
#1 2014-06-26 17:28:24

Divinorum
Member
Registered: 2011-08-16
Posts: 44

Grsecurity management on untrusted exec and trusted groups

I had all my applications functioning well with a grsecurity/PaX hardened kernel until several days ago when I reset my pax flags. I restored the pax flags for the binaries but one frequently used application is experiencing problems.

When I launch mplayer I receive the following output in dmesg:

[Thu Jun 26 18:28:16 2014] grsec: denied untrusted exec (due to not being in trusted group and file in non-root-owned directory) of / by /usr/bin/mplayer[mplayer:25106] uid/euid:1000/1000 gid/egid:100/100, parent /usr/bin/bash[sh:25105] uid/euid:1000/1000 gid/egid:100/100

Here are the pax flags for mplayer:

- PaX flags: -p---m-x-e-r [/usr/bin/mplayer]
	PAGEEXEC is disabled
	MPROTECT is disabled
	RANDEXEC is disabled
	EMUTRAMP is disabled
	RANDMMAP is disabled

Here are the lines of the kernel config pertaining to TPE:

CONFIG_GRKERNSEC_TPE_TRUSTED_GID=9999
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_TPE_GID=9999

Does this mean I need to add my user to the tpe-trusted group in order to run mplayer? If so, why aren't other programs experiencing the same problem and would adding the user to the tpe-trusted group compromise system security due to privilege escalation? Thanks for the support.

Offline

#2 2014-06-26 21:14:38

fungle
Member
Registered: 2014-05-01
Posts: 81

Re: Grsecurity management on untrusted exec and trusted groups

Did you change the ownership of /usr/bin/?

Offline

#3 2014-06-27 00:29:12

Divinorum
Member
Registered: 2011-08-16
Posts: 44

Re: Grsecurity management on untrusted exec and trusted groups

No, the ownership belongs to root.

Offline

#4 2014-07-27 22:28:37

thestinger
Package Maintainer (PM)
From: Toronto, Canada
Registered: 2010-01-23
Posts: 478

Re: Grsecurity management on untrusted exec and trusted groups

The error is reporting that the permissions on your / directory are not root:root and 755 as they should be.

Offline
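A way to find which directory trips the check discussed in this thread, as an added example that is not part of the original posts or of grsecurity itself. It assumes a directory counts as trusted when it is owned by uid 0 and not writable by group or others (for example root:root 755), and it uses GNU `stat -c`; the function names `tpe_dir_verdict` and `tpe_walk` are hypothetical. Walking every ancestor up to / is a diagnostic choice here, not a claim about what the kernel inspects.

```shell
#!/bin/sh
# Added example: audit directory ownership and mode along a binary's path.
# Assumed trust rule: owner uid 0, no group-write bit, no other-write bit.

# tpe_dir_verdict UID OCTAL_MODE
# Prints a reason and returns 0 when the directory passes the assumed rule.
tpe_dir_verdict() {
    uid=$1 mode=$2
    if [ "$uid" -ne 0 ]; then
        echo "non-root-owned"; return 1
    fi
    perm=$(( 0$mode ))            # leading 0 makes the shell parse it as octal
    if [ $(( perm & 0020 )) -ne 0 ]; then
        echo "group-writable"; return 1
    fi
    if [ $(( perm & 0002 )) -ne 0 ]; then
        echo "world-writable"; return 1
    fi
    echo "ok"; return 0
}

# tpe_walk /absolute/path/to/binary
# Checks the parent directory and every ancestor up to /.
# Returns 1 if any directory fails the assumed rule.
tpe_walk() {
    dir=$(dirname -- "$1")
    rc=0
    while :; do
        # GNU stat: %u = numeric owner, %a = octal permission bits
        set -- $(stat -c '%u %a' -- "$dir")
        verdict=$(tpe_dir_verdict "$1" "$2") || rc=1
        printf '%-24s uid=%-6s mode=%-5s %s\n' "$dir" "$1" "$2" "$verdict"
        case $dir in
            /|.) break ;;         # reached the root (or a relative path)
        esac
        dir=$(dirname -- "$dir")
    done
    return $rc
}

# Run only when a path is given, e.g.: sh tpe-audit.sh /usr/bin/mplayer
if [ $# -gt 0 ]; then
    tpe_walk "$1"
fi
```

Any line not ending in `ok` names a directory to inspect with `ls -ld`.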
