[Vserver] vserver + grsec + gradm problem

2004-03-26 Thread Justinas S.

Hi,

To use vserver+grsec I followed these steps:

1. Extracted new kernel from sources.
2. Patched it as described in http://www.linux-vserver.org/index.php?page=grsecurityHowto
   (patching was ok, with no errors).
3. Compiled that kernel.
4. Downloaded and installed gradm from grsecurity.net.

Weird thing happened after I rebooted to my new kernel:

# gradm -E
# gradm -a
Password:
Could not open /proc/sys/kernel/grsecurity/acl
open: Permission denied

I have never seen this error in grsec kernel without vserver implemented.

I tried to use other grsec+vs patch version from repository of other developer.
This patch is called linux-2.4.25-grsec-vs1.26. But error was the same.

I tried to compile kernels several times differently choosing grsecurity's
kernel settings, but all the same - 'open: Permission denied'
What am I doing wrong? Maybe it's a bug?

(sorry for my poor English)


Re: [Vserver] vserver + grsec + gradm problem

2004-03-28 Thread Marc-Christian Petersen
On Saturday 27 March 2004 04:10, Justinas S. wrote:

Hi Justinas,

> Weird thing happened after I rebooted to my new kernel:
> # gradm -E
> # gradm -a
> Password:
> Could not open /proc/sys/kernel/grsecurity/acl
> open: Permission denied
> I have never seen this error in grsec kernel without vserver
> implemented.
> I tried to use other grsec+vs patch version from repository of other
> developer.
> This patch is called linux-2.4.25-grsec-vs1.26. But error was the same.
> I tried to compile kernels several times differently choosing
> grsecurity's
> kernel settings, but all the same - 'open: Permission denied'
> What am I doing wrong? Maybe it's a bug?

it's a bug you hit using vservers _and_ grsecurity's ACL subsystem.



-- 
ciao, Marc
___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] vserver + grsec + gradm problem

2004-03-28 Thread Sandino Araico Sánchez
Marc-Christian Petersen wrote:

> On Saturday 27 March 2004 04:10, Justinas S. wrote:
>
> Hi Justinas,
>
> > Weird thing happened after I rebooted to my new kernel:
> > # gradm -E
> > # gradm -a
> > Password:
> > Could not open /proc/sys/kernel/grsecurity/acl
> > open: Permission denied
> > I have never seen this error in grsec kernel without vserver
> > implemented.

Are you running gradm in context 0?

> > I tried to use other grsec+vs patch version from repository of other
> > developer.
> > This patch is called linux-2.4.25-grsec-vs1.26. But error was the same.
> > I tried to compile kernels several times differently choosing
> > grsecurity's
> > kernel settings, but all the same - 'open: Permission denied'
> > What am I doing wrong? Maybe it's a bug?
>
> it's a bug you hit using vservers _and_ grsecurity's ACL subsystem.


--
Sandino Araico Sánchez
-- Melón se comió las plumas


Re: [Vserver] vserver + grsec + gradm problem

2004-03-29 Thread Herbert Poetzl
On Mon, Mar 29, 2004 at 08:02:44AM +0200, Marc-Christian Petersen wrote:
> On Saturday 27 March 2004 04:10, Justinas S. wrote:
> 
> Hi Justinas,
> 
> > > Weird thing happened after I rebooted to my new kernel:
> > # gradm -E
> > # gradm -a
> > Password:
> > Could not open /proc/sys/kernel/grsecurity/acl
> > open: Permission denied
> > I have never seen this error in grsec kernel without vserver
> > implemented.
> > I tried to use other grsec+vs patch version from repository of other
> > developer.
> > This patch is called linux-2.4.25-grsec-vs1.26. But error was the same.
> > I tried to compile kernels several times differently choosing
> > grsecurity's
> > kernel settings, but all the same - 'open: Permission denied'
> > > What am I doing wrong? Maybe it's a bug?
> 
> it's a bug you hit using vservers _and_ grsecurity's ACL subsystem.

hmm, please elaborate!

> -- 
> ciao, Marc

TIA,
Herbert



RE: [Vserver] vserver + grsec + gradm problem

2004-03-29 Thread Justinas S.
Hi,

I want to use gradm on main system, not in vserver, but as you can 
see I can't because of this error. I'm successfully running kernel 
with grsec + gradm, but I can't run vserver + grsec + gradm.

Thanks,
Justinas



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sandino Araico Sánchez
Sent: Monday, March 29, 2004 2:12 AM
To: [EMAIL PROTECTED]
Subject: Re: [Vserver] vserver + grsec + gradm problem


Marc-Christian Petersen wrote:

>On Saturday 27 March 2004 04:10, Justinas S. wrote:
>
>Hi Justinas,
>
>  
>
>>Weird thing happened after I rebooted to my new kernel:
>># gradm -E
>># gradm -a
>>Password:
>>Could not open /proc/sys/kernel/grsecurity/acl
>>open: Permission denied
>>I have never seen this error in grsec kernel without vserver 
>>implemented.
>>
>>
Are you running gradm in context 0?

>>I tried to use other grsec+vs patch version from repository of other 
>>developer. This patch is called linux-2.4.25-grsec-vs1.26. But error 
>>was the same. I tried to compile kernels several times differently 
>>choosing grsecurity's
>>kernel settings, but all the same - 'open: Permission denied'
>>What am I doing wrong? Maybe it's a bug?
>>
>>
>
>it's a bug you hit using vservers _and_ grsecurity's ACL subsystem.
>
>
>
>  
>


-- 
Sandino Araico Sánchez
-- Melón se comió las plumas



Re: [Vserver] vserver + grsec + gradm problem

2004-03-29 Thread Lucas Albers
I was under the impression that you were not supposed to use gradm with
vservers?
Incompatible security format, or something?
-- 
Luke Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana



Re: [Vserver] vserver + grsec + gradm problem

2004-03-29 Thread Dariush Pietrzak
> I want to use gradm on main system, not in vserver, but as you can 
> see I can't because of this error. I'm successfully running kernel 
> with grsec + gradm, but I can't run vserver + grsec + gradm.
 and what is strange about that?
(I'm trying to ride a bike, no problem here. I'm trying to drive a car,
still no problem. But when I'm trying to ride a bike+car I get those
mysterious errors).
 It's not that obvious how would you like to merge bike and car, same goes
for grsec and vserver. You can merge those, but since functionality
overlaps you have to decide either to drop one or the other in some places,
or do some merging ( I used to have this car with pedals as a kid, lots of fun,
wouldn't recommend it for production environment though... )

-- 
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9
We're giving you a new chance in life, and an opportunity
 to screw it up in a new, original way.


Re: [Vserver] vserver + grsec + gradm problem

2004-03-29 Thread Sandino Araico Sánchez
Dariush Pietrzak wrote:

> > I want to use gradm on main system, not in vserver, but as you can
> > see I can't because of this error. I'm successfully running kernel
> > with grsec + gradm, but I can't run vserver + grsec + gradm.
>
> and what is strange about that?
> (I'm trying to ride a bike, no problem here. I'm trying to drive a car,
> still no problem. But when I'm trying to ride a bike+car I get those
> mysterious errors).

At the patch level, grsecurity and vserver have been very mixable, I've
had no other problems than the need to reduce chroot restrictions.

I've been trying to reproduce Justinas' problem with gradm but I can't
reproduce it on context 0. It's only reproducible inside a virtual
server, but in such case it's a desirable behaviour.

> It's not that obvious how would you like to merge bike and car, same goes
> for grsec and vserver.

It takes ~1 hour to integrate the .rej files and the resulting patch
looks clean enough.

> You can merge those, but since functionality
> overlaps you have to decide either to drop one or the other in some places,

Functionality overlaps in some places like process visibility, which is
filtered twice, but I've seen no functionality conflicts other than
desirable restrictions inside chroot.

> or do some merging ( I used to have this car with pedals as a kid, lots of fun,
> wouldn't recommend it for production environment though... )


--
Sandino Araico Sánchez
-- Melón se comió las plumas


Re: [Vserver] vserver + grsec + gradm problem

2004-03-29 Thread Sandino Araico Sánchez
Lucas Albers wrote:

> I was under the impression that you were not supposed to use gradm with
> vservers?

The master server can enable/disable /proc/sys/kernel/grsecurity flags
until /proc/sys/kernel/grsecurity/lock is turned on, the chrooted
chcontexted processes inside a vps have no permission to change
/proc/sys/kernel/grsecurity flags at any time.
The master server can set ACL policies, the chrooted chcontexted
processes inside a vps have no permission.
Both master and chrooted chcontexted vps can change chpax flags on an
ELF binary.

> Incompatible security format, or something?

--
Sandino Araico Sánchez
-- Melón se comió las plumas


RE: [Vserver] vserver + grsec + gradm problem

2004-03-29 Thread Justinas S.
Hi Sandino,

Thanks for your reply. Do you have any suggestions how I can
solve my problem?

More details:

After (on main system - not vserver, after building kernel, compiling gradm and rebooting)
# gradm -E
# gradm -a
Password:
Could not open /proc/sys/kernel/grsecurity/acl
open: Permission denied

Kernel log shows this:
Mar 30 09:31:47 alus2 kernel: grsec: From 192.168.1.2: use of CAP_SYS_ADMIN denied for (gradm:1374) UID(0) EUID(0), parent (bash:706) UID(0) EUID(0)
(why it's denied? It never happens in grsec+gradm only)

I used 2 different patches of vs+grsec: 
http://www.sandino.net/parches/vserver/linux-2.4.25-grsec-1.9.14-vserver-1.26.patch.gz
http://www.firehead.org/~jeffrey/linux-vserver/grsecurity-1.9.14-2.4.25-vs1.26.patch
and message was the same.

Dariush Pietrzak, by your words it's impossible to use vs+grsec with
gradm on main system? Why then there are some patches vs+grsec?
I think it's very important to use ACL system - not only default grsec
restrictions provided by kernel configuration. I DO NOT try to use
gradm on vserver, just in main system. But there is a problem. That's
why I am asking for help.


Thanks,
Justinas


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sandino Araico Sánchez
Sent: Monday, March 29, 2004 9:17 PM
To: [EMAIL PROTECTED]
Subject: Re: [Vserver] vserver + grsec + gradm problem


Dariush Pietrzak wrote:

>>I want to use gradm on main system, not in vserver, but as you can
>>see I can't because of this error. I'm successfully running kernel 
>>with grsec + gradm, but I can't run vserver + grsec + gradm.
>>
>>
> and what is strange about that?
>(I'm trying to ride a bike, no problem here. I'm trying to drive a car, 
>still no problem. But when I'm trying to ride a bike+car I get those 
>mysterious errors).
>  
>
At the patch level, grsecurity and vserver have been very mixable, I've 
had no other problems than the need to reduce chroot restrictions.

I've been trying to reproduce Justinas' problem with gradm but I can't 
reproduce it on context 0. It's only reproducible inside a virtual 
server, but in such case it's a desirable behaviour.

> It's not that obvious how would you like to merge bike and car, same 
>goes for grsec and vserver.
>
It takes ~1 hour to integrate the .rej files and the resulting patch 
looks clean enough.

>You can merge those, but since functionality
>overlaps you have to decide either to drop one or the other in some 
>places,
>  
>
Functionality overlaps in some places like process visibility, which is 
filtered twice, but I've seen no functionality conflicts other than 
desirable restrictions inside chroot.

>or do some merging ( I used to have this car with pedals as a kid, lots 
>of fun, wouldn't recommend it for production environment though... )
>
>  
>


-- 
Sandino Araico Sánchez
-- Melón se comió las plumas



Re: [Vserver] vserver + grsec + gradm problem

2004-03-30 Thread Dariush Pietrzak
> Dariush Pietrzak, by your words it's impossible to use vs+grsec with
> gradm on main system? Why then there are some patches vs+grsec?
 And why did I drive the car with pedals?
Because it's fun. Oh, and you get great mpg, although I never drove it
more than a mile or so. 

-- 
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9
We're giving you a new chance in life, and an opportunity
 to screw it up in a new, original way.


Re: [Vserver] vserver + grsec + gradm problem

2004-03-30 Thread Sandino Araico Sánchez
Justinas S. wrote:

> Hi Sandino,
>
> Thanks for your reply. Do you have any suggestions how I can
> solve my problem?
> More details:
>
> After (on main system - not vserver, after building kernel, compiling gradm and rebooting)
> # gradm -E
> # gradm -a
> Password:
> Could not open /proc/sys/kernel/grsecurity/acl
> open: Permission denied
> Kernel log shows this:
> Mar 30 09:31:47 alus2 kernel: grsec: From 192.168.1.2: use of CAP_SYS_ADMIN denied for (gradm:1374) UID(0) EUID(0), parent (bash:706) UID(0) EUID(0)
> (why it's denied? It never happens in grsec+gradm only)

I have not much experience with ACLs but seems like you are dropping the 
CAP_SYS_ADMIN capability at some point.

> I used 2 different patches of vs+grsec:
> http://www.sandino.net/parches/vserver/linux-2.4.25-grsec-1.9.14-vserver-1.26.patch.gz
> http://www.firehead.org/~jeffrey/linux-vserver/grsecurity-1.9.14-2.4.25-vs1.26.patch
> and message was the same.

--
Sandino Araico Sánchez
-- Melón se comió las plumas
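
One way to test the "dropped CAP_SYS_ADMIN" guess in the message above, as an added example that is not part of the thread or of grsecurity/vserver code: it parses the denial line in the format Justinas posted and checks the denied capability's bit in a CapEff mask taken from /proc/<pid>/status. The function names and the two status excerpts are constructed for illustration.

```python
import re

# Bit numbers from <linux/capability.h>; only the ones this example needs.
CAP_BITS = {"CAP_SYS_CHROOT": 18, "CAP_SYS_ADMIN": 21}

# Denial line format as posted in the thread.
DENIAL_RE = re.compile(
    r"grsec: (?:From (?P<src>\S+): )?use of (?P<cap>CAP_[A-Z_]+) denied for "
    r"\((?P<comm>[^:)]+):(?P<pid>\d+)\) UID\((?P<uid>\d+)\) EUID\((?P<euid>\d+)\)"
)

# Constructed samples: the log line is the one from the thread; the two
# /proc/<pid>/status excerpts are made up for illustration.
LOG = ("Mar 30 09:31:47 alus2 kernel: grsec: From 192.168.1.2: use of "
       "CAP_SYS_ADMIN denied for (gradm:1374) UID(0) EUID(0), "
       "parent (bash:706) UID(0) EUID(0)")
STATUS_FULL = "Name:\tbash\nCapPrm:\t00000000fffffeff\nCapEff:\t00000000fffffeff\n"
STATUS_DROPPED = "Name:\tbash\nCapPrm:\t00000000ffdfffff\nCapEff:\t00000000ffdfffff\n"


def parse_cap_denial(line):
    """Return the fields of a grsec capability-denial line, or None."""
    m = DENIAL_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("pid", "uid", "euid"):
        fields[key] = int(fields[key])
    return fields


def cap_eff(status_text):
    """Effective capability mask from /proc/<pid>/status text, or None."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.MULTILINE)
    return int(m.group(1), 16) if m else None


def denied_cap_in_effective_set(line, status_text):
    """(capability, held?) for a denial line; None if an input is unparsable."""
    fields, mask = parse_cap_denial(line), cap_eff(status_text)
    if fields is None or mask is None or fields["cap"] not in CAP_BITS:
        return None
    return fields["cap"], bool(mask >> CAP_BITS[fields["cap"]] & 1)


if __name__ == "__main__":
    for name, status in (("full", STATUS_FULL), ("dropped", STATUS_DROPPED)):
        print(name, denied_cap_in_effective_set(LOG, status))
```

On a live system the status text would come from /proc/<pid>/status of the process being checked; a result of `True` means the bit is still in the effective set, so the capability was not dropped from the process itself.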


RE: [Vserver] vserver + grsec + gradm problem

2004-03-30 Thread Justinas S.
Heh, normally it's not needed to add +CAP_SYS_ADMIN to gradm, even it's not
needed to set up ACLs for gradm at all. Because they are added by default and
/sbin/gradm record in acls will return an error reporting about double definitions
of /sbin/gradm. Seems I got stuck :)



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sandino Araico Sánchez
Sent: Tuesday, March 30, 2004 2:27 PM
To: [EMAIL PROTECTED]
Subject: Re: [Vserver] vserver + grsec + gradm problem


Justinas S. wrote:

>Hi Sandino,
>
>Thanks for your reply. Do you have any suggestions how I can solve my 
>problem?
>
>More details:
>
>After (on main system - not vserver, after building kernel, compiling
>gradm and rebooting)
># gradm -E
># gradm -a
>Password:
>Could not open /proc/sys/kernel/grsecurity/acl
>open: Permission denied
>
>Kernel log shows this:
>Mar 30 09:31:47 alus2 kernel: grsec: From 192.168.1.2: use of CAP_SYS_ADMIN denied for (gradm:1374) UID(0) EUID(0), parent (bash:706) UID(0) EUID(0)
>(why it's denied? It never happens in grsec+gradm only)
>  
>
I have not much experience with ACLs but seems like you are dropping the 
CAP_SYS_ADMIN capability at some point.

>I used 2 different patches of vs+grsec:
>http://www.sandino.net/parches/vserver/linux-2.4.25-grsec-1.9.14-vserver-1.26.patch.gz
>http://www.firehead.org/~jeffrey/linux-vserver/grsecurity-1.9.14-2.4.25-vs1.26.patch
>and message was the same.
>
>  
>
>>
>>
>
>
>  
>


-- 
Sandino Araico Sánchez
-- Melón se comió las plumas
