  13917  1.0  0.0     0    0 ?        ZN   13:00   0:00  |   \_ [MailScanner] <defunct>
Debian-  14817  0.4  4.3 101288 44620 ?      SN   09:33   0:56  \_ /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner
Debian-  20952  0.4  0.0     0    0 ?        ZN   12:59   0:00  |   \_ [MailScanner] <defunct>
Debian-  21526  0.4  3.1 101236 32784 ?      SN   09:34   0:52  \_ /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner
Debian-  14578  0.1  0.0     0    0 ?        ZN   12:58   0:00  |   \_ [MailScanner] <defunct>
Debian-   7329  0.4  3.3 100972 34956 ?      SN   09:34   0:57  \_ /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner
Debian-  11951  0.4  0.0     0    0 ?        ZN   12:59   0:00  |   \_ [MailScanner] <defunct>
Debian-  12242  0.4  4.4 101516 45728 ?      SN   09:37   0:53  \_ /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner
Debian-   8125  3.2  0.0     0    0 ?        ZN   13:00   0:00  |   \_ [MailScanner] <defunct>
Debian-  11153  0.4  3.5 101060 36244 ?      SN   09:38   0:49  \_ /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner
Debian-  15171  0.1  0.0     0    0 ?        ZN   12:59   0:00  |   \_ [MailScanner] <defunct>
Debian-  21361  0.4  3.5 101292 36932 ?      SN   09:40   0:50  \_ /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner
Debian-  14892  0.3  0.0     0    0 ?        ZN   12:59   0:00  |   \_ [MailScanner] <defunct>
Debian-  19138  0.4  3.4 101004 35320 ?      SN   09:42   0:56  \_ /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner
Debian-  29730  0.2  0.0     0    0 ?        ZN   12:59   0:00      \_ [MailScanner] <defunct>
root     23052  0.0  0.0  1544  600 ?        Ss   Nov02   1:58 /sbin/syslogd
mailgw:/#


But then I go to a completely unrelated chroot (which is not active at all!!! but
/proc is binded there). I can not see any syslogd or exim, but I can see some
of the MailScanner processes:

mailgw:/usr/src/patches# mount
/dev/hda5 on / type reiserfs (rw)
proc on /proc type proc (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,size=0)
/dev/hda1 on /boot type reiserfs (rw)
/dev/nb1 on /beta type reiserfs (rw,acl)
/proc on /beta/newscanner/proc type none (rw,bind)
/proc on /beta/mail/proc type none (rw,bind)
mailgw:/usr/src/patches# chroot /beta/newscanner/
mailgw:/# ps axuf
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
Debian-  31550  0.5  0.0     0    0 ?        ZN   12:36   0:00 [MailScanner] <defunct>
Debian-  22517  0.5  0.0     0    0 ?        ZN   12:36   0:00 [MailScanner] <defunct>
Debian-  26787  1.0  0.0     0    0 ?        ZN   12:36   0:00 [MailScanner] <defunct>
Debian-  15528  0.6  0.0     0    0 ?        ZN   12:36   0:00 [MailScanner] <defunct>
Debian-   8520  0.2  0.0     0    0 ?        ZN   12:35   0:00 [MailScanner] <defunct>
root     21227  0.0  0.1  2560 1356 ?        S    12:36   0:00 /bin/bash -i
root     27754  0.0  0.0  2476  820 ?        R+   12:36   0:00  \_ ps axuf
Debian-  26589  0.6  0.0     0    0 ?        ZN   12:36   0:00 [MailScanner] <defunct>
Debian-  16183  0.9  0.0     0    0 ?        ZN   12:36   0:00 [MailScanner] <defunct>
mailgw:/# exit


Any ideas why does it happen and how to correct this?

Thanks,
Dmitry

More information about the grsecurity mailing list