[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Grsecurity and ssh

Arnaud Fontaine wrote:

> Now i would like to use the GNU/Linux kernel with grsecurity patch. I
> have compiled and installed this kernel but when i want to log into the
> system via ssh (the service start also), i have the following error due
> to grsecurity:
> "grsec: denied attempt to double chroot to /[...] by (sshd:14334) UID(0)
> EUID(0), parent (sshd:20587) UID(0) EUID(0)"

The privilege separation code invokes chroot(), too.

Is there a "do not create any new file descriptors" process attribute in
grsecurity?  If there is, OpenSSH should toggle instead of calling
chroot() to an empty directory, which is a poor replacement.

Reply to: