[grsec] Terminal being sniffed

jnf jnf at nosec.net
Mon Feb 28 18:34:38 EST 2005


Just an idea - programs that don't background correctly (i.e. no setsid() /
no for ( i = 0 ; i < MAX_FD ; close(i++) )) will show up as your terminal
being sniffed because they never released control of the tty.
Chances are, if you have programs that you are running as daemons via:
/path/to/daemon &
And _they_ don't release resources correctly, then it appears to be
sniffing your terminal.

As for the specifics of named and the authend or whatnot, I couldn't tell
you - but chances are quite good that's what the problem is.

You could try to confirm this for yourself by writing a small wrapper for
your daemon that does something like:

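#include <stdio.h>
#include <unistd.h>

int
main( int argc, char **argv, char **envp )
{

  pid_t pid ;
  unsigned int i = 0 ;

  (void) argc ;
  pid = fork() ;

  switch( pid ) {
      case 0:
               /* close every inherited descriptor, including the tty
                * on 0/1/2; done in the child so the parent can still
                * print its messages below
                */
               for( ; i < 1024 ; close(i++)) ;
               /* new session: detach from the controlling terminal */
               setsid() ;
               /* anything else you'd like to do here,
                * i.e. chroot/setreuid/etc
                */
               execve("/path/to/daemon", argv, envp);
               /* only reached if execve() failed */
               _exit(127);
      case -1:
               perror("fork()");
               return -1 ;

      default:
               printf("child fork'd\n");
               return 0 ;
  }
  /* [ ... ] */
}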

And see if the problem disappears, which it probably will, in which case
it's a problem with your daemon/the way you are starting your daemon, not a
problem with grsec - but that's just been my experience, and I suppose it's
possible that it's totally something else - just my 4 pesos.

jnf

--

There are only two choices in life. You either conform the truth to your desire,
or you conform your desire to the truth. Which choice are you making?


On Mon, 28 Feb 2005, Jarek Kajdas wrote:

> Date: Mon, 28 Feb 2005 20:40:53 +0100
> From: Jarek Kajdas <amibios at wp.pl>
> To: grsecurity at grsecurity.net
> Subject: [grsec] Terminal being sniffed
>
> Hi,
>
> Example:
>
> My computer IP: 192.168.1.20 (mapped two SMB drive)
> Other computer IP: 192.168.1.3
> Server IP: 192.168.1.1 (kernel 2.4.29 , grsec 2.1.1)
>
> Grsecurity: enabled
>
>
>
> When I log on first SSH terminal from 192.168.1.20 and then when trying to
> log on to the admin role I have following message:
>
>
>
> The terminal you are using is unsafe for this operation.  Use another
> terminal.
>
> DMESG:
>
> grsec: From 192.168.1.20: (root:U:/sbin/gradm) terminal being sniffed by
> IP:192.168.1.20
> /usr/local/courier/libexec/authlib/authdaemond.mysql[authdaemond.mys:25066],
>
> parent
> /usr/local/courier/libexec/authlib/authdaemond.mysql[authdaemond.mys:1918]
>
> against /sbin/gradm[gradm:475] uid/euid:0/0 gid/egid:0/0, parent
> /bin/bash[bash:16611] uid/euid:0/0 gid/egid:0/0
>
>
>
> When I log on second SSH terminal (then admin role), everything is alright
> When I close first terminal (second is still open) and then I log on (from
> 192.168.1.3) first (trying admin role) I have following message:
>
>
>
> The terminal you are using is unsafe for this operation.  Use another
> terminal.
>
>
>
> DMESG:
>
> grsec: From 192.168.1.3: (root:U:/sbin/gradm) terminal being sniffed by
> IP:192.168.1.20 /usr/sbin/named[named:13641], parent /sbin/init[init:1]
> against /sbin/gradm[gradm:3789] uid/euid:0/0 gid/egid:0/0, parent
> /bin/bash[bash:30387] uid/euid:0/0 gid/egid:0/0
>
>
>
> 3,4 SSH terminal the same effect (sometimes log messages are different),
>
> 4 terminal everything alright.
>
>
>
> I don't understand this, what is going on ?, with kernel 2.4.21, grsec
> 2.0rc2 everything was alright.
>
>
>
> DuDuS

