---
I was thinking I should post my tiny investigation into the apparent misbehavior of a small Java program, jacksum, as it is a textbook example of the goodness of grsecurity's logging, even though only later in my thinking, and still without certainty, did I change the direction of where to search for a solution to this issue (and I finally solved it in a way that was unpredictable, for me).
Code:
# equery k jacksum
* Checking app-crypt/jacksum-1.7.0 ...
14 out of 14 files passed
# equery k youtube-dl
* Checking net-misc/youtube-dl-2016.07.13 ...
3759 out of 3759 files passed
# equery k java-config
* Checking dev-java/java-config-2.2.0-r3 ...
101 out of 101 files passed
#
(see below, near the 'equery b' string, why java-config)
And yet:
Code:
$ cd /Cmn/src/ && jacksum -V summary -a sha256 -r -d -f -m ./ > /Cmn/src/src_$(date +%y%m%d_%H%M)_g5n &
[1] 5115
$ /usr/bin/gjl: unable to resolve symlink /usr/bin/../lib/python-exec/python-exec2: No such file or directory.
Couldn't get needed information
[1]+ Exit 1 cd /Cmn/src/ && jacksum -V summary -a sha256 -r -d -f -m ./ > /Cmn/src/src_$(date +%y%m%d_%H%M)_g5n
$
In the logs:
Code:
Jul 20 21:40:22 g0n kernel: [10964.152317] grsec: (miro:U:/bin/bash) chdir to /Cmn/src by /bin/bash[bash:5115] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4487] uid/euid:1000/1000 gid/egid:1000/1000
Jul 20 21:40:22 g0n kernel: [10964.153263] grsec: (miro:U:/) exec of /bin/date (date +%y%m%d_%H%M ) by /bin/date[bash:5117] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5116] uid/euid:1000/1000 gid/egid:1000/1000
Jul 20 21:40:22 g0n kernel: [10964.154196] grsec: (miro:U:/) exec of /usr/bin/jacksum (jacksum -V summary -a sha256 -r -d -f -m ./ ) by /usr/bin/jacksum[bash:5116] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5115] uid/euid:1000/1000 gid/egid:1000/1000
Jul 20 21:40:22 g0n kernel: [10964.156972] grsec: (miro:U:/usr/bin/youtube-dl) exec of /usr/lib64/python-exec/python-exec2 (gjl --package jacksum --get-args --get-jar jacksum.jar --get-vm ) by /usr/lib64/python-exec/python-exec2[jacksum:5119] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/jacksum[jacksum:5118] uid/euid:1000/1000 gid/egid:1000/1000
Jul 20 21:40:22 g0n kernel: [10964.157373] grsec: (miro:U:/usr/bin/youtube-dl) denied access to hidden file /usr/lib64/python-exec/python-exec2 by /usr/lib64/python-exec/python-exec2[gjl:5119] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/jacksum[jacksum:5118] uid/euid:1000/1000 gid/egid:1000/1000
Code:
# equery b /usr/bin/gjl
* Searching for /usr/bin/gjl ...
dev-java/java-config-2.2.0-r3 (/usr/bin/gjl -> ../lib/python-exec/python-exec2)
#
And that is where the trouble starts:
Code:
$ gjl --package jacksum --get-args --get-jar jacksum.jar --get-vm
/usr/bin/gjl: unable to resolve symlink /usr/bin/../lib/python-exec/python-exec2: No such file or directory.
$
In the logs that expands to:
Code:
Jul 21 01:22:00 g0n kernel: [24264.114892] grsec: (miro:U:/usr/bin/youtube-dl) exec of /usr/lib64/python-exec/python-exec2 (gjl --package jacksum --get-args --get-jar jacksum.jar --get-vm ) by /usr/lib64/python-exec/python-exec2[bash:5781] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4487] uid/euid:1000/1000 gid/egid:1000/1000
Jul 21 01:22:00 g0n kernel: [24264.116630] grsec: (miro:U:/usr/bin/youtube-dl) denied access to hidden file /usr/lib64/python-exec/python-exec2 by /usr/lib64/python-exec/python-exec2[gjl:5781] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4487] uid/euid:1000/1000 gid/egid:1000/1000
But that is the same as further above. Already seen.
Is it youtube-dl? Because the other two packages have been around for months and: no issues...
Code:
# ls -l /usr/portage/net-misc/youtube-dl/
total 120
-rw-r--r-- 1 portage portage 19460 2016-07-15 11:44 ChangeLog
-rw-r--r-- 1 portage portage 75434 2015-11-09 05:11 ChangeLog-2015
-rw-r--r-- 1 portage portage 3826 2016-07-15 11:44 Manifest
-rw-r--r-- 1 portage portage 218 2016-05-21 17:35 metadata.xml
-rw-r--r-- 1 portage portage 2185 2016-01-17 18:01 youtube-dl-2016.01.01.ebuild
-rw-r--r-- 1 portage portage 2332 2016-07-11 06:59 youtube-dl-2016.07.11.ebuild
-rw-r--r-- 1 portage portage 2332 2016-07-15 07:54 youtube-dl-2016.07.13.ebuild
-rw-r--r-- 1 portage portage 914 2015-12-26 12:24 youtube-dl-99999999.ebuild
#
It appears to be in constant development, though:
Code:
# ls -ltr var/log/portage_logs/ | grep -E 'jacksum|youtube-dl|java-config-[0-9]'
-rw-rw---- 1 portage portage 140291 2016-04-02 00:32 net-misc:youtube-dl-2016.01.14:20160401-223221.log
-rw-rw---- 1 portage portage 352590 2016-04-02 00:32 net-misc:youtube-dl-2016.03.27:20160401-223154.log
-rw-rw---- 1 portage portage 7619 2016-04-02 02:45 dev-java:java-config-2.2.0:20160402-004535.log
-rw-rw---- 1 portage portage 35679 2016-04-02 02:45 dev-java:java-config-2.2.0-r3:20160402-004522.log
-rw-rw---- 1 portage portage 150022 2016-04-02 05:52 net-misc:youtube-dl-2016.03.27:20160402-035247.log
-rw-rw---- 1 portage portage 389758 2016-04-02 05:52 net-misc:youtube-dl-2016.03.27:20160402-035216.log
-rw-rw---- 1 portage portage 178197 2016-05-02 18:57 net-misc:youtube-dl-2016.03.27:20160502-165746.log
-rw-rw---- 1 portage portage 416927 2016-05-02 18:57 net-misc:youtube-dl-2016.04.24:20160502-165715.log
-rw-rw---- 1 portage portage 175851 2016-06-04 07:23 net-misc:youtube-dl-2016.04.24:20160604-052351.log
-rw-rw---- 1 portage portage 419719 2016-06-04 07:23 net-misc:youtube-dl-2016.06.02:20160604-052319.log
-rw-rw---- 1 portage portage 181625 2016-06-24 17:04 net-misc:youtube-dl-2016.06.02:20160624-150405.log
-rw-rw---- 1 portage portage 430924 2016-06-24 17:04 net-misc:youtube-dl-2016.06.23.1:20160624-150332.log
-rw-rw---- 1 portage portage 185691 2016-07-07 21:26 net-misc:youtube-dl-2016.06.23.1:20160707-192604.log
-rw-rw---- 1 portage portage 439674 2016-07-07 21:26 net-misc:youtube-dl-2016.07.01:20160707-192529.log
-rw-rw---- 1 portage portage 184750 2016-07-20 12:27 net-misc:youtube-dl-2016.07.01:20160720-102720.log
-rw-rw---- 1 portage portage 1172735 2016-07-20 12:27 net-misc:youtube-dl-2016.07.13:20160720-102650.log
#
(and I could probably look further back in my archives if need be)
My new entries in package.mask:
Code:
=net-misc/youtube-dl-2016.07.11
=net-misc/youtube-dl-2016.07.13
emerge -tuDN youtube-dl
...
But to no avail. Same error, same lines in the logs.
Next I try:
Code:
# emerge -1 jacksum
(A reminder:
Code:
$ gjl --package jacksum --get-args --get-jar jacksum.jar --get-vm
/usr/bin/gjl: unable to resolve symlink /usr/bin/../lib/python-exec/python-exec2: No such file or directory.
$
)
Code:
# emerge -1 java-config
...
(The reminder would be the same.)
But let's make a variant of it:
Code:
$ jacksum
/usr/bin/gjl: unable to resolve symlink /usr/bin/../lib/python-exec/python-exec2: No such file or directory.
Couldn't get needed information
$
And in the logs:
Code:
Jul 21 01:55:24 g0n kernel: [26268.552369] grsec: (miro:U:/) exec of /usr/bin/jacksum (jacksum ) by /usr/bin/jacksum[bash:10751] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:8223] uid/euid:1000/1000 gid/egid:1000/1000
Jul 21 01:55:24 g0n kernel: [26268.561737] grsec: (miro:U:/usr/bin/youtube-dl) exec of /usr/lib64/python-exec/python-exec2 (gjl --package jacksum --get-args --get-jar jacksum.jar --get-vm ) by /usr/lib64/python-exec/python-exec2[jacksum:10753] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/jacksum[jacksum:10752] uid/euid:1000/1000 gid/egid:1000/1000
Jul 21 01:55:24 g0n kernel: [26268.562306] grsec: (miro:U:/usr/bin/youtube-dl) denied access to hidden file /usr/lib64/python-exec/python-exec2 by /usr/lib64/python-exec/python-exec2[gjl:10753] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/jacksum[jacksum:10752] uid/euid:1000/1000 gid/egid:1000/1000
And, more tries... As root:
Code:
# jacksum
Jacksum v1.7.0, Copyright (C) 2002-2006, Dipl.-Inf. (FH) Johann N. Loefflmann
Jacksum comes with ABSOLUTELY NO WARRANTY; for details see 'license.txt'.
This is free software, and you are welcome to redistribute it under certain
conditions; see 'license.txt' for details.
This software is OSI Certified Open Source Software.
OSI Certified is a certification mark of the Open Source Initiative.
Go to http://www.jonelo.de/java/jacksum/index.html to get the latest version.
For more information please type:
java -jar jacksum.jar -h en
Fuer weitere Informationen bitte eingeben:
java -jar jacksum.jar -h de
#
Code:
# cd /Cmn/src/
# jacksum -V summary -a sha256 -r -d -f -m > ../src_$(date +%y%m%d_%H%M)_g5n &
[1] 10835
#
Working!
What is the matter here?
It did the work. I just got out (there was quite a bunch in that directory to calculate):
Code:
#
Jacksum: processed directories: 30397
Jacksum: directory read errors: 0
Jacksum: processed files: 134149
Jacksum: processed bytes: 1046008366
Jacksum: file read errors: 0
Jacksum: elapsed time: 0 d, 0 h, 1 m, 34 s, 714 ms
[1]+ Done jacksum -V summary -a sha256 -r -d -f -m > ../src_$(date +%y%m%d_%H%M)_g5n
#
Just to have more complete insight, here are the corresponding lines in the syslog:
Code:
Jul 21 02:05:20 g0n kernel: [26864.109187] grsec: (admin:S:/) exec of /usr/bin/jacksum (jacksum ) by /usr/bin/jacksum[bash:10811] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3882] uid/euid:0/0 gid/egid:0/0
Jul 21 02:05:20 g0n kernel: [26864.116015] grsec: (admin:S:/) exec of /usr/lib64/python-exec/python-exec2 (gjl --package jacksum --get-args --get-jar jacksum.jar --get-vm ) by /usr/lib64/python-exec/python-exec2[jacksum:10815] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/jacksum[jacksum:10814] uid/euid:0/0 gid/egid:0/0
Jul 21 02:05:20 g0n kernel: [26864.116935] grsec: (admin:S:/) exec of /usr/lib64/python-exec/python3.4/gjl (/usr/lib/python-exec/python3.4/gjl --package jacksum --get-args --get-jar jacksum.jar --get-vm ) by /usr/lib64/python-exec/python3.4/gjl[gjl:10815] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/jacksum[jacksum:10814] uid/euid:0/0 gid/egid:0/0
Jul 21 02:05:20 g0n kernel: [26864.178848] grsec: (admin:S:/) exec of /usr/libexec/eselect-java/run-java-tool.bash (java -classpath /usr/share/jacksum/lib/jacksum.jar -Djava.library.path=/lib:/usr/lib -jar /usr/share/jacksum/lib/jacksum.jar ) by /usr/libexec/eselect-java/run-java-tool.bash[jacksum:10811] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3882] uid/euid:0/0 gid/egid:0/0
Jul 21 02:05:20 g0n kernel: [26864.188313] grsec: (admin:S:/) exec of /usr/bin/which (/usr/bin/which java ) by /usr/bin/which[java:10817] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/eselect-java/run-java-tool.bash[java:10816] uid/euid:0/0 gid/egid:0/0
Jul 21 02:05:20 g0n kernel: [26864.190255] grsec: (admin:S:/) exec of /opt/icedtea-bin-3.0.1/bin/java (/opt/icedtea-bin-3.0.1/bin/java -classpath /usr/share/jacksum/lib/jacksum.jar -Djava.library.path=/lib:/usr/lib -jar /usr/share/) by /opt/icedtea-bin-3.0.1/bin/java[java:10811] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3882] uid/euid:0/0 gid/egid:0/0
Jul 21 02:05:20 g0n kernel: [26864.199119] grsec: (admin:S:/) chdir to /tmp/hsperfdata_root by /opt/icedtea-bin-3.0.1/bin/java[java:10818] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3882] uid/euid:0/0 gid/egid:0/0
Jul 21 02:05:20 g0n kernel: [26864.199278] grsec: (admin:S:/) chdir to /root by /opt/icedtea-bin-3.0.1/bin/java[java:10818] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3882] uid/euid:0/0 gid/egid:0/0
Jul 21 02:05:20 g0n kernel: [26864.199491] grsec: (admin:S:/) chdir to /tmp/hsperfdata_root by /opt/icedtea-bin-3.0.1/bin/java[java:10818] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3882] uid/euid:0/0 gid/egid:0/0
Jul 21 02:05:20 g0n kernel: [26864.199607] grsec: (admin:S:/) chdir to /root by /opt/icedtea-bin-3.0.1/bin/java[java:10818] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3882] uid/euid:0/0 gid/egid:0/0
Jul 21 02:05:29 g0n kernel: [26873.394298] grsec: (admin:S:/) exec of /bin/cat (cat ) by /bin/cat[bash:10832] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3882] uid/euid:0/0 gid/egid:0/0
Jul 21 02:05:49 g0n kernel: [26893.163678] grsec: (admin:S:/) chdir to /Cmn/src by /bin/bash[bash:5008] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/urxvt[urxvt:5004] uid/euid:0/0 gid/egid:0/0
Jul 21 02:06:19 g0n kernel: [26922.829638] grsec: (admin:S:/) exec of /bin/date (date +%y%m%d_%H%M ) by /bin/date[bash:10836] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10835] uid/euid:0/0 gid/egid:0/0
Jul 21 02:06:19 g0n kernel: [26922.832758] grsec: (admin:S:/) exec of /usr/bin/jacksum (jacksum -V summary -a sha256 -r -d -f -m ) by /usr/bin/jacksum[bash:10835] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5008] uid/euid:0/0 gid/egid:0/0
Jul 21 02:06:19 g0n kernel: [26922.838478] grsec: (admin:S:/) exec of /usr/lib64/python-exec/python-exec2 (gjl --package jacksum --get-args --get-jar jacksum.jar --get-vm ) by /usr/lib64/python-exec/python-exec2[jacksum:10840] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/jacksum[jacksum:10839] uid/euid:0/0 gid/egid:0/0
Jul 21 02:06:19 g0n kernel: [26922.839218] grsec: (admin:S:/) exec of /usr/lib64/python-exec/python3.4/gjl (/usr/lib/python-exec/python3.4/gjl --package jacksum --get-args --get-jar jacksum.jar --get-vm ) by /usr/lib64/python-exec/python3.4/gjl[gjl:10840] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/jacksum[jacksum:10839] uid/euid:0/0 gid/egid:0/0
Jul 21 02:06:19 g0n kernel: [26922.898653] grsec: (admin:S:/) exec of /usr/libexec/eselect-java/run-java-tool.bash (java -classpath /usr/share/jacksum/lib/jacksum.jar -Djava.library.path=/lib:/usr/lib -jar /usr/share/jacksum/lib/jacksum.jar -V ) by /usr/libexec/eselect-java/run-java-tool.bash[jacksum:10835] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5008] uid/euid:0/0 gid/egid:0/0
Jul 21 02:06:19 g0n kernel: [26922.907169] grsec: (admin:S:/) exec of /usr/bin/which (/usr/bin/which java ) by /usr/bin/which[java:10842] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/eselect-java/run-java-tool.bash[java:10841] uid/euid:0/0 gid/egid:0/0
Jul 21 02:06:19 g0n kernel: [26922.908723] grsec: (admin:S:/) exec of /opt/icedtea-bin-3.0.1/bin/java (/opt/icedtea-bin-3.0.1/bin/java -classpath /usr/share/jacksum/lib/jacksum.jar -Djava.library.path=/lib:/usr/lib -jar /usr/share/) by /opt/icedtea-bin-3.0.1/bin/java[java:10835] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5008] uid/euid:0/0 gid/egid:0/0
Jul 21 02:06:19 g0n kernel: [26922.919299] grsec: (admin:S:/) chdir to /tmp/hsperfdata_root by /opt/icedtea-bin-3.0.1/bin/java[java:10843] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5008] uid/euid:0/0 gid/egid:0/0
Jul 21 02:06:19 g0n kernel: [26922.919458] grsec: (admin:S:/) chdir to /Cmn/src by /opt/icedtea-bin-3.0.1/bin/java[java:10843] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5008] uid/euid:0/0 gid/egid:0/0
Jul 21 02:06:19 g0n kernel: [26922.919568] grsec: (admin:S:/) chdir to /tmp/hsperfdata_root by /opt/icedtea-bin-3.0.1/bin/java[java:10843] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5008] uid/euid:0/0 gid/egid:0/0
Jul 21 02:06:19 g0n kernel: [26922.919677] grsec: (admin:S:/) chdir to /Cmn/src by /opt/icedtea-bin-3.0.1/bin/java[java:10843] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5008] uid/euid:0/0 gid/egid:0/0
And jacksum did the work. As admin, though. So it may be a grsecurity GRADM permissions issue.
As admin. And this issue has popped up only after yesterday's update of my Gentoo ~amd64 system.
A permission issue? But I can't really do much about it with the upstream, other than seek advice, be it from advanced grsecurity users who read this, or from further above. Because...
Because, in my testing (~amd64) Gentoo, the hardened kernel sources:
Code:
# ls -l /usr/portage/sys-kernel/hardened-sources/ | grep hardened
-rw-r--r-- 1 portage portage 1273 2016-02-20 08:51 hardened-sources-4.3.3-r4.ebuild
-rw-r--r-- 1 portage portage 1273 2016-02-28 20:39 hardened-sources-4.4.2.ebuild
-rw-r--r-- 1 portage portage 1273 2016-04-30 19:51 hardened-sources-4.4.8-r1.ebuild
-rw-r--r-- 1 portage portage 1275 2016-06-28 13:39 hardened-sources-4.5.7-r5.ebuild
-rw-r--r-- 1 portage portage 1275 2016-07-12 21:10 hardened-sources-4.6.4.ebuild
#
are regularly updated;
and I have these installed:
Code:
# equery l hardened-sources
* Searching for hardened-sources ...
[I--] [??] sys-kernel/hardened-sources-4.5.7-r3:4.5.7-r3
[I--] [??] sys-kernel/hardened-sources-4.5.7-r7:4.5.7-r7
[IP-] [ ] sys-kernel/hardened-sources-4.6.4:4.6.4
#
but the gradm utility:
Code:
# ls -l /usr/portage/sys-apps/gradm/ | grep gradm
-rw-r--r-- 1 portage portage 1081 2016-03-16 07:50 gradm-3.1.201507191652.ebuild
-rw-r--r-- 1 portage portage 1094 2016-05-26 10:17 gradm-3.1.201603152148.ebuild
#
is not. And I suspect that maybe I should try and install a more up-to-date testing (free) gradm, first.
And also, if that is the case, since the Gentoo maintainers had explicitly asked for feedback on grsec-hardened (when it went stable-is-non-free)... [also] do provide some feedback to them...
That could be a lot of work (a lot of other work of mine to leave waiting in the queue for longer).
However, I don't believe I am safe online without a properly hardened system. To go the NSA Linux (oh, I meant SELinux) way maybe? Like I heard somewhere even Linus recommending? Ts, ts!
I'll see what I can do to present this case, and whether I can try and get a bug filed with the Gentoo Hardened team, simply for the gradm utility being left without the maintainers' "love"...
Bugs are getting galore in Gentoo, just to present a more complete picture. Close to 100 are open (one is mine), I read just yesterday on gentoo-dev... And there are other issues with Gentoo, too far outside the scope of this topic to tell about them.
Another post, else it'll be too unreadable.
---
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
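The post above reads the grsecurity audit lines by hand, matching the "denied access to hidden file" entry against the "exec of" entry that precedes it for the same PID, and comparing the role:subject pair the kernel applied for the user role (miro:U:/usr/bin/youtube-dl) with the one applied for the admin role (admin:S:/). The following script does that correlation mechanically over a syslog. It is an added example for this thread, not code from the post's author, from grsecurity or from gradm; the line grammar it uses is an assumption reconstructed from the lines quoted in the post rather than the kernel's own format string, and the embedded sample lines are copied from the post (unwrapped), three from the failing run as user miro and two from the working run as admin.

```python
"""Parse grsecurity RBAC audit lines and correlate each "denied access"
event with the exec that led to it.

Added illustration for the thread; not code from the post's author, from
grsecurity or from gradm.  The line grammar below is an assumption
reconstructed from the syslog lines quoted in the post, not the kernel's
format string, so extend _MSG if your logs carry other message kinds.
"""
import re
import sys
from typing import Dict, List, Optional

# One audit line (unwrapped) looks like:
#   <ts> <host> kernel: [<uptime>] grsec: (<role>:<type>:<subject>) <message>
#   by <exe>[<comm>:<pid>] uid/euid:a/b gid/egid:c/d,
#   parent <exe>[<comm>:<pid>] uid/euid:a/b gid/egid:c/d
# <type> is the role type letter the kernel prints (U for a user role,
# S for a special role such as admin); <subject> is the path of the RBAC
# subject whose policy was applied to the acting process.
_PROC = (r"(?P<{p}exe>\S+)\[(?P<{p}comm>[^\]:]+):(?P<{p}pid>\d+)\] "
         r"uid/euid:(?P<{p}uid>\d+)/(?P<{p}euid>\d+) "
         r"gid/egid:(?P<{p}gid>\d+)/(?P<{p}egid>\d+)")
_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: \[ *[\d.]+\] "
    r"grsec: \((?P<role>[^:()]+):(?P<rtype>[A-Z]):(?P<subject>[^)]*)\) "
    r"(?P<msg>.*?) by " + _PROC.format(p="") + r", parent "
    + _PROC.format(p="p") + r"$")
# Message kinds seen in the post; the exec argv ends with a space before ")".
_MSG = [
    ("denied", re.compile(r"^denied access to hidden file (?P<path>\S+)$")),
    ("exec",   re.compile(r"^exec of (?P<path>\S+) \((?P<argv>.*?) ?\)$")),
    ("chdir",  re.compile(r"^chdir to (?P<path>\S+)$")),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one grsec audit line into fields; None if it is not one."""
    m = _LINE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["action"] = "other"
    for action, rx in _MSG:
        mm = rx.match(ev["msg"])
        if mm:
            ev["action"] = action
            ev.update(mm.groupdict())
            break
    return ev


def correlate_denials(lines: List[str]) -> List[Dict[str, str]]:
    """For each denial, attach the most recent exec seen for the same PID,
    so the report names the role/subject the kernel applied, the file it
    refused, and the command that was running when it happened.  PIDs get
    reused over time, so only the latest exec per PID is remembered."""
    last_exec: Dict[str, Dict[str, str]] = {}
    report = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["action"] == "exec":
            last_exec[ev["pid"]] = ev
        elif ev["action"] == "denied":
            ex = last_exec.get(ev["pid"])
            report.append({
                "when": ev["ts"],
                "role": f"{ev['role']}:{ev['rtype']}",
                "subject": ev["subject"],
                "denied_path": ev["path"],
                "process": f"{ev['exe']}[{ev['comm']}:{ev['pid']}]",
                "parent": f"{ev['pexe']}[{ev['pcomm']}:{ev['ppid']}]",
                "exec_argv": ex["argv"] if ex else "",
                "uid": ev["uid"],
            })
    return report


def subjects_for_path(lines: List[str], path: str) -> List[str]:
    """Every role:type:subject under which `path` was exec'd, sorted, to
    compare which policy applied to the same binary for different roles."""
    seen = set()
    for line in lines:
        ev = parse_line(line)
        if ev and ev["action"] == "exec" and ev["path"] == path:
            seen.add(f"{ev['role']}:{ev['rtype']}:{ev['subject']}")
    return sorted(seen)


# Sample input: five lines copied from the post (unwrapped).
SAMPLE_LOG = [
    "Jul 21 01:55:24 g0n kernel: [26268.552369] grsec: (miro:U:/) exec of /usr/bin/jacksum (jacksum ) by /usr/bin/jacksum[bash:10751] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:8223] uid/euid:1000/1000 gid/egid:1000/1000",
    "Jul 21 01:55:24 g0n kernel: [26268.561737] grsec: (miro:U:/usr/bin/youtube-dl) exec of /usr/lib64/python-exec/python-exec2 (gjl --package jacksum --get-args --get-jar jacksum.jar --get-vm ) by /usr/lib64/python-exec/python-exec2[jacksum:10753] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/jacksum[jacksum:10752] uid/euid:1000/1000 gid/egid:1000/1000",
    "Jul 21 01:55:24 g0n kernel: [26268.562306] grsec: (miro:U:/usr/bin/youtube-dl) denied access to hidden file /usr/lib64/python-exec/python-exec2 by /usr/lib64/python-exec/python-exec2[gjl:10753] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/jacksum[jacksum:10752] uid/euid:1000/1000 gid/egid:1000/1000",
    "Jul 21 02:05:20 g0n kernel: [26864.116015] grsec: (admin:S:/) exec of /usr/lib64/python-exec/python-exec2 (gjl --package jacksum --get-args --get-jar jacksum.jar --get-vm ) by /usr/lib64/python-exec/python-exec2[jacksum:10815] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/jacksum[jacksum:10814] uid/euid:0/0 gid/egid:0/0",
    "Jul 21 02:05:20 g0n kernel: [26864.116935] grsec: (admin:S:/) exec of /usr/lib64/python-exec/python3.4/gjl (/usr/lib/python-exec/python3.4/gjl --package jacksum --get-args --get-jar jacksum.jar --get-vm ) by /usr/lib64/python-exec/python3.4/gjl[gjl:10815] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/jacksum[jacksum:10814] uid/euid:0/0 gid/egid:0/0",
]

if __name__ == "__main__":
    # Usage: python grsec_denials.py [/var/log/messages]; no file = sample.
    src = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for d in correlate_denials(src):
        print(f"{d['when']} role={d['role']} subject={d['subject']} "
              f"denied={d['denied_path']} while running: {d['exec_argv']} "
              f"({d['process']}, parent {d['parent']})")
    print("subjects applied to python-exec2:",
          subjects_for_path(src, "/usr/lib64/python-exec/python-exec2"))
```

Run against the sample, the report shows one denial, under role miro:U with subject /usr/bin/youtube-dl, of the very binary (python-exec2) that the same PID had just been allowed to exec while running gjl for jacksum; the subject list shows python-exec2 executing under two different subjects, /usr/bin/youtube-dl for the user role and / for the admin role. Feeding it a whole /var/log/messages gives the same view for every denial without wading through the interleaved chdir and exec noise.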