Gentoo Forums
[SOLVED] Hardened + Python 2 as normal user
Tatsh
Apprentice


Joined: 22 Jul 2007
Posts: 178

Posted: Sat Mar 07, 2015 8:45 am    Post subject: [SOLVED] Hardened + Python 2 as normal user

I am getting this error when non-root:

Code:

$ python2
Python 2.7.9 (default, Mar  7 2015, 00:25:13)
[GCC 4.8.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import datetime
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: /usr/lib64/python2.7/lib-dynload/datetime.so: failed to map segment from shared object: Permission denied


Compare with Python 3 which is the system Python:

Code:

$ python
Python 3.3.5 (default, Feb 21 2015, 20:13:03)
[GCC 4.8.3] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import datetime


I thought rebuilding might have been a solution but it appears any 2.7 binary module will just not load.

From the system log:

Quote:
Mar 07 00:40:57 tatsh kernel: grsec: From 192.168.1.136: denied untrusted exec (due to being in untrusted group and file in non-root-owned directory) of /usr/lib64/python2.7/lib-dynload/datetime.so


Is there a solution besides joining the trusted group?


Last edited by Tatsh on Mon Mar 09, 2015 10:24 am; edited 1 time in total
Apheus
Guru


Joined: 12 Jul 2008
Posts: 418

Posted: Sat Mar 07, 2015 11:39 am

Check the ownership and permissions of /usr/lib64/python2.7/lib-dynload/datetime.so

Execution of code from files/directories not writable by the user should be allowed. I have hardened-sources and TPE too, and "import datetime" works for me.

Code:
$ ls -l /usr/lib64/python2.7/lib-dynload/datetime.so
-rwxr-xr-x 1 root root 116368 28. Dez 18:35 /usr/lib64/python2.7/lib-dynload/datetime.so

$ ls -ld /usr/lib64/python2.7/lib-dynload/
drwxr-xr-x 1 root root 1484 28. Dez 18:36 /usr/lib64/python2.7/lib-dynload/
Tatsh
Apprentice


Joined: 22 Jul 2007
Posts: 178

Posted: Mon Mar 09, 2015 10:20 am

Apheus wrote:
Check the ownership and permissions of /usr/lib64/python2.7/lib-dynload/datetime.so

Execution of code from files/directories not writable by the user should be allowed. I have hardened-sources and TPE too, and "import datetime" works for me.

Code:
$ ls -l /usr/lib64/python2.7/lib-dynload/datetime.so
-rwxr-xr-x 1 root root 116368 28. Dez 18:35 /usr/lib64/python2.7/lib-dynload/datetime.so

$ ls -ld /usr/lib64/python2.7/lib-dynload/
drwxr-xr-x 1 root root 1484 28. Dez 18:36 /usr/lib64/python2.7/lib-dynload/


Thanks. That fixed it. I have no idea why the ownership on /usr/lib64/python2.7/lib-dynload/ was set to tatsh:tatsh. I set it to root:root and now no issues.
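
Added example, not part of any post in the thread: a shell check that applies the rule from the grsec log line (the directory holding the file must be owned by root) to every directory under a tree that contains a .so file. The function names are made up here, GNU stat is assumed, and the group- and world-writable checks are an assumption that goes beyond the one reason the log shows.

```shell
#!/bin/sh
# Added example. Classify the directory that holds a file, using the wording
# of the grsec TPE log line quoted in the thread.

# tpe_verdict UID MODE -> prints a verdict for a directory.
# UID and MODE are the values GNU `stat -c '%u %a'` prints (MODE is octal).
# The two writable checks are an assumption based on the reply's remark about
# directories "not writable by the user"; only the owner rule is in the log.
tpe_verdict() {
    tv_mode=$((0$2))                      # leading 0 makes the shell read octal
    if [ "$1" -ne 0 ]; then
        echo "non-root-owned directory"
    elif [ $((tv_mode & 0002)) -ne 0 ]; then
        echo "world-writable directory"
    elif [ $((tv_mode & 0020)) -ne 0 ]; then
        echo "group-writable directory"
    else
        echo "ok"
    fi
}

# tpe_check_file FILE -> prints "<verdict>: <dir> (uid=N mode=M)".
# Returns 0 when the directory passes, 1 when it does not, 2 if stat fails.
tpe_check_file() {
    tc_dir=$(dirname "$1")
    tc_stat=$(stat -c '%u %a' "$tc_dir") || return 2
    tc_uid=${tc_stat% *}
    tc_mode=${tc_stat#* }
    tc_verdict=$(tpe_verdict "$tc_uid" "$tc_mode")
    echo "$tc_verdict: $tc_dir (uid=$tc_uid mode=$tc_mode)"
    [ "$tc_verdict" = "ok" ]
}

# tpe_audit_tree ROOT -> one line per directory under ROOT that contains a
# *.so file and fails the check; prints nothing when every directory passes.
tpe_audit_tree() {
    find "$1" -type f -name '*.so' 2>/dev/null |
    while IFS= read -r ta_file; do tpe_check_file "$ta_file" || :; done |
    grep -v '^ok: ' | sort -u
}

# Stand-alone use (hypothetical script name): ./tpe-check.sh /usr/lib64/python2.7
if [ "$#" -gt 0 ]; then
    for root in "$@"; do tpe_audit_tree "$root"; done
fi
```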
All times are GMT