[grsec] TPE - Apache want to run a picture ?

Gabor Vincze vincze.gabor at interware.co.hu
Thu May 5 04:31:08 EDT 2005


Hey All,

	I've tried this Trusted Path Execution stuff on one of our servers.
I've put www-data group into the untrusted group to prevent attackers
running their scripts being uploaded via some php bugs etc. ...
After turning on TPE, I received a lot of messages like:

grsec: From xx.xxx.184.13: denied executable mmap
of /var/www/xxxx.com/images/spacer.gif
by /usr/sbin/apache-ssl[apache-ssl:257] uid/euid:33/33 gid/egid:33/33,
parent /usr/sbin/apache-ssl[apache-ssl:14121] uid/euid:0/0 gid/egid:0/0
grsec: From xx.xxx.184.13: denied untrusted exec
of /var/www/xxxx.com/images/top.jpg
by /usr/sbin/apache-ssl[apache-ssl:257] uid/euid:33/33 gid/egid:33/33,
parent /usr/sbin/apache-ssl[apache-ssl:14121] uid/euid:0/0 gid/egid:0/0
grsec: From xx.xxx.184.13: denied executable mmap
of /var/www/xxxx.com/images/top.jpg
by /usr/sbin/apache-ssl[apache-ssl:257] uid/euid:33/33 gid/egid:33/33,
parent /usr/sbin/apache-ssl[apache-ssl:14121] uid/euid:0/0 gid/egid:0/0
grsec: From xx.xxx.184.13: denied untrusted exec
of /var/www/xxxx.com/images/narancs_off.gif
by /usr/sbin/apache-ssl[apache-ssl:19805] uid/euid:33/33 gid/egid:33/33,
parent /usr/sbin/apache-ssl[apache-ssl:14121] uid/euid:0/0 gid/egid:0/0
grsec: From xx.xxx.184.13: denied executable mmap
of /var/www/xxxx.com/images/narancs_off.gif
by /usr/sbin/apache-ssl[apache-ssl:19805] uid/euid:33/33 gid/egid:33/33,
parent /usr/sbin/apache-ssl[apache-ssl:14121] uid/euid:0/0 gid/egid:0/0
grsec: From xx.xxx.184.13: denied untrusted exec of /var/www/xxxx.com
/images/piros_off.gif by /usr/sbin/apache-ssl[apache-ssl:19805]
uid/euid:33/33 gid/egid:33/33,
parent /usr/sbin/apache-ssl[apache-ssl:14121] uid/euid:0/0 gid/egid:0/0
grsec: more alerts, logging disabled for 5 seconds

	Think I don't understand how apache works, any idea what the hack is
this?

		Thx and regards,

			Vincus


-- 
-----------------------------------------
Vincze Gabor
rendszermernok
Interware Rt.
H-1132 Budapest, Victor Hugo u. 18-22.
Tel: (1) 452-5300, 06-40-200-166
Mobil: (06-30) 000-0000 
Fax: (1) 452-5301
Email: vincze.gabor at interware.co.hu
www.interware.hu




More information about the grsecurity mailing list