Permission denied while running checksec #13
Comments
What distro are you running? |
Gentoo. |
Can you do an update and try again (either git pull or ./checksec --update)? |
Same result. |
What's the output of "id"? |
Please run "./checksec --update" then. |
|
Are you running the grsecurity kernel with a policy enabled? On Mon, Sep 14, 2015 at 6:34 PM, Agostino Sarubbo notifications@github.com
|
The first test was without grsecurity. The last test was with grsecurity. |
Can you please try again? I added some additional debug stuff. I have tried to set up a Gentoo box and recreate it, but on the Gentoo test box it still runs without error. |
|
Let's try something else to see if permission is denied by init or by readelf. Try a ./checksec --proc sshd and see if that gives the permission denied error. |
Please put the output of both of these and make sure you can see stuff in /proc:
readelf -l "/proc/$(ps -Ao pid,comm | grep ssh | cut -b1-6 | head -1| tr -d '[[:space:]]')/exe"
readelf -l "/proc/$(ps -Ao pid,comm | grep init | cut -b1-6 | head -1| tr -d '[[:space:]]')/exe"
Also the output of ./checksec --kernel |
On --proc sshd, I get permission denied as well.
|
Also the output of ./checksec --kernel |
readelf can read the processes just fine. That's really odd, 'cause that's exactly what the script is doing at the point where it is throwing permission denied. Is this a physical or virtual machine? |
I need to investigate why gcc stack protection is reported as disabled, because it is enabled by default:
|
That's a physical machine. |
If it can help, after commenting out the exit 1 after the permission denied message, I get:
And, for example, it works this way:
So in both cases the files are not recognized as ELF. |
Update and run ./checksec -d --kernel. I believe it's a kernel setting, but I just want to confirm. |
|
I have a feeling that it is the CONFIG_GRKERNSEC_PROC restrictions on your system. There is no easy way to check, and without being able to reproduce the error it makes it really hard. |
No, I don't think so. On another system where CONFIG_GRKERNSEC_PROC is present, it works. It does not work just here, and the odd thing is that it is a freshly installed system, set up the same way as the others. |
I would love to troubleshoot some more but have been unsuccessful in recreating the issue. If you can figure out steps to reproduce this I can look into it more. |
To reproduce the problem you should install Gentoo using the latest hardened stage3. I was able to reproduce the problem this morning in a virtual machine. |
I finally had the time to investigate the problem myself, which is:
This happens because of this line:
Without LC_ALL="C" you have:
|
Please test the latest update and see if it resolves the issue without having to do LC_ALL before the script. |
Obviously. Yes. |
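The thread ends on a locale dependency (the script works with LC_ALL="C") and on a "Permission denied" message shown for files that readelf could read. The following is an added example, not checksec's code and not from any participant: the function names with_c_locale, is_elf and classify are hypothetical, and it shows one locale-independent way to make the ELF check in shell while keeping "unreadable" and "not ELF" as separate outcomes.

```shell
#!/bin/sh
# Added example; not checksec's code. All function names are hypothetical.

# Run a command with a fixed C locale, so any text it prints (labels,
# headers, error messages) is the untranslated form a pattern expects.
with_c_locale() {
  LC_ALL=C LANG=C "$@"
}

# Decide whether a file is ELF from its first four bytes (0x7f 'E' 'L' 'F')
# instead of matching words in another tool's output.
# Returns 0 = ELF, 1 = readable but not ELF, 2 = unreadable.
is_elf() {
  [ -r "$1" ] || return 2
  magic=$(with_c_locale od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
  [ "$magic" = "7f454c46" ]
}

# Report the three outcomes separately, so a failed format check is never
# presented to the user as a permission problem.
classify() {
  rc=0
  is_elf "$1" || rc=$?
  case $rc in
    0) echo "elf" ;;
    1) echo "not-elf" ;;
    *) echo "unreadable" ;;
  esac
}

# Usage on a live process image, as the script in the thread inspects.
if [ -e /proc/self/exe ]; then
  classify /proc/self/exe
fi
```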