plice Tux's lil' helper
Joined: 09 Nov 2009 Posts: 84 Location: Poland
|
Posted: Tue Mar 25, 2014 6:25 am Post subject: grsec denied RWX - plex |
|
|
Hi,
I've installed plex from overlay and tried to run it, but it crashes:
[1010112.246172] grsec: From xx.xxx.xx: denied RWX mprotect of <anonymous mapping> by /usr/lib/plexmediaserver/Plex Media Server[Plex Media Serv:5990] uid/euid:110/110 gid/egid:103/103, parent /usr/sbin/start_pms[start_pms:5989] uid/euid:110/110 gid/egid:103/103
How do I fix it?
Thank you. |
|
|
|
Tractor Girl Apprentice
Joined: 16 May 2013 Posts: 159
|
Posted: Tue Mar 25, 2014 11:39 am Post subject: |
|
|
Try to disable mprotect for the binary that causes the problem:
Code:
paxctl-ng -m /usr/bin/some_binary
This decreases protection, but with some poorly written programs there's no other choice. |
|
|
|
SirRobin2318 Apprentice
Joined: 24 Apr 2004 Posts: 241 Location: Strasbourg, france.
|
Posted: Tue Mar 25, 2014 12:18 pm Post subject: |
|
|
I haven't used grsec in a looong while, so I'm genuinely asking the question: did you run gradm in learn mode and run plex?
I know gradm will generate the rbac rules for file access, curious to know if it would also detect that the program needs a stack with write & execute. |
|
|
|
plice Tux's lil' helper
Joined: 09 Nov 2009 Posts: 84 Location: Poland
|
Posted: Wed Mar 26, 2014 1:51 pm Post subject: |
|
|
Hi,
yes, I've tried -m option and I did the 'learning' process. Still got issues. I think it's actually plex and not the pax :/
edit:
looks like plex doesn't have headers: "If you run grsecurity you're going to need to create new headers and except them otherwise you'll run into all sorts of library update issues." Few people managed to get around it.
Any help would be useful
thank you
Last edited by plice on Wed Mar 26, 2014 2:10 pm; edited 1 time in total |
|
|
|
SirRobin2318 Apprentice
Joined: 24 Apr 2004 Posts: 241 Location: Strasbourg, france.
|
Posted: Wed Mar 26, 2014 2:01 pm Post subject: |
|
|
You could try to build a kernel without grsec to see if plex is the sole issue. |
|
|
|
plice Tux's lil' helper
Joined: 09 Nov 2009 Posts: 84 Location: Poland
|
Posted: Wed Mar 26, 2014 2:28 pm Post subject: |
|
|
got it.
It doesn't have headers, BUT paxctl -c /bin/path will create them
then paxctl -m /bin/path
I had to do it for all of the following files (maybe it will help somebody else):
in /usr/lib/plexmediaserver
Plex DLNA Server
Plex Media Scanner
Plex Media Server
and
/usr/lib/plexmediaserver/Resources
Plex New Transcoder
Plex Transcoder
Plex Installed versions: 0.9.9.7^m is up and running (well, at least the process starts up and the webui works, dunno if it all will work)
thnx guys
Edit:
had to do /usr/lib/plexmediaserver/Resources/Python/bin/python as well, otherwise it won't set libraries.
I've tested the server with a TV ... works like a charm |
|
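Added example (not part of the original thread, and not code from grsecurity or Plex): a Python parser for the "denied RWX mprotect" line quoted in the first post, which lists the executables that triggered denials so each one can be reviewed before its MPROTECT flag is relaxed. Treating the "From <address>:" prefix as optional is an assumption about the log format; every sample line except the first is constructed.

```python
import re
from collections import Counter

# grsec "denied RWX mprotect" line. The "From <addr>: " prefix is treated as
# optional (assumption). Executable paths may contain spaces, so the path is
# matched lazily up to the "[comm:pid]" suffix.
DENIAL = re.compile(
    r"grsec: (?:From (?P<src>\S+): )?denied RWX mprotect of (?P<target>.+?) by "
    r"(?P<exe>/.+?)\[(?P<comm>[^\]]*):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:\d+/\d+, "
    r"parent (?P<parent>/.+?)\[[^\]]*:(?P<ppid>\d+)\]"
)

IDS = " uid/euid:110/110 gid/egid:103/103"
PMS = "/usr/lib/plexmediaserver/Plex Media Server[Plex Media Serv:5990]" + IDS
START = ", parent /usr/sbin/start_pms[start_pms:5989]" + IDS
SAMPLE = [
    # Line quoted in the first post of the thread.
    "[1010112.246172] grsec: From xx.xxx.xx: denied RWX mprotect of "
    "<anonymous mapping> by " + PMS + START,
    # Constructed lines: no "From" prefix, a child binary, a repeat, unrelated noise.
    "[1010113.000001] grsec: denied RWX mprotect of <anonymous mapping> by "
    "/usr/lib/plexmediaserver/Plex Media Scanner[Plex Media Scan:6001]"
    + IDS + ", parent " + PMS,
    "[1010115.500000] grsec: denied RWX mprotect of <anonymous mapping> by "
    + PMS + START,
    "[1010116.000002] usb 1-1: new high-speed USB device number 3 using ehci-pci",
]


def rwx_denials(lines):
    """Yield one dict of named fields per 'denied RWX mprotect' line."""
    for line in lines:
        m = DENIAL.search(line)
        if m:
            yield m.groupdict()


def binaries_needing_review(lines):
    """Return (executable path, denial count) pairs, most frequent first."""
    return Counter(d["exe"] for d in rwx_denials(lines)).most_common()


if __name__ == "__main__":
    for exe, count in binaries_needing_review(SAMPLE):
        print(f"{count:3d}  {exe}")
```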
|
|
Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
|
Posted: Thu Mar 27, 2014 1:39 am Post subject: |
|
|
As Tractor Girl noted, this is a possibly intentional defect in Plex. Running a process with RWX mappings is never a good idea for security, so if possible, this should be changed not to require a RWX mapping. |
|
|
|
Tractor Girl Apprentice
Joined: 16 May 2013 Posts: 159
|
|
|
|
|