shimon n00b
Joined: 12 Mar 2005 Posts: 16
|
Posted: Sun Sep 17, 2006 8:40 pm Post subject: grsec: denied untrusted exec of ... |
|
|
Hello,
I just migrated to kernel-2.6, I used hardened sources and grsecurity (this is my first time with both). Now I'm having problems with my system. I can't run scripts saved in my /home partition. It says:
Code: |
grsec: denied untrusted exec of /home/***/scripts/my_script.sh by /bin/bash[bash:9402] uid/euid:502/502 gid/egid:100/100, parent /bin/bash[bash:16337] uid/euid:502/502 gid/egid:100/100
-su: /home/***/scripts/my_script.sh: /bin/bash: bad interpreter: Permission denied
|
And it's happening not only with /home resident scripts, it also happens with /usr: mailman can't use certain codecs:
Code: |
grsec: denied untrusted exec of /usr/local/mailman/pythonlib/japanese/c/_japanese_codecs.so by /usr/bin/python2.2[python:15853] uid/euid:280/280 gid/egid:280/280, parent /usr/bin/cron[cron:32466] uid/euid:0/0 gid/egid:0/0
|
/usr is also another partition.
I tried using "defaults" as the fstab option to mount /home and /usr as suggested by https://forums.gentoo.org/viewtopic.php?p=873840 but it doesn't help at all. The last post of that thread comments on writing the options after user/s but I truly don't know what it means, and as it says, the options are reset to ones I don't want.
Thank you all for your help. |
Acronis n00b
Joined: 09 Jun 2005 Posts: 46
|
Posted: Tue Mar 25, 2008 9:12 am Post subject: |
|
|
I have the same problem. Is there any solution for this problem? |
schachti Advocate
Joined: 28 Jul 2003 Posts: 3765 Location: Gifhorn, Germany
|
Posted: Tue Mar 25, 2008 10:07 am Post subject: |
|
|
Did you enable CONFIG_GRKERNSEC_TPE? I think TPE is causing your problem... _________________ Never argue with an idiot. He brings you down to his level, then beats you with experience.
How-To: Store data encrypted on DVD. |
Acronis n00b
Joined: 09 Jun 2005 Posts: 46
|
Posted: Wed Mar 26, 2008 11:12 am Post subject: |
|
|
yes
I have the following settings
kernel.grsecurity.tpe = 1
kernel.grsecurity.tpe_gid = 1234
What should I do now?
The user must have the same gid as the TPE gid? |
schachti Advocate
Joined: 28 Jul 2003 Posts: 3765 Location: Gifhorn, Germany
|
Posted: Wed Mar 26, 2008 11:39 am Post subject: |
|
|
It depends on whether CONFIG_GRKERNSEC_TPE_ALL and/or CONFIG_GRKERNSEC_TPE_INVERT are set. |
Acronis n00b
Joined: 09 Jun 2005 Posts: 46
|
Posted: Wed Mar 26, 2008 1:43 pm Post subject: |
|
|
/boot/config:CONFIG_GRKERNSEC_TPE_INVERT=y
/boot/config:CONFIG_GRKERNSEC_TPE_ALL=y
hmm |
schachti Advocate
Joined: 28 Jul 2003 Posts: 3765 Location: Gifhorn, Germany
|
Posted: Wed Mar 26, 2008 2:01 pm Post subject: |
|
|
Acronis wrote: | /boot/config:CONFIG_GRKERNSEC_TPE_INVERT=y
/boot/config:CONFIG_GRKERNSEC_TPE_ALL=y
|
In this case, your user has to be a member of the group given by the option CONFIG_GRKERNSEC_TPE_GID (1234 in your case?). This is well explained in the help text in the kernel config. |
Acronis n00b
Joined: 09 Jun 2005 Posts: 46
|
Posted: Thu Mar 27, 2008 3:31 pm Post subject: |
|
|
/etc/group
testgroup:x:1234:testuser
I have added the user testuser into the group testgroup but it doesn't work. |
mikb Tux's lil' helper
Joined: 14 Dec 2005 Posts: 124 Location: Sydney Australia
|
Posted: Tue Jun 03, 2008 7:08 am Post subject: |
|
|
Acronis wrote: | /etc/group
testgroup:x:1234:testuser
I have added the user testuser into the group testgroup but it doesn't work. |
Didn't work for me either - I had to use sysctl to change kernel.grsecurity.tpe to 0.
Then my personal scripts worked.
Someone else described this as "well explained". I don't think so. Well explained would include documentation on tuning it to allow fairly normal things - like personal scripts. _________________ With sufficient thrust, pigs fly just fine (RFC 1925, apparently talking about Gentoo) |
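A model of the TPE check discussed in the posts above, added here as an example; it is not code from the thread or from grsecurity. It follows the rules given in the kernel config help for GRKERNSEC_TPE, TPE_ALL and TPE_INVERT. The function names, parameters, and the directory owners and modes in the sample cases are assumptions.

```python
import os
import stat

def tpe_decision(uid, gids, dir_uid, dir_mode, tpe, tpe_gid, invert, tpe_all):
    """Model of the TPE exec check; returns (allowed, reason).

    dir_uid/dir_mode describe the directory that holds the file being executed.
    gids are the groups of the running process (what `id -G` prints in that
    session); a new /etc/group entry only shows up there after a fresh login.
    """
    if uid == 0 or not tpe:
        return True, "root, or kernel.grsecurity.tpe = 0"
    loose_dir = bool(dir_mode & (stat.S_IWGRP | stat.S_IWOTH))
    member = tpe_gid in set(gids)
    # Without INVERT, tpe_gid marks untrusted users; with INVERT it marks the
    # trusted ones and everybody else gets the full restriction.
    restricted = (not member) if invert else member
    if restricted and (dir_uid != 0 or loose_dir):
        return False, "full TPE: directory not root-owned or group/world-writable"
    # TPE_ALL: weaker rule for every non-root user, trusted group included.
    if tpe_all and (dir_uid not in (0, uid) or loose_dir):
        return False, "TPE_ALL: directory owned by another user or group/world-writable"
    return True, "trusted path"

def check_path(path, tpe, tpe_gid, invert, tpe_all):
    """Apply the model to a real file for the current process."""
    st = os.stat(os.path.dirname(os.path.abspath(path)))
    gids = set(os.getgroups()) | {os.getegid()}
    return tpe_decision(os.getuid(), gids, st.st_uid, st.st_mode,
                        tpe, tpe_gid, invert, tpe_all)

if __name__ == "__main__":
    # Constructed cases using the uid/gid values from the log lines in the thread;
    # the directory owners and modes are assumed, the thread does not give them.
    cfg = dict(tpe=True, tpe_gid=1234, invert=True, tpe_all=True)
    cases = [
        ("uid 502, not in 1234, own 0755 dir", 502, [100], 502, 0o755),
        ("uid 502, in 1234, own 0755 dir", 502, [100, 1234], 502, 0o755),
        ("uid 502, in 1234, own 0775 dir", 502, [100, 1234], 502, 0o775),
        ("uid 280, not in 1234, root 0755 dir", 280, [280], 0, 0o755),
    ]
    for label, uid, gids, d_uid, d_mode in cases:
        print(label, "->", tpe_decision(uid, gids, d_uid, d_mode, **cfg))
```

Pass `check_path` the values from `sysctl kernel.grsecurity` and the CONFIG_GRKERNSEC_TPE_* lines in the kernel config to see which of the two rules a given script's directory fails.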