
From: Justinas S. (pollar_at_alus.dokeda.lt)
Date: Tue 30 Mar 2004 - 18:48:17 BST


Hi Sandino,

Thanks for your reply. Do you have any suggestions how I can
solve my problem?

More details:

After (on main system - not vserver, after building kernel, compiling gradm and rebooting)
# gradm -E
# gradm -a
Password:
Could not open /proc/sys/kernel/grsecurity/acl
open: Permission denied

Kernel log shows this:
Mar 30 09:31:47 alus2 kernel: grsec: From 192.168.1.2: use of CAP_SYS_ADMIN denied for (gradm:1374) UID(0) EUID(0), parent (bash:706) UID(0) EUID(0)
(why is it denied? It never happens in grsec+gradm only)

I used 2 different patches of vs+grsec:
http://www.sandino.net/parches/vserver/linux-2.4.25-grsec-1.9.14-vserver-1.26.patch.gz
http://www.firehead.org/~jeffrey/linux-vserver/grsecurity-1.9.14-2.4.25-vs1.26.patch
and the message was the same.

Dariush Pietrzak, by your words it's impossible to use vs+grsec with
gradm on main system? Why then are there some patches vs+grsec?
I think it's very important to use ACL system - not only default grsec
restrictions provided by kernel configuration. I DO NOT try to use
gradm on vserver, just in main system. But there is a problem. That's
why I am asking for help.

Thanks,
Justinas

-----Original Message-----
From: vserver-admin_at_list.linux-vserver.org [mailto:vserver-admin_at_list.linux-vserver.org] On Behalf Of Sandino Araico Sánchez
Sent: Monday, March 29, 2004 9:17 PM
To: vserver_at_list.linux-vserver.org
Subject: Re: [Vserver] vserver + grsec + gradm problem

Dariush Pietrzak wrote:

>>I want to use gradm on main system, not in vserver, but as you can
>>see I can't because of this error. I'm successfully running kernel
>>with grsec + gradm, but I can't run vserver + grsec + gradm.
>>
>>
> and what is strange about that?
>(I'm trying to ride a bike, no problem here. I'm trying to drive a car,
>still no problem. But when I'm trying to ride a bike+car I get those
>mysterious errors....).
>
>
At the patch level, grsecurity and vserver have been very mixable, I've
had no other problems than the need to reduce chroot restrictions.

I've been trying to reproduce Justinas's problem with gradm but I can't
reproduce it on context 0. It's only reproducible inside a virtual
server, but in such case it's a desirable behaviour.

> It's not that obvious how would you like to merge bike and car, same
>goes for grsec and vserver.
>
It takes ~1 hour to integrate the .rej files and the resulting patch
looks clean enough.

>You can merge those, but since functionality
>overlaps you have to decide either to drop one or the other in some
>places,
>
>
Functionality overlaps in some places like process visibility which is
filtered twice but I've seen no functionality conflicts other than
desirable restrictions inside chroot.

>or do some merging ( I used to have this car with pedals as a kid, lots
>of fun, wouldn't recommend it for production environment though... )
>
>
>

-- 
Sandino Araico Sánchez
-- Melón ate the feathers....

_______________________________________________ Vserver mailing list Vserver_at_list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver

Generated on Tue 30 Mar 2004 - 07:46:05 BST by hypermail 2.1.3