Letsencrypt and asl

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

Post by biggles

Trying out letsencrypt. The letsencrypt binaries seem to trigger "Denied a RWX mmap event." The same thing happens when running it from a command line installation.

serverXX kernel: grsec: From xxx.yyy.zzz.xxx: denied RWX mmap of <anonymous mapping> by /usr/local/psa/var/modules/letsencrypt/venv.SCBBK/bin/letsencrypt[letsencrypt:22626] uid/euid:501/501 gid/egid:0/0, parent /usr/bin/sw-engine[sw-engine:22620] uid/euid:501/501 gid/egid:0/0

Anyone found a way around it? Tried the execstack -c command without success.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Letsencrypt and asl

Post by mikeshinn

If removing the execstack flag still gives you this alert when the application runs, then that means the application needs to punch that hole in your system to run. This alert means that app is trying to create a writeable and executable memory mapping, which makes it possible for a bad guy to inject new executable code into the task's address space. It's pretty rare to see anything try to do that anymore, and extremely rare for anything to actually need to do that. But if this vendor can't write it in a more secure manner, you'll have to let it do that. It doesn't make much sense to me why it would need to do that given what this app does. See solution 3 in this article if you trust the application has no vulnerabilities and want to let them do that (again, this opens a hole in your system, so doing this shouldn't be done lightly, and let them know this is a concern you have):

https://www.atomicorp.com/wiki/index.ph ... olutions_2
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

Re: Letsencrypt and asl

Post by biggles

One of the problems is that I really don't understand which application should be granted execstack.

/usr/local/psa/var/modules/letsencrypt/venv.SCBBK/bin/letsencrypt is not an ELF.
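On the question in the last post: a launcher that is not an ELF but begins with a `#!` line is executed by the interpreter named on that line, so that interpreter is the ELF file whose headers matter. The following is an added example, not part of the thread and not Atomicorp or Let's Encrypt code (the function names are illustrative): it follows the `#!` chain to the ELF binary and reads its PT_GNU_STACK flags, the bit that `execstack -c` clears.

```python
import os, shutil, struct, sys

PT_GNU_STACK, PF_X = 0x6474E551, 0x1

def resolve_elf(path, max_hops=4):
    """Follow #! lines until reaching the ELF binary that really runs."""
    for _ in range(max_hops):
        with open(path, "rb") as f:
            head = f.read(256)
        if head[:4] == b"\x7fELF":
            return os.path.realpath(path)
        if not head.startswith(b"#!"):
            raise ValueError(f"{path}: neither ELF nor #! script")
        words = head[2:].split(b"\n", 1)[0].decode().split()
        if not words:
            raise ValueError(f"{path}: empty #! line")
        path = words[0]
        # "#!/usr/bin/env python": the interpreter is found via PATH
        if os.path.basename(path) == "env" and len(words) > 1:
            path = shutil.which(words[1]) or words[1]
    raise ValueError("too many interpreter hops")

def gnu_stack_flags(elf_path):
    """Return p_flags of PT_GNU_STACK, or None if there is no such header."""
    with open(elf_path, "rb") as f:
        data = f.read()
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little endian
    if data[4] == 2:                            # EI_CLASS: 2 = ELF64
        phoff, = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4
    else:                                       # ELF32
        phoff, = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24
    for i in range(phnum):
        base = phoff + i * phentsize
        if struct.unpack_from(end + "I", data, base)[0] == PT_GNU_STACK:
            return struct.unpack_from(end + "I", data, base + flags_off)[0]
    return None

def inspect_launcher(script):
    """Map a launcher script to its ELF and report the exec-stack flag."""
    elf = resolve_elf(script)
    flags = gnu_stack_flags(elf)
    return {"elf": elf, "exec_stack": None if flags is None else bool(flags & PF_X)}

if __name__ == "__main__":
    # Defaults to this interpreter's own path; pass a launcher script instead.
    print(inspect_launcher(sys.argv[1] if len(sys.argv) > 1 else sys.executable))
```

An `exec_stack` value of `False` or `None` means the stack flag is not what is being reported, which matches the case in the thread where the alert persists after `execstack -c`.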