
Permission denied while running checksec #13

Closed
asarubbo opened this issue Sep 13, 2015 · 28 comments

Comments

@asarubbo

omt ~ # ./checksec --proc-all
* System-wide ASLR (kernel.randomize_va_space): Full (Setting: 2)

  Description - Make the addresses of mmap base, heap, stack and VDSO page randomized.
  This, among other things, implies that shared libraries will be loaded to random 
  addresses. Also for PIE-linked binaries, the location of code start is randomized.

  See the kernel file 'Documentation/sysctl/kernel.txt' for more details.

* Does the CPU support NX: Yes

         COMMAND    PID RELRO           STACK CANARY      NX/PaX        PIE                     FORTIFY
            init      1 Permission denied (please run as root)
omt ~ # whoami
root
asarubbo changed the title from "Permission denied while running checkses" to "Permission denied while running checksec" on Sep 13, 2015
@slimm609
Owner

what distro are you running?

@asarubbo
Author

Gentoo.

@slimm609
Owner

Can you do an update and try again? (Either git pull or ./checksec --update.)

@asarubbo
Author

same result.

@slimm609
Owner

What's the output of "id"?

@slimm609
Owner

Please run "./checksec --update", then "./checksec -d --proc init", and provide the full output. I added debugging to try and figure out why it is failing.

@asarubbo
Author

lrwxrwxrwx 1 root root 4 lug 9 03:26 /usr/bin/awk -> gawk
-rwxr-xr-x 1 root root 22384 set 13 11:04 /sbin/sysctl
lrwxrwxrwx 1 root root 10 set 13 11:34 /usr/bin/uname -> /bin/uname
lrwxrwxrwx 1 root root 11 set 13 11:34 /usr/bin/mktemp -> /bin/mktemp
-rwxr-xr-x 1 root root 578784 set 13 11:22 /usr/bin/openssl
-rwxr-xr-x 1 root root 174184 set 13 12:44 /bin/grep
-rwxr-xr-x 1 root root 79872 set 13 11:34 /usr/bin/stat
-rwxr-xr-x 1 root root 22528 set 13 10:52 /usr/bin/file
-rwxr-xr-x 1 root root 269576 set 13 12:41 /usr/bin/find
lrwxrwxrwx 1 root root 9 set 13 11:34 /usr/bin/head -> /bin/head
-rwxr-xr-x 1 root root 137328 set 13 11:04 /bin/ps
lrwxrwxrwx 1 root root 13 set 13 11:34 /usr/bin/readlink -> /bin/readlink
lrwxrwxrwx 1 root root 13 set 13 11:34 /usr/bin/basename -> /bin/basename
-rwxr-xr-x 1 root root 43008 set 13 11:34 /usr/bin/id
-rwxr-xr-x 1 root root 442248 set 13 14:05 /usr/bin/wget
-rwxr-xr-x 1 root root 190320 set 14 11:05 /usr/bin/curl
lrwxrwxrwx 1 root root 27 set 13 11:30 /usr/bin/readelf -> x86_64-pc-linux-gnu-readelf
-rwxr-xr-x 1 root root 198616 set 13 12:21 /usr/bin/eu-readelf
***function isString
* System-wide ASLR***function aslrcheck

***function aslrcheck->PAX ASLR
: PaX ASLR enabled

* Does the CPU support NX: 
***function nxcheck
Yes

         COMMAND    PID RELRO           STACK CANARY      NX/PaX        PIE                     FORTIFY
            init      1 
***function proccheck
***function proccheck->RELRO
Permission denied (please run as root)

@slimm609
Owner

are you running the grsecurity kernel with a policy enabled?

On Mon, Sep 14, 2015 at 6:34 PM, Agostino Sarubbo notifications@github.com wrote:

@asarubbo
Author

The first test was without grsecurity. The last test was with grsecurity.

@slimm609
Owner

Can you please try again? I added some additional debug stuff. I have tried to set up a Gentoo box and recreate it, but on the Gentoo test box it still runs without error.

@asarubbo
Author

***** Checksec debug *****
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video)
Linux omt 3.14.51-hardened #1 SMP PREEMPT Mon Sep 14 09:59:48 CEST 2015 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4600+ AuthenticAMD GNU/Linux
lrwxrwxrwx 1 root root 4 lug 9 03:26 /usr/bin/awk -> gawk
-rwxr-xr-x 1 root root 474064 set 13 12:44 /usr/bin/gawk
/usr/bin/gawk: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
-rwxr-xr-x 1 root root 22384 set 13 11:04 /sbin/sysctl
/sbin/sysctl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
lrwxrwxrwx 1 root root 10 set 13 11:34 /usr/bin/uname -> /bin/uname
-rwxr-xr-x 1 root root 34816 set 13 11:34 /bin/uname
/bin/uname: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
lrwxrwxrwx 1 root root 11 set 13 11:34 /usr/bin/mktemp -> /bin/mktemp
-rwxr-xr-x 1 root root 42976 set 13 11:34 /bin/mktemp
/bin/mktemp: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
-rwxr-xr-x 1 root root 578784 set 13 11:22 /usr/bin/openssl
/usr/bin/openssl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
-rwxr-xr-x 1 root root 174184 set 13 12:44 /bin/grep
/bin/grep: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
-rwxr-xr-x 1 root root 79872 set 13 11:34 /usr/bin/stat
/usr/bin/stat: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
-rwxr-xr-x 1 root root 22528 set 13 10:52 /usr/bin/file
/usr/bin/file: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
-rwxr-xr-x 1 root root 269576 set 13 12:41 /usr/bin/find
/usr/bin/find: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
lrwxrwxrwx 1 root root 9 set 13 11:34 /usr/bin/head -> /bin/head                                                                                                                                                                                                               
-rwxr-xr-x 1 root root 43008 set 13 11:34 /bin/head                                                                                                                                                                                                                            
/bin/head: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped                                                                                                                 
-rwxr-xr-x 1 root root 137328 set 13 11:04 /bin/ps                                                                                                                                                                                                                             
/bin/ps: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped                                                                                                                   
lrwxrwxrwx 1 root root 13 set 13 11:34 /usr/bin/readlink -> /bin/readlink                                                                                                                                                                                                      
-rwxr-xr-x 1 root root 47072 set 13 11:34 /bin/readlink                                                                                                                                                                                                                        
/bin/readlink: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped                                                                                                             
lrwxrwxrwx 1 root root 13 set 13 11:34 /usr/bin/basename -> /bin/basename                                                                                                                                                                                                      
-rwxr-xr-x 1 root root 34784 set 13 11:34 /bin/basename                                                                                                                                                                                                                        
/bin/basename: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped                                                                                                             
-rwxr-xr-x 1 root root 43008 set 13 11:34 /usr/bin/id                                                                                                                                                                                                                          
/usr/bin/id: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped                                                                                                               
-rwxr-xr-x 1 root root 442248 set 13 14:05 /usr/bin/wget                                                                                                                                                                                                                       
/usr/bin/wget: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped                                                                                                             
-rwxr-xr-x 1 root root 190320 set 14 11:05 /usr/bin/curl                                                                                                                                                                                                                       
/usr/bin/curl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped                                                                                                             
lrwxrwxrwx 1 root root 27 set 13 11:30 /usr/bin/readelf -> x86_64-pc-linux-gnu-readelf                                                                                                                                                                                         
-rwxr-xr-x 1 root root 466920 set 13 11:30 /usr/x86_64-pc-linux-gnu/binutils-bin/2.24/readelf                                                                                                                                                                                  
/usr/x86_64-pc-linux-gnu/binutils-bin/2.24/readelf: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped                                                                        
-rwxr-xr-x 1 root root 198616 set 13 12:21 /usr/bin/eu-readelf                                                                                                                                                                                                                 
/usr/bin/eu-readelf: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped                                                                                                       
***function isString                                                                                                                                                                                                                                                           
* System-wide ASLR***function aslrcheck                                                                                                                                                                                                                                        

***function aslrcheck->PAX ASLR                                                                                                                                                                                                                                                
: PaX ASLR enabled                                                                                                                                                                                                                                                             

* Does the CPU support NX:                                                                                                                                                                                                                                                     
***function nxcheck                                                                                                                                                                                                                                                            
Yes                                                                                                                                                                                                                                                                            

         COMMAND    PID RELRO           STACK CANARY      NX/PaX        PIE                     FORTIFY                                                                                                                                                                        
            init      1                                                                                                                                                                                                                                                        
***function proccheck                                                                                                                                                                                                                                                          
***function proccheck->RELRO                                                                                                                                                                                                                                                   
Permission denied (please run as root) 

@slimm609
Owner

Let's try something else to see if permission is denied by init or by readelf. Try a ./checksec --proc sshd and see if that gives the permission denied error.

@slimm609
Owner

Please post the output of both of these, and make sure you can see stuff in /proc:

readelf -l "/proc/$(ps -Ao pid,comm | grep ssh | cut -b1-6 | head -1| tr -d '[[:space:]]')/exe"

readelf -l "/proc/$(ps -Ao pid,comm | grep init | cut -b1-6 | head -1| tr -d '[[:space:]]')/exe"

also the output of ./checksec --kernel

@asarubbo
Author

On --proc sshd, I get permission denied as well.

omt ~ # readelf -l "/proc/$(ps -Ao pid,comm | grep ssh | cut -b1-6 | head -1| tr -d '[[:space:]]')/exe"

Elf file type is DYN (Shared object file)                                                                                                                                                                                                                                      
Entry point 0xdda4                                                                                                                                                                                                                                                             
There are 10 program headers, starting at offset 64                                                                                                                                                                                                                            

Program Headers:                                                                                                                                                                                                                                                               
  Type           Offset             VirtAddr           PhysAddr                                                                                                                                                                                                                
                 FileSiz            MemSiz              Flags  Align                                                                                                                                                                                                           
  PHDR           0x0000000000000040 0x0000000000000040 0x0000000000000040                                                                                                                                                                                                      
                 0x0000000000000230 0x0000000000000230  R E    8                                                                                                                                                                                                               
  INTERP         0x0000000000000270 0x0000000000000270 0x0000000000000270                                                                                                                                                                                                      
                 0x000000000000001c 0x000000000000001c  R      1                                                                                                                                                                                                               
      [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]                                                                                                                                                                                                            
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000                                                                                                                                                                                                      
                 0x00000000000c5014 0x00000000000c5014  R E    200000                                                                                                                                                                                                          
  LOAD           0x00000000000c5bf8 0x00000000002c5bf8 0x00000000002c5bf8                                                                                                                                                                                                      
                 0x0000000000002f98 0x000000000000bd68  RW     200000                                                                                                                                                                                                          
  DYNAMIC        0x00000000000c7140 0x00000000002c7140 0x00000000002c7140                                                                                                                                                                                                      
                 0x0000000000000250 0x0000000000000250  RW     8                                                                                                                                                                                                               
  NOTE           0x000000000000028c 0x000000000000028c 0x000000000000028c                                                                                                                                                                                                      
                 0x0000000000000020 0x0000000000000020  R      4                                                                                                                                                                                                               
  GNU_EH_FRAME   0x00000000000b4dc0 0x00000000000b4dc0 0x00000000000b4dc0                                                                                                                                                                                                      
                 0x000000000000291c 0x000000000000291c  R      4                                                                                                                                                                                                               
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000                                                                                                                                                                                                      
                 0x0000000000000000 0x0000000000000000  RW     10                                                                                                                                                                                                              
  GNU_RELRO      0x00000000000c5bf8 0x00000000002c5bf8 0x00000000002c5bf8                                                                                                                                                                                                      
                 0x0000000000002408 0x0000000000002408  R      1                                                                                                                                                                                                               
  PAX_FLAGS      0x0000000000000000 0x0000000000000000 0x0000000000000000                                                                                                                                                                                                      
                 0x0000000000000000 0x0000000000000000         8                                                                                                                                                                                                               

 Section to Segment mapping:                                                                                                                                                                                                                                                   
  Segment Sections...                                                                                                                                                                                                                                                          
   00                                                                                                                                                                                                                                                                          
   01     .interp                                                                                                                                                                                                                                                              
   02     .interp .note.ABI-tag .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame                                                                                                               
   03     .init_array .fini_array .jcr .data.rel.ro .dynamic .got .data .bss                                                                                                                                                                                                   
   04     .dynamic                                                                                                                                                                                                                                                             
   05     .note.ABI-tag                                                                                                                                                                                                                                                        
   06     .eh_frame_hdr                                                                                                                                                                                                                                                        
   07                                                                                                                                                                                                                                                                          
   08     .init_array .fini_array .jcr .data.rel.ro .dynamic .got                                                                                                                                                                                                              
   09    
omt ~ # readelf -l "/proc/$(ps -Ao pid,comm | grep init | cut -b1-6 | head -1| tr -d '[[:space:]]')/exe"

Elf file type is DYN (Shared object file)
Entry point 0x2a30
There are 10 program headers, starting at offset 64

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  PHDR           0x0000000000000040 0x0000000000000040 0x0000000000000040
                 0x0000000000000230 0x0000000000000230  R E    8
  INTERP         0x0000000000000270 0x0000000000000270 0x0000000000000270
                 0x000000000000001c 0x000000000000001c  R      1
      [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000008b24 0x0000000000008b24  R E    200000
  LOAD           0x0000000000009a88 0x0000000000209a88 0x0000000000209a88
                 0x00000000000008f8 0x0000000000000b80  RW     200000
  DYNAMIC        0x0000000000009aa0 0x0000000000209aa0 0x0000000000209aa0
                 0x00000000000001f0 0x00000000000001f0  RW     8
  NOTE           0x000000000000028c 0x000000000000028c 0x000000000000028c
                 0x0000000000000020 0x0000000000000020  R      4
  GNU_EH_FRAME   0x0000000000008328 0x0000000000008328 0x0000000000008328
                 0x0000000000000144 0x0000000000000144  R      4
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RW     10
  GNU_RELRO      0x0000000000009a88 0x0000000000209a88 0x0000000000209a88
                 0x0000000000000578 0x0000000000000578  R      1
  PAX_FLAGS      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000         8

 Section to Segment mapping:
  Segment Sections...
   00     
   01     .interp 
   02     .interp .note.ABI-tag .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame 
   03     .init_array .fini_array .jcr .dynamic .got .data .bss 
   04     .dynamic 
   05     .note.ABI-tag 
   06     .eh_frame_hdr 
   07     
   08     .init_array .fini_array .jcr .dynamic .got 
   09     
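What checksec's proccheck and the two readelf -l calls above are inspecting, as an added example that is not checksec's own code or anything posted in this thread: a Python parser for the ELF64 program header table that derives the RELRO, NX and PIE verdicts from the PT_* entries and reports a permission failure on /proc/<pid>/exe separately from a missing pid or an unparseable image. All function names are mine, and the ELF images it classifies are constructed inline so it runs offline.

```python
"""Added example, not code from checksec or from this thread: read the ELF64
program header table the way `readelf -l /proc/<pid>/exe` does, derive the
RELRO / NX / PIE verdicts that checksec's proccheck prints from it, and keep
a permission failure on /proc/<pid>/exe separate from a parse failure.
A minimal ELF image is constructed inline so the whole thing runs offline."""
import struct

# Constants from the ELF, GNU and PaX specifications.
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PT_PAX_FLAGS = 0x65041580
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def parse_phdrs(data):
    """Return (e_type, [(p_type, p_flags), ...]) from an in-memory ELF64
    little-endian image.  Raises ValueError for anything else."""
    if data[:4] != b"\x7fELF" or data[4] != 2:      # EI_CLASS 2 == ELFCLASS64
        raise ValueError("not an ELF64 image")
    try:
        # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize
        # e_phentsize e_phnum e_shentsize e_shnum e_shstrndx (after e_ident[16])
        fields = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
        e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]
        # Elf64_Phdr starts with p_type and p_flags; the rest is not needed here.
        phdrs = [struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
                 for i in range(e_phnum)]
    except struct.error as exc:
        raise ValueError(f"truncated ELF image: {exc}") from None
    return e_type, phdrs


def classify(e_type, phdrs):
    """checksec-style verdicts from the program headers alone.  Full RELRO
    also needs BIND_NOW in the dynamic section (checksec reads `readelf -d`
    for that), so a header-only scan can report at most 'Partial RELRO'."""
    types = {p_type for p_type, _ in phdrs}
    stack_flags = [p_flags for p_type, p_flags in phdrs if p_type == PT_GNU_STACK]
    # Without a PT_GNU_STACK entry the x86 Linux loader defaults to an executable stack.
    nx_ok = bool(stack_flags) and not (stack_flags[0] & PF_X)
    return {
        "relro": "Partial RELRO" if PT_GNU_RELRO in types else "No RELRO",
        "nx": "NX enabled" if nx_ok else "NX disabled",
        "pie": "PIE enabled" if e_type == ET_DYN else "No PIE",
        "pax_flags": PT_PAX_FLAGS in types,   # the PAX_FLAGS header seen in the thread
    }


def check_proc(pid):
    """Read /proc/<pid>/exe the way checksec does.  A PermissionError (the
    message this thread's checksec run reports) is returned distinctly from a
    missing pid or an image that does not parse."""
    path = f"/proc/{pid}/exe"
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except PermissionError:
        return {"pid": pid, "error": "Permission denied (please run as root)"}
    except FileNotFoundError:
        return {"pid": pid, "error": f"{path} does not exist"}
    except OSError as exc:
        return {"pid": pid, "error": f"{path}: {exc.strerror}"}
    try:
        e_type, phdrs = parse_phdrs(data)
    except ValueError as exc:
        return {"pid": pid, "error": str(exc)}
    return {"pid": pid, **classify(e_type, phdrs)}


def build_elf(e_type, phdr_specs):
    """Constructed test image: an ELF64 header followed by program headers
    with the given (p_type, p_flags) and no code at all."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LSB, v1, SYSV
    header = e_ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x1000,
                                   64, 0, 0, 64, 56, len(phdr_specs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdr_specs)
    return header + body


# Constructed sample mirroring the header types in the thread's `readelf -l`
# output for sshd: ET_DYN, GNU_STACK without E, GNU_RELRO, PAX_FLAGS.
SAMPLE_HARDENED = build_elf(ET_DYN, [(PT_LOAD, PF_R | PF_X), (PT_DYNAMIC, PF_R | PF_W),
                                     (PT_GNU_STACK, PF_R | PF_W), (PT_GNU_RELRO, PF_R),
                                     (PT_PAX_FLAGS, 0)])
# Constructed counter-example: fixed-address executable with an executable stack.
SAMPLE_WEAK = build_elf(ET_EXEC, [(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)])


def classify_image(data):
    return classify(*parse_phdrs(data))


if __name__ == "__main__":
    print("hardened:", classify_image(SAMPLE_HARDENED))
    print("weak:    ", classify_image(SAMPLE_WEAK))
    print("pid 1:   ", check_proc(1))
```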

@slimm609
Owner

also the output of ./checksec --kernel

@slimm609
Owner

readelf can read the processes just fine. That's really odd, because that's exactly what the script is doing at the point where it is throwing permission denied. Is this a physical or virtual machine?

@asarubbo
Author

* Kernel protection information:

  Description - List the status of kernel protection mechanisms. Rather than
  inspect kernel mechanisms that may aid in the prevention of exploitation of
  userspace processes, this option lists the status of kernel configuration
  options that harden the kernel itself against attack.

  Kernel config: %s

  Warning: The config on disk may not represent running kernel config!

  Vanilla Kernel ASLR:                    Full
  GCC stack protector support:            Disabled
  Restrict /dev/mem access:               Enabled
  Restrict /dev/kmem access:              Enabled

* Selinux:                                No SELinux

  SELinux infomation available here:
    http://selinuxproject.org/

* grsecurity / PaX:                       Auto GRKERNSEC

  Non-executable kernel pages:            Enabled
  Non-executable pages:                   Enabled
  Paging Based Non-executable pages:      Enabled
  Restrict MPROTECT:                      Enabled
  Address Space Layout Randomization:     Enabled
  Randomize Kernel Stack:                 Enabled
  Randomize User Stack:                   Enabled
  Randomize MMAP Stack:                   Enabled
  Sanitize freed memory:                  Enabled
  Sanitize Kernel Stack:                  Enabled
  Prevent userspace pointer deref:        Enabled
  Prevent kobject refcount overflow:      Enabled
  Bounds check heap object copies:        Enabled
  JIT Hardening:                          No BPF JIT
  Thread Stack Random Gaps:               Enabled
  Disable writing to kmem/mem/port:       Enabled
  Disable privileged I/O:                 Enabled
  Harden module auto-loading:             No module support
  Chroot Protection:                      Enabled
  Deter ptrace process snooping:          Enabled
  Larger Entropy Pools:                   Disabled
  TCP/UDP Blackhole:                      Enabled
  Deter Exploit Bruteforcing:             Enabled
  Hide kernel symbols:                    Enabled

I need to investigate why gcc stack protection is reported as disabled, because it is enabled by default:

omt ~ # gcc -E -v - </dev/null 2>&1 | sed -n 's/.* -v - //p'
-fno-strict-overflow -mtune=generic -march=x86-64 -fPIE -fstack-protector-all -fstack-check=specific

@asarubbo
Author

That's a physical machine.

@asarubbo
Author

If it can help, after commenting out the exit 1 following the permission denied message I get:

         COMMAND    PID RELRO           STACK CANARY      NX/PaX        PIE                     FORTIFY
            sshd   1853 Permission denied (please run as root)
Permission denied      PaX enabled   Not an ELF file         Yes
            sshd   3086 Permission denied (please run as root)
Permission denied      PaX enabled   Not an ELF file         Yes

And, for example, it works this way:

omt ~ # ./checksec.sh --file /usr/bin/ssh
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY FORTIFIED FORTIFY-able  FILE
Full RELRO      Canary found      NX enabled    Not an ELF file   No RPATH   No RUNPATH   Yes   11              20      /usr/bin/ssh

So in both cases the files are not recognized as ELF.

@slimm609
Owner

Update and run ./checksec -d --kernel. I believe it's a kernel setting, but I just want to confirm.

@asarubbo
Author

omt ~ # ./checksec.sh -d --kernel
***** Checksec debug *****
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video)
Linux omt 3.14.51-hardened #1 SMP PREEMPT Mon Sep 14 09:59:48 CEST 2015 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4600+ AuthenticAMD GNU/Linux
lrwxrwxrwx 1 root root 4 lug 9 03:26 /usr/bin/awk -> gawk
-rwxr-xr-x 1 root root 474064 set 13 12:44 /usr/bin/gawk
/usr/bin/gawk: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
-rwxr-xr-x 1 root root 22384 set 13 11:04 /sbin/sysctl
/sbin/sysctl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
lrwxrwxrwx 1 root root 10 set 13 11:34 /usr/bin/uname -> /bin/uname
-rwxr-xr-x 1 root root 34816 set 13 11:34 /bin/uname
/bin/uname: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
lrwxrwxrwx 1 root root 11 set 13 11:34 /usr/bin/mktemp -> /bin/mktemp
-rwxr-xr-x 1 root root 42976 set 13 11:34 /bin/mktemp
/bin/mktemp: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
-rwxr-xr-x 1 root root 578784 set 13 11:22 /usr/bin/openssl
/usr/bin/openssl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
-rwxr-xr-x 1 root root 174184 set 13 12:44 /bin/grep
/bin/grep: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
-rwxr-xr-x 1 root root 79872 set 13 11:34 /usr/bin/stat
/usr/bin/stat: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
-rwxr-xr-x 1 root root 22528 set 13 10:52 /usr/bin/file
/usr/bin/file: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
-rwxr-xr-x 1 root root 269576 set 13 12:41 /usr/bin/find
/usr/bin/find: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
lrwxrwxrwx 1 root root 9 set 13 11:34 /usr/bin/head -> /bin/head
-rwxr-xr-x 1 root root 43008 set 13 11:34 /bin/head
/bin/head: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
-rwxr-xr-x 1 root root 137328 set 13 11:04 /bin/ps
/bin/ps: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
lrwxrwxrwx 1 root root 13 set 13 11:34 /usr/bin/readlink -> /bin/readlink
-rwxr-xr-x 1 root root 47072 set 13 11:34 /bin/readlink
/bin/readlink: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
lrwxrwxrwx 1 root root 13 set 13 11:34 /usr/bin/basename -> /bin/basename
-rwxr-xr-x 1 root root 34784 set 13 11:34 /bin/basename
/bin/basename: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
-rwxr-xr-x 1 root root 43008 set 13 11:34 /usr/bin/id
/usr/bin/id: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
-rwxr-xr-x 1 root root 442248 set 13 14:05 /usr/bin/wget
/usr/bin/wget: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
-rwxr-xr-x 1 root root 190320 set 14 11:05 /usr/bin/curl
/usr/bin/curl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
lrwxrwxrwx 1 root root 27 set 13 11:30 /usr/bin/readelf -> x86_64-pc-linux-gnu-readelf
-rwxr-xr-x 1 root root 466920 set 13 11:30 /usr/x86_64-pc-linux-gnu/binutils-bin/2.24/readelf
/usr/x86_64-pc-linux-gnu/binutils-bin/2.24/readelf: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
-rwxr-xr-x 1 root root 198616 set 13 12:21 /usr/bin/eu-readelf
/usr/bin/eu-readelf: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
* Kernel protection information:

***function kernelcheck
  Description - List the status of kernel protection mechanisms. Rather than
  inspect kernel mechanisms that may aid in the prevention of exploitation of
  userspace processes, this option lists the status of kernel configuration
  options that harden the kernel itself against attack.

  Kernel config: /usr/src/linux/.config

  Warning: The config on disk may not represent running kernel config!

CONFIG_GRKERNSEC=y CONFIG_GRKERNSEC_CONFIG_AUTO=y # CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set CONFIG_GRKERNSEC_CONFIG_SERVER=y # CONFIG_GRKERNSEC_CONFIG_DESKTOP is not set CONFIG_GRKERNSEC_CONFIG_VIRT_NONE=y # CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set # CONFIG_GRKERNSEC_CONFIG_VIRT_HOST is not set # CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF is not set CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY=y CONFIG_GRKERNSEC_PROC_GID=10 CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=100 CONFIG_GRKERNSEC_SYMLINKOWN_GID=100 CONFIG_GRKERNSEC_KMEM=y CONFIG_GRKERNSEC_IO=y CONFIG_GRKERNSEC_PERF_HARDEN=y CONFIG_GRKERNSEC_RAND_THREADSTACK=y CONFIG_GRKERNSEC_PROC_MEMMAP=y CONFIG_GRKERNSEC_KSTACKOVERFLOW=y CONFIG_GRKERNSEC_BRUTE=y CONFIG_GRKERNSEC_HIDESYM=y CONFIG_GRKERNSEC_RANDSTRUCT=y # CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE is not set CONFIG_GRKERNSEC_KERN_LOCKOUT=y CONFIG_GRKERNSEC_NO_RBAC=y CONFIG_GRKERNSEC_ACL_HIDEKERN=y CONFIG_GRKERNSEC_ACL_MAXTRIES=3 CONFIG_GRKERNSEC_ACL_TIMEOUT=30 CONFIG_GRKERNSEC_PROC=y # CONFIG_GRKERNSEC_PROC_USER is not set CONFIG_GRKERNSEC_PROC_USERGROUP=y CONFIG_GRKERNSEC_PROC_ADD=y CONFIG_GRKERNSEC_LINK=y CONFIG_GRKERNSEC_SYMLINKOWN=y CONFIG_GRKERNSEC_FIFO=y CONFIG_GRKERNSEC_SYSFS_RESTRICT=y # CONFIG_GRKERNSEC_ROFS is not set CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y CONFIG_GRKERNSEC_CHROOT=y CONFIG_GRKERNSEC_CHROOT_MOUNT=y CONFIG_GRKERNSEC_CHROOT_DOUBLE=y CONFIG_GRKERNSEC_CHROOT_PIVOT=y CONFIG_GRKERNSEC_CHROOT_CHDIR=y CONFIG_GRKERNSEC_CHROOT_CHMOD=y CONFIG_GRKERNSEC_CHROOT_FCHDIR=y CONFIG_GRKERNSEC_CHROOT_MKNOD=y CONFIG_GRKERNSEC_CHROOT_SHMAT=y CONFIG_GRKERNSEC_CHROOT_UNIX=y CONFIG_GRKERNSEC_CHROOT_FINDTASK=y CONFIG_GRKERNSEC_CHROOT_NICE=y CONFIG_GRKERNSEC_CHROOT_SYSCTL=y CONFIG_GRKERNSEC_CHROOT_RENAME=y CONFIG_GRKERNSEC_CHROOT_CAPS=y # CONFIG_GRKERNSEC_AUDIT_GROUP is not set # CONFIG_GRKERNSEC_EXECLOG is not set CONFIG_GRKERNSEC_RESLOG=y # CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set # CONFIG_GRKERNSEC_AUDIT_PTRACE is not set # CONFIG_GRKERNSEC_AUDIT_CHDIR is not set # 
CONFIG_GRKERNSEC_AUDIT_MOUNT is not set CONFIG_GRKERNSEC_SIGNAL=y # CONFIG_GRKERNSEC_FORKFAIL is not set CONFIG_GRKERNSEC_TIME=y CONFIG_GRKERNSEC_PROC_IPADDR=y CONFIG_GRKERNSEC_RWXMAP_LOG=y CONFIG_GRKERNSEC_DMESG=y CONFIG_GRKERNSEC_HARDEN_PTRACE=y CONFIG_GRKERNSEC_PTRACE_READEXEC=y CONFIG_GRKERNSEC_SETXID=y CONFIG_GRKERNSEC_HARDEN_IPC=y CONFIG_GRKERNSEC_TPE=y # CONFIG_GRKERNSEC_TPE_ALL is not set # CONFIG_GRKERNSEC_TPE_INVERT is not set CONFIG_GRKERNSEC_TPE_GID=100 CONFIG_GRKERNSEC_BLACKHOLE=y CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y # CONFIG_GRKERNSEC_SOCKET is not set CONFIG_GRKERNSEC_DENYUSB=y # CONFIG_GRKERNSEC_DENYUSB_FORCE is not set CONFIG_GRKERNSEC_SYSCTL=y # CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set CONFIG_GRKERNSEC_SYSCTL_ON=y CONFIG_GRKERNSEC_FLOODTIME=10 CONFIG_GRKERNSEC_FLOODBURST=6
CONFIG_PAX_KERNEXEC_PLUGIN=y CONFIG_PAX_PER_CPU_PGD=y CONFIG_PAX_USERCOPY_SLABS=y CONFIG_PAX=y # CONFIG_PAX_SOFTMODE is not set CONFIG_PAX_PT_PAX_FLAGS=y CONFIG_PAX_XATTR_PAX_FLAGS=y # CONFIG_PAX_NO_ACL_FLAGS is not set CONFIG_PAX_HAVE_ACL_FLAGS=y # CONFIG_PAX_HOOK_ACL_FLAGS is not set CONFIG_PAX_NOEXEC=y CONFIG_PAX_PAGEEXEC=y CONFIG_PAX_EMUTRAMP=y CONFIG_PAX_MPROTECT=y # CONFIG_PAX_MPROTECT_COMPAT is not set # CONFIG_PAX_ELFRELOCS is not set CONFIG_PAX_KERNEXEC=y CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y # CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR is not set CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="bts" CONFIG_PAX_ASLR=y CONFIG_PAX_RANDKSTACK=y CONFIG_PAX_RANDUSTACK=y CONFIG_PAX_RANDMMAP=y CONFIG_PAX_MEMORY_SANITIZE=y CONFIG_PAX_MEMORY_STACKLEAK=y CONFIG_PAX_MEMORY_STRUCTLEAK=y CONFIG_PAX_MEMORY_UDEREF=y CONFIG_PAX_REFCOUNT=y CONFIG_PAX_CONSTIFY_PLUGIN=y CONFIG_PAX_USERCOPY=y # CONFIG_PAX_USERCOPY_DEBUG is not set CONFIG_PAX_SIZE_OVERFLOW=y CONFIG_PAX_LATENT_ENTROPY=y
  Vanilla Kernel ASLR:                    Full
  GCC stack protector support:            Disabled
  Restrict /dev/mem access:               Enabled
  Restrict /dev/kmem access:              Enabled

* Selinux:                                No SELinux

  SELinux infomation available here: 
    http://selinuxproject.org/

* grsecurity / PaX:                       Auto GRKERNSEC

  Non-executable kernel pages:            Enabled
  Non-executable pages:                   Enabled
  Paging Based Non-executable pages:      Enabled
  Restrict MPROTECT:                      Enabled
  Address Space Layout Randomization:     Enabled
  Randomize Kernel Stack:                 Enabled
  Randomize User Stack:                   Enabled
  Randomize MMAP Stack:                   Enabled
  Sanitize freed memory:                  Enabled
  Sanitize Kernel Stack:                  Enabled
  Prevent userspace pointer deref:        Enabled
  Prevent kobject refcount overflow:      Enabled
  Bounds check heap object copies:        Enabled
  JIT Hardening:                          No BPF JIT
  Thread Stack Random Gaps:               Enabled
  Disable writing to kmem/mem/port:       Enabled
  Disable privileged I/O:                 Enabled
  Harden module auto-loading:             No module support
  Chroot Protection:                      Enabled
  Deter ptrace process snooping:          Enabled
  Larger Entropy Pools:                   Disabled
  TCP/UDP Blackhole:                      Enabled
  Deter Exploit Bruteforcing:             Enabled
  Hide kernel symbols:                    Enabled

@slimm609
Owner

I have a feeling that it is the CONFIG_GRKERNSEC_PROC restrictions on your system. There is no easy way to check, and without being able to reproduce the error it is really hard.

@asarubbo
Author

No, I don't think so. On another system where CONFIG_GRKERNSEC_PROC is present, it works.

It does not work only here, and the odd thing is that it is a freshly installed system, set up the same way as the others.

@slimm609
Owner

I would love to troubleshoot some more but have been unsuccessful in recreating the issue. If you can figure out steps to reproduce this I can look into it more.

@asarubbo
Author

To reproduce the problem you should install Gentoo using the latest hardened stage3. I was able to reproduce the problem this morning in a virtual machine.

@asarubbo
Author

I finally had the time to investigate the problem by myself. The cause is:

binhost ~ # LC_ALL="C" sh checksec --proc-all
* System-wide ASLR: PaX ASLR enabled

* Does the CPU support NX: Yes

         COMMAND    PID RELRO           STACK CANARY      NX/PaX        PIE                     FORTIFY
            init      1 Full RELRO      Canary found      PaX enabled   PIE enabled             Yes
           acpid   1367 Full RELRO      Canary found      PaX enabled   PIE enabled             Yes
            sshd   1550 Full RELRO      Canary found      PaX enabled   PIE enabled             Yes
        tlsdated   1570 Full RELRO      Canary found      PaX enabled   PIE enabled             Yes
          agetty   1594 Full RELRO      Canary found      PaX enabled   PIE enabled             Yes
          agetty   1595 Full RELRO      Canary found      PaX enabled   PIE enabled             Yes
          agetty   1596 Full RELRO      Canary found      PaX enabled   PIE enabled             Yes
          agetty   1597 Full RELRO      Canary found      PaX enabled   PIE enabled             Yes
          agetty   1598 Full RELRO      Canary found      PaX enabled   PIE enabled             Yes
          agetty   1599 Full RELRO      Canary found      PaX enabled   PIE enabled             Yes
 tlsdated-setter   1607 Full RELRO      Canary found      PaX enabled   PIE enabled             Yes
            sshd   1675 Full RELRO      Canary found      PaX enabled   PIE enabled             Yes
            bash   1677 Full RELRO      Canary found      PaX enabled   PIE enabled             Yes
   systemd-udevd    863 Full RELRO      Canary found      PaX enabled   PIE enabled             Yes
binhost ~ # sh checksec --proc-all
* System-wide ASLR: PaX ASLR enabled

* Does the CPU support NX: Yes

         COMMAND    PID RELRO           STACK CANARY      NX/PaX        PIE                     FORTIFY
            init      1 Permission denied (please run as root)

This happens because of this line:

  if $readelf -s $1/exe 2>/dev/null | grep -q 'Symbol table'; then
binhost ~ # LC_ALL="C" readelf -s /usr/sbin/sshd  | grep "Symbol"
Symbol table '.dynsym' contains 367 entries:

Without LC_ALL="C" you have:

binhost ~ # readelf -s /usr/sbin/sshd  | grep "tab"
La tabella dei simboli ".dynsym" contiene 367 voci:
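The root cause identified above is a grep over the human-readable, gettext-localized output of readelf. As an added illustration, not code from checksec or from anyone in this thread, here is a small Python parser that takes the locale out of the picture by reading the ELF64 section header table directly and reporting every SYMTAB/DYNSYM section. `build_sample_elf` constructs a minimal in-memory ELF (no code, not a real binary) with a 367-entry .dynsym so the example runs offline; that count mirrors the sshd figure quoted above but is an assumption of the sample, not a measurement of any real file. Only ELF64 little-endian is handled, which is what the x86_64 binaries in the thread are.

```python
"""Locale-independent ELF symbol-table check (example, not part of checksec).

checksec decides whether a binary has symbols by grepping `readelf -s`
output for 'Symbol table'. readelf translates that string (the thread
shows the Italian "La tabella dei simboli"), so the grep fails under a
non-English locale. Reading the section header table directly has no
locale to go wrong.
"""
import struct
import sys

SHT_SYMTAB = 2
SHT_STRTAB = 3
SHT_DYNSYM = 11
# Elf64_Shdr: name, type, flags, addr, offset, size, link, info, addralign, entsize
SHDR_FMT = "<IIQQQQIIQQ"
ELF64_SYM_SIZE = 24


def elf_symbol_tables(data):
    """Return [(section_name, entry_count), ...] for every SYMTAB/DYNSYM section.

    Raises ValueError for non-ELF input (the case checksec reports as
    'Not an ELF file'). Only ELF64 little-endian is handled here.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example only handles ELF64 little-endian")
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    if e_shnum == 0:
        return []  # section header table removed: nothing to report
    shdrs = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    strtab_off = shdrs[e_shstrndx][4]  # sh_offset of .shstrtab
    found = []
    for sh_name, sh_type, _, _, _, sh_size, _, _, _, sh_entsize in shdrs:
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        start = strtab_off + sh_name
        name = data[start:data.index(b"\0", start)].decode("ascii", "replace")
        found.append((name, sh_size // sh_entsize if sh_entsize else 0))
    return found


def describe(data):
    """Render the line readelf prints in the C locale, whatever LANG is set to."""
    return ["Symbol table '%s' contains %d entries:" % (name, n)
            for name, n in elf_symbol_tables(data)]


def has_symbol_table(data):
    """The boolean checksec's grep is really after."""
    return bool(elf_symbol_tables(data))


def build_sample_elf(dynsym_entries=367):
    """Constructed minimal ELF64 for offline testing; not a real binary.

    Sections: [0] null, then .dynsym holding `dynsym_entries` blank symbols
    (omitted when None), then .shstrtab. No code, no program headers.
    """
    shstrtab = b"\0.dynsym\0.shstrtab\0"  # name offsets: .dynsym=1, .shstrtab=9
    sections = []
    if dynsym_entries is not None:
        sections.append((1, SHT_DYNSYM,
                         b"\0" * (ELF64_SYM_SIZE * dynsym_entries), ELF64_SYM_SIZE))
    sections.append((9, SHT_STRTAB, shstrtab, 0))
    body = b""
    shdrs = [struct.pack(SHDR_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)]
    for name_off, sh_type, payload, entsize in sections:
        shdrs.append(struct.pack(SHDR_FMT, name_off, sh_type, 0, 0,
                                 64 + len(body), len(payload), 0, 0, 1, entsize))
        body += payload
    body += b"\0" * (-(64 + len(body)) % 8)  # 8-align the section header table
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, LSB, version 1
    # e_type=ET_DYN, e_machine=EM_X86_64, e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, 64 + len(body),
                        0, 64, 56, 0, 64, len(shdrs), len(shdrs) - 1)
    return ehdr + body + b"".join(shdrs)


if __name__ == "__main__":
    # Usage: python elfsyms.py /usr/sbin/sshd /proc/1/exe ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            for line in describe(f.read()):
                print(path + ": " + line)
```

Prefixing the readelf call with `LC_ALL=C`, as the fix in this thread does, is the smallest change for a shell script and also covers the other readelf and file output the script greps. Parsing the structure instead means the check cannot break on the next translated or reworded message, and it is the approach to take when a checker is rewritten in a real language; run it as root against `/proc/<pid>/exe` to see the C-locale line for a live process.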

@slimm609
Owner

Please test the latest update and see if it resolves the issue without having to set LC_ALL before running the script.

@asarubbo
Author

Obviously. Yes.
