Resolving grsec + grub update problems – How to for Debian Squeeze
This is just a short post on how to prevent update-grub2 from being killed when using a grsec kernel.
If you are like me and insist on using a grsec-enabled kernel (with high security mode enabled) for your servers, here is what you might see when running update-grub2:
root@host:/usr/src# update-grub2
Killed
Examining /var/log/syslog we see this:
May 7 14:10:10 host kernel: [ 926.192544] PAX: bytes at SP-4: b45d9134 0804a43b 0c0996c0 00000010 00000018 00000002 08075320 b45d8eac b45d8e88 0804dcb4 b45d8eac 00000000 00000000 000007f8 b45d8ec0 00000000 b45d8ec8 0804d9d8 b45d8eac 00000000 00000000
May 7 14:10:10 host kernel: [ 926.194445] grsec: From xxx.xxx.xxx.xxx: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/sbin/grub-probe[grub-probe:1307] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/grub-mkconfig[grub-mkconfig:1283] uid/euid:0/0 gid/egid:0/0
The grub-probe program is being killed by grsec.
To resolve this, install paxctl. Run:
aptitude install paxctl
Ensure that it is installed. Run:
root@host:/usr/src# whereis paxctl
The output should be similar to:
paxctl: /sbin/paxctl /usr/share/man/man1/paxctl.1.gz
Next, run the paxctl program on the following files. paxctl allows the PaX flags to be modified on a per-binary basis.
Run:
paxctl -Cpemrxs /usr/sbin/grub-probe
paxctl -Cpemrxs /usr/sbin/grub-mkdevicemap
paxctl -Cpemrxs /usr/sbin/grub-setup
The output will be similar to:
root@host:/usr/src# paxctl -Cpemrxs /usr/sbin/grub-probe
file /usr/sbin/grub-probe got a new PT_PAX_FLAGS program header
root@host:/usr/src# paxctl -Cpemrxs /usr/sbin/grub-mkdevicemap
file /usr/sbin/grub-mkdevicemap got a new PT_PAX_FLAGS program header
root@host:/usr/src# paxctl -Cpemrxs /usr/sbin/grub-setup
file /usr/sbin/grub-setup got a new PT_PAX_FLAGS program header
The commands above remove PaX protection for these three binaries only; PaX stays in force for everything else on the system.
Now run update-grub2 again:
root@host:/usr/src# update-grub2
Generating grub.cfg …
Found linux image: /boot/vmlinuz-3.2.16-grsec-michael-david-debian6-i386-guest-grsec
Found initrd image: /boot/initrd.img-3.2.16-grsec-michael-david-debian6-i386-guest-grsec
Found linux image: /boot/vmlinuz-2.6.32-5-686
Found initrd image: /boot/initrd.img-2.6.32-5-686
Voila! Problem solved.
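To see what paxctl recorded in a binary, the PT_PAX_FLAGS program header can be read back from the ELF file. The script below is an added example, not part of the original post; the function names and the constructed sample ELF are assumptions made for illustration. Pass it file paths to audit real binaries.

```python
import struct
import sys

PT_PAX_FLAGS = 0x65041580  # PT_LOOS + 0x5041580: the header type paxctl -C creates
# p_flags bits from the PaX elf.h definitions: (feature, "enable" bit, "disable" bit)
PAX_BITS = [("PAGEEXEC", 1 << 4, 1 << 5), ("SEGMEXEC", 1 << 6, 1 << 7),
            ("MPROTECT", 1 << 8, 1 << 9), ("RANDEXEC", 1 << 10, 1 << 11),
            ("EMUTRAMP", 1 << 12, 1 << 13), ("RANDMMAP", 1 << 14, 1 << 15)]

def pax_flags(elf):
    """Map each PaX feature to enabled/disabled/default; None if no PT_PAX_FLAGS."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end = elf[4] == 2, "<" if elf[5] == 1 else ">"
    # e_phoff, e_phentsize and e_phnum sit at different offsets in ELF32/ELF64
    phoff, = struct.unpack_from(end + ("Q" if is64 else "I"), elf, 0x20 if is64 else 0x1C)
    entsize, num = struct.unpack_from(end + "HH", elf, 0x36 if is64 else 0x2A)
    for i in range(num):
        off = phoff + i * entsize
        p_type, = struct.unpack_from(end + "I", elf, off)
        if p_type == PT_PAX_FLAGS:
            # p_flags is at offset 4 in Elf64_Phdr and 24 in Elf32_Phdr
            flags, = struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))
            return {n: "enabled" if flags & on else "disabled" if flags & no
                    else "default" for n, on, no in PAX_BITS}
    return None

def constructed_elf32(p_flags):
    """Constructed sample: minimal i386 ELF header plus one PT_PAX_FLAGS entry."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    return ehdr + struct.pack("<8I", PT_PAX_FLAGS, 0, 0, 0, 0, 0, p_flags, 4)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, pax_flags(fh.read()))
    else:
        # 0xAAA0 sets all six "disable" bits, the state -pemrxs asks for
        print(pax_flags(constructed_elf32(0xAAA0)))
```

The flags live inside the binary itself, so a package upgrade that replaces grub-probe, grub-mkdevicemap or grub-setup discards them and the paxctl commands have to be run again.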
–Written by Michael R. M. David