Gentoo Forums
grsec denied RWX - plex
plice
Tux's lil' helper
Joined: 09 Nov 2009
Posts: 84
Location: Poland

Posted: Tue Mar 25, 2014 6:25 am    Post subject: grsec denied RWX - plex

Hi,

I've installed plex from overlay and tried to run it, but it crashes:
[1010112.246172] grsec: From xx.xxx.xx: denied RWX mprotect of <anonymous mapping> by /usr/lib/plexmediaserver/Plex Media Server[Plex Media Serv:5990] uid/euid:110/110 gid/egid:103/103, parent /usr/sbin/start_pms[start_pms:5989] uid/euid:110/110 gid/egid:103/103


How do I fix it?

Thank you.
Tractor Girl
Apprentice
Joined: 16 May 2013
Posts: 159

Posted: Tue Mar 25, 2014 11:39 am

Try to disable mprotect for the binary that causes the problem:
Code:
paxctl-ng -m /usr/bin/some_binary

This decreases protection, but with some poorly written programs there's no other choice.
SirRobin2318
Apprentice
Joined: 24 Apr 2004
Posts: 241
Location: Strasbourg, france.

Posted: Tue Mar 25, 2014 12:18 pm

I haven't used grsec in a looong while, so I'm genuinely asking the question: did you run gradm in learn mode and run plex?
I know gradm will generate the rbac rules for file access, curious to know if it would also detect that the program needs a stack with write & execute.
plice
Tux's lil' helper
Joined: 09 Nov 2009
Posts: 84
Location: Poland

Posted: Wed Mar 26, 2014 1:51 pm

Hi,

yes, I've tried the -m option and I did the 'learning' process. Still got issues. I think it's actually plex and not the pax :/
edit:
looks like plex doesn't have headers: "If you run grsecurity you're going to need to create new headers and except them otherwise you'll run into all sorts of library update issues." A few ppl managed to get around it.

Any help would be useful

thank you :)


Last edited by plice on Wed Mar 26, 2014 2:10 pm; edited 1 time in total
SirRobin2318

Joined: 24 Apr 2004
Posts: 241
Location: Strasbourg, france.

Posted: Wed Mar 26, 2014 2:01 pm

You could try to build a kernel without grsec to see if plex is the sole issue.
plice

Joined: 09 Nov 2009
Posts: 84
Location: Poland

Posted: Wed Mar 26, 2014 2:28 pm

got it.
It doesn't have headers, BUT paxctl -c /bin/path will create them :D
then paxctl -m /bin/path

I had to do it for all of the following files (maybe it will help somebody else):
in /usr/lib/plexmediaserver
Plex DLNA Server
Plex Media Scanner
Plex Media Server

and
/usr/lib/plexmediaserver/Resources
Plex New Transcoder
Plex Transcoder


Plex Installed versions: 0.9.9.7^m is up and running (well, at least the process starts up and the webui works, dunno if it all will work)

thnx guys

Edit:
had to do /usr/lib/plexmediaserver/Resources/Python/bin/python as well, otherwise it won't set libraries.

I've tested the server with a TV ... works like a charm :D
Hu
Moderator
Joined: 06 Mar 2007
Posts: 14071

Posted: Thu Mar 27, 2014 1:39 am

As Tractor Girl noted, this is a possibly intentional defect in Plex. Running a process with RWX mappings is never a good idea for security, so if possible, this should be changed not to require a RWX mapping.
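Added example, not part of the thread or any poster's code: a shell helper that reads text in /proc/<pid>/maps format and lists every mapping that is both writable and executable, the kind of RWX mapping the post above refers to. The sample input and the "/opt/example app" paths are constructed for illustration.

```shell
#!/bin/sh
# Input format, one mapping per line:
#   address perms offset dev inode [pathname]

# Print "address perms name" for each mapping with both w and x set.
wx_mappings() {
    awk '$2 ~ /w/ && $2 ~ /x/ {
        # Anonymous mappings have no pathname field; label them the
        # same way the grsec log line does.
        name = "<anonymous mapping>"
        if (NF >= 6) {
            # Pathnames may contain spaces, so rejoin fields 6..NF.
            name = $6
            for (i = 7; i <= NF; i++) name = name " " $i
        }
        print $1, $2, name
    }'
}

# Constructed sample input (not captured from a real process).
sample_maps() {
    cat <<'EOF'
00400000-0052c000 r-xp 00000000 08:03 1311 /opt/example app/server
0072b000-0072d000 rw-p 0012b000 08:03 1311 /opt/example app/server
7f2c1a000000-7f2c1a021000 rwxp 00000000 00:00 0
7f2c1b000000-7f2c1b002000 rwxp 00000000 08:03 1320 /opt/example app/libjit.so
7ffd4b1e0000-7ffd4b201000 rw-p 00000000 00:00 0 [stack]
EOF
}

# Scan every live process whose maps file is readable by the caller.
scan_all() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # A process may exit between the glob and the read; skip it.
        hits=$(wx_mappings 2>/dev/null < "$maps") || continue
        if [ -n "$hits" ]; then
            printf '== %s\n%s\n' "${maps%/maps}" "$hits"
        fi
    done
}

# Demonstration on the constructed sample.
sample_maps | wx_mappings
```

Call `scan_all` as root to cover processes owned by other users.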
Tractor Girl
Apprentice
Joined: 16 May 2013
Posts: 159

Posted: Thu Mar 27, 2014 2:26 am

Paxctl edits the ELF directly, so theoretically it can break a binary; using paxctl-ng is safer.
PaX_flag_migration_from_PT_PAX_to_XATTR_PAX