Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in

  FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register

[solved]grsec: "denied untrusted exec" but I am in the group
 View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3744
Location: Hamburg
PostPosted: Thu Dec 11, 2014 11:06 am    Post subject: [solved]grsec: "denied untrusted exec" but I am in Reply with quote
or ?

This is the message :
Code:
Dec 11 11:27:21 tor-relay kernel: grsec: From 80.171.150.25: denied untrusted exec (due to being in untrusted group and file in non-root-owned directory) of /home/tfoerste/mask by /home/tfoerste/mask[bash:26398] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:26101] uid/euid:1000/1000 gid/egid:1000/1000

Here's the group:
Code:
# zgrep CONFIG_GRKERNSEC_TPE_GID /proc/config.gz
CONFIG_GRKERNSEC_TPE_GID=100
and I do belong to :
Code:
# id tfoerste
uid=1000(tfoerste) gid=1000(tfoerste) groups=1000(tfoerste),10(wheel),18(audio),100(users),250(portage),16(cron),120(crontab),1002(fate),1003(tinderbox)

Update: hhm, b/c teh same works at a hardened system with CONFIG_GRKERNSEC_CONFIG_DESKTOP=y I do assume, it has something to do with CONFIG_GRKERNSEC_CONFIG_SERVER=y and CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=100 ?

Last edited by toralf on Thu Dec 11, 2014 4:18 pm; edited 1 time in total
Back to top
View user's profile Send private message
mv
Watchman
Watchman


Joined: 20 Apr 2005
Posts: 6299
PostPosted: Thu Dec 11, 2014 3:09 pm    Post subject: Reply with quote
It may be that TPE is inverted, that is that you are subject to the restricion only if you are a member of GID=100.
I forgot the name of htis kernel option (something with "INVERT" probably).

Last edited by mv on Thu Dec 11, 2014 3:22 pm; edited 1 time in total
Back to top
View user's profile Send private message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3744
Location: Hamburg
PostPosted: Thu Dec 11, 2014 3:21 pm    Post subject: Reply with quote
CONFIG_GRKERNSEC_TPE_INVERT - yep, that was it, but if I choosed that, I got much more new trouble at other places than before, ok, so I have to prepend my shell script calls with /bin/sh and it works
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



 Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org

Copyright 2001-2020 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p11 © 2001, 2002 phpBB Group
Privacy Policy