Page 2 of 4

Re: ASL Kernel (grsec) breaks Plesk Licence Key Update

Posted: Thu Sep 30, 2010 1:24 pm
by mikeshinn
What does Parallels say about that error with their product?

Re: ASL Kernel (grsec) breaks Plesk Licence Key Update

Posted: Fri Oct 01, 2010 1:42 am
by webfeatus

Re: ASL Kernel (grsec) breaks Plesk Licence Key Update

Posted: Fri Oct 01, 2010 12:55 pm
by mikeshinn
Sounds like a Parallels issue then.

Re: ASL Kernel (grsec) breaks Plesk Licence Key Update

Posted: Sun Oct 24, 2010 6:07 am
by webfeatus
This (again) after paying Parallels to investigate.
This time, I paid; last time Server Admin paid.
Same result BOTH times!!!

In /var/log/messages the following appears:

Oct 24 11:46:44 loft2234 kernel: grsec: From 91.204.24.253: denied untrusted exec of /etc/sw/keys/restart/plesk-key-handler by /usr/bin/sw-engine-cgi[sw-engine-cgi:25659] uid/euid:2523/2523 gid/egid:2526/2526, parent /usr/bin/sw-engine-cgi[sw-engine-cgi:25485] uid/euid:2523/2523 gid/egid:2526/2526

Note the grsec and what it prevents from being executed. So the solution for you should be to either disable grsecurity and then try to apply the license or to reconfigure grsec to allow execution of plesk's scripts. The former option is obviously the simpler one, but the choice of course is up to you.

All options at: https://www.atomicorp.com/wiki/index.ph ... pplication have failed - see above (this ticket) and support desk ticket which relates to this issue.

This issue has gone on for 2 months.
Do I REALLY have to make a choice between Dr. Web A/V OR ASL?
TWO MONTHS!!! - what do I do?

Re: ASL Kernel (grsec) breaks Plesk Licence Key Update

Posted: Sun Oct 24, 2010 4:38 pm
by mikeshinn
Since you do not seem to be able to configure their application to run in any kind of secure manner, you'll just need to configure your system to run in an insecure mode. This is very simple to do, and is explained in the article you referenced: https://www.atomicorp.com/wiki/index.ph ... pplication. You just need to disable Trusted Path Execution. Your system will then trust anything that's uploaded and run on it, like a regular insecure Linux kernel will.

Option 4: Turn off all TPE protections (not recommended and very insecure)

This option completely disables the TPE system and makes it possible for any user to upload anything and run it on the system. Although ASL does have real time malware detection and protection this system is not 100% foolproof and disabling TPE is extremely insecure and will make it possible for an attacker to upload malicious code to your system that even ASL may not be able to detect and then run it.

To disable TPE you will need to change this proc setting:

/proc/sys/kernel/grsecurity/tpe

To "0"

echo 0 > /proc/sys/kernel/grsecurity/tpe

This also must be done on boot as with option 3.

If you are unsure of how to do any of these custom things on your system please contact us. Our professional services team would be happy to help you configure your custom applications for your system.

And as previously explained, you need to create an init script to do this. One recommended script, if your system is configured to start at run level 3, is to create a script with this name:

/etc/init.d/asl-custom

And add this content:

#!/bin/bash
echo 0 > /proc/sys/kernel/grsecurity/tpe

Set it to be executable

chmod u+x /etc/init.d/asl-custom

And link it on your system (if you start at run level 3)

ln -s /etc/init.d/asl-custom /etc/rc3.d/S98asl-custom

Then reboot. If you still get the untrusted error, you did not set up the script correctly, it's not executable, or you are not starting at run level 3. If you aren't sure what run level you are at, you can check with this command:

grep :initdefault /etc/inittab

You will see a line like this:

id:3:initdefault:

The second variable is the run level, in this case 3. If you see "5" you have your system configured to start the XWindows, and you would need to link the init script according to your run level (in that case 5):

ln -s /etc/init.d/asl-custom /etc/rc5.d/S98asl-custom
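As an added example (not code from this thread, from Atomicorp's wiki, or from Plesk), the following POSIX shell script does the two checks a practitioner wants before and after following the steps above: it reads the TPE switch that option 4 flips, and it parses grsec denial lines of the kind quoted in this thread so you can see which binary was blocked, by which process, and under which uid. The sample log embedded in it is a constructed copy of the two denials quoted in the thread plus one unrelated sshd line; the `TPE_PROC` override and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Atomicorp's wiki. It reads the
# TPE switch that "option 4" flips and classifies grsec denial lines from
# /var/log/messages, so you can confirm whether the ASL kernel is actually
# blocking a program before turning protections off.

# The sysctl behind "echo 0 > /proc/sys/kernel/grsecurity/tpe". Overridable
# through the environment so the functions can be exercised on a host
# without a grsecurity kernel (an assumption of this example only).
TPE_PROC="${TPE_PROC:-/proc/sys/kernel/grsecurity/tpe}"

# Report the TPE switch: "enabled", "disabled" or "absent" (no grsec kernel,
# or the file is not readable). Returns 1 when absent.
tpe_state() {
    if [ ! -r "$TPE_PROC" ]; then
        echo absent
        return 1
    fi
    case "$(cat "$TPE_PROC")" in
        0) echo disabled ;;
        *) echo enabled ;;
    esac
}

# Classify one syslog line. Prints "<kind> <object> <actor> <uid>" where
# kind is "exec" (TPE refused an untrusted binary) or "modload" (grsec
# refused an automatic module load); prints "other" with status 1 otherwise.
classify_grsec_line() {
    line=$1
    case "$line" in
        *"kernel: grsec: "*"denied untrusted exec of "*)
            kind=exec
            obj=${line#*"denied untrusted exec of "} ;;
        *"kernel: grsec: "*"denied kernel module auto-load of "*)
            kind=modload
            obj=${line#*"denied kernel module auto-load of "} ;;
        *)
            echo other
            return 1 ;;
    esac
    obj=${obj%%" by "*}            # path or module alias that was denied
    actor=${line#*" by "}          # "/usr/bin/foo[foo:1234] uid/euid:..."
    actor=${actor%%\[*}            # keep only the binary path
    uid=${line#*"uid/euid:"}
    uid=${uid%%/*}                 # real uid of the denied process
    echo "$kind $obj $actor $uid"
}

# Walk a log file and count denials per (kind, object, actor, uid). A program
# that still fails while nothing shows up here is not being stopped by grsec.
summarise_grsec() {
    grep 'kernel: grsec: ' "$1" | while IFS= read -r l; do
        classify_grsec_line "$l" || true
    done | sort | uniq -c
}

# Constructed sample log: the two denials quoted in the thread plus one
# unrelated line, so the script runs offline (sh grsec-check.sh).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Oct 24 11:46:44 loft2234 kernel: grsec: From 91.204.24.253: denied untrusted exec of /etc/sw/keys/restart/plesk-key-handler by /usr/bin/sw-engine-cgi[sw-engine-cgi:25659] uid/euid:2523/2523 gid/egid:2526/2526, parent /usr/bin/sw-engine-cgi[sw-engine-cgi:25485] uid/euid:2523/2523 gid/egid:2526/2526
Oct 25 00:00:04 loft2234 kernel: grsec: denied kernel module auto-load of net-pf-10 by /usr/sbin/httpd[httpd:26479] uid/euid:48/48 gid/egid:48/48, parent /usr/sbin/httpd[httpd:13969] uid/euid:0/0 gid/egid:0/0
Oct 25 00:00:05 loft2234 sshd[1234]: Accepted publickey for root from 192.0.2.10 port 5555 ssh2
EOF

echo "TPE switch: $(tpe_state)"
summarise_grsec "$SAMPLE_LOG"
rm -f "$SAMPLE_LOG"
```

Run it against the real log with `summarise_grsec /var/log/messages` after a failed licence update: an `exec` line naming the Plesk handler means TPE is still on (and `tpe_state` should then print `enabled`); no grsec line at all means the kernel is not involved, which is the test mikeshinn applies later in this thread. The `modload` line for `net-pf-10` is httpd asking the kernel to auto-load the protocol family 10 (IPv6) module, which grsec refuses; it is a protection message, not a fault in httpd.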

Re: ASL Kernel (grsec) breaks Plesk Licence Key Update

Posted: Sun Oct 24, 2010 8:08 pm
by webfeatus
The above steps are difficult, complicated and last time I initiated them - they did not solve the problem.
I offer you the opportunity to access my system and initiate the above, thereby allowing you to assess the efficiency of the solution.

I think I would prefer to uninstall the ASL Kernel.

Uninstalling the kernel should also deal with these warnings, yes?

Oct 25 00:00:04 loft2234 kernel: grsec: denied kernel module auto-load of net-pf-10 by /usr/sbin/httpd[httpd:26479] uid/euid:48/48 gid/egid:48/48, parent /usr/sbin/httpd[httpd:13969] uid/euid:0/0 gid/egid:0/0

Removing GRSEC should solve my Dr. Web License update problem, correct?
How do I uninstall the ASL kernel?

Re: ASL Kernel (grsec) breaks Plesk Licence Key Update

Posted: Mon Oct 25, 2010 3:35 pm
by mikeshinn
The above steps are difficult, complicated and last time I initiated them - they did not solve the problem.
Disabling TPE did not solve your problem? If that's true, then the problem is not with the kernel - you can only get that message if TPE is enabled. So if you got that message you did not disable TPE. As I recall, you previously did not set the execute bit on the init script, so it's likely your problem is as simple as that.
I offer you the opportunity to access my system and initiate the above, thereby allowing you to assess the efficiency of the solution.
Please email support@atomicorp.com if you want professional services to send you a quote for this.
I think I would prefer to uninstall the ASL Kernel.
In Linux you should just configure your system to not boot into the ASL kernel - removing kernels in Linux is dangerous:

https://www.atomicorp.com/wiki/index.ph ... el_to_boot
Uninstalling the kernel should also deal with these warnings, yes?

Oct 25 00:00:04 loft2234 kernel: grsec: denied kernel module auto-load of net-pf-10 by /usr/sbin/httpd[httpd:26479] uid/euid:48/48 gid/egid:48/48, parent /usr/sbin/httpd[httpd:13969] uid/euid:0/0 gid/egid:0/0
This is not an error, this is a protection message. So yes, if you boot into a non-ASL kernel this protection message will go away and your non-ASL kernel will now be vulnerable to kernel level rootkits, so yes, that would get rid of this protection and therefore this message.
Removing GRSEC should solve my Dr. Web License update problem, correct?
No idea. If you disabled TPE and Dr. Web still didn't work, then no - that's a Parallels issue.
How do I uninstall the ASL kernel?
We do not recommend you uninstall Linux kernels unless you know what you are doing; Linux is not really designed to do this and it's very dangerous. You are better off just telling your system to boot into a different kernel:

https://www.atomicorp.com/wiki/index.ph ... el_to_boot

If you want to uninstall the ASL kernel anyway, this procedure is not supported:

rpm -q kernel

And then just pick the kernel(s) you want to remove:

yum remove <packagename>

And then reboot. This procedure is not supported. Don't do it, tell your system to boot into a non-ASL kernel instead.

If you use a non-ASL kernel, ASL will also report several critical vulnerabilities in the non-ASL kernel, those are not false positives. You will be vulnerable to numerous attacks if you use the default Linux kernels.

Re: ASL Kernel (grsec) breaks Plesk Licence Key Update

Posted: Mon Oct 25, 2010 5:32 pm
by webfeatus
I had already implemented option 4. The grsec-related error is no longer. However the license update issue persists. I use ASL on another server (openvz) so I am familiar with the kernel-related warnings. But, again, removing the kernel seems very complicated, if this ends up being the solution. Waiting to see what Parallels say...

Re: ASL Kernel (grsec) breaks Plesk Licence Key Update

Posted: Mon Oct 25, 2010 6:06 pm
by mikeshinn
I had already implemented option 4. The grsec-related error is no longer. However the license update issue persists
So if I understand you correctly, you disabled TPE and you are not getting a grsec message? If so, then ASL is not the source of your difficulties with Dr. Web.

ASL always logs anything it does, so if it's not logging an action it's not taking one. If you are not seeing any events being logged when you try to run their license manager, then the ASL kernel is not involved.
But, again, removing the kernel seems very complicated, if this ends up being the solution. Waiting to see what Parallels say...
Don't remove the kernel (never do that, it's dangerous and you can end up making your system unbootable), just set your system to boot into another kernel. The process is pretty simple in Linux. You can even do it when the system boots, from the boot manager menu.

Re: ASL Kernel (grsec) breaks Plesk Licence Key Update

Posted: Tue Oct 26, 2010 5:10 am
by webfeatus
Since disabling tpe, I am receiving the following:
The ClamAV update process (freshclam daemon) was not running!
If you no longer wish to run freshclam, deleting the freshclam.log file will suppress this error message.
Is clamav used by asl?
Is the above an issue?

Re: ASL Kernel (grsec) breaks Plesk Licence Key Update

Posted: Tue Oct 26, 2010 10:01 am
by scott
Of course we use clamav, we just don't use the freshclam daemon.

Re: ASL Kernel (grsec) breaks Plesk Licence Key Update

Posted: Tue Oct 26, 2010 10:17 am
by webfeatus
I am trying to work out why logwatch is displaying completely different output since I disabled tpe.

TODAY:


 ################### Logwatch 7.3 (03/24/06) #################### 
        Processing Initiated: Tue Oct 26 04:02:14 2010
        Date Range Processed: yesterday
                              ( 2010-Oct-25 )
                              Period is day.
      Detail Level of Output: 0
              Type of Output: unformatted
           Logfiles for Host:   
 ################################################################## 
 
 --------------------- clam-update Begin ------------------------ 

 The ClamAV update process (freshclam daemon) was not running!
 If you no longer wish to run freshclam, deleting the freshclam.log
 file will suppress this error message.
 
 ---------------------- clam-update End ------------------------- 

 
 --------------------- Clamav Begin ------------------------ 

 
 **Unmatched Entries**
 Not loading PUA signatures. 
 Loaded 1761816 signatures. 
 TCP: Bound to address 127.0.0.1 on port 3310 
 TCP: Setting connection queue length to 30 
 LOCAL: Unix socket file /tmp/clamd.socket 
 LOCAL: Setting connection queue length to 30 
 Limits: Global size limit set to 104857600 bytes. 
 Limits: File size limit set to 26214400 bytes. 
 Limits: Recursion level limit set to 16. 
 Limits: Files limit set to 10000. 
 Algorithmic detection enabled. 
 Database correctly reloaded (1761816 signatures) 
 Not loading PUA signatures. 
 Loaded 1761816 signatures. 
 TCP: Bound to address 127.0.0.1 on port 3310 
 TCP: Setting connection queue length to 30 
 LOCAL: Removing stale socket file /tmp/clamd.socket 
 LOCAL: Unix socket file /tmp/clamd.socket 
 LOCAL: Setting connection queue length to 30 
 Limits: Global size limit set to 104857600 bytes. 
 Limits: File size limit set to 26214400 bytes. 
 Limits: Recursion level limit set to 16. 
 Limits: Files limit set to 10000. 
 Algorithmic detection enabled. 
 Database correctly reloaded (1761816 signatures) 
 
 ---------------------- Clamav End ------------------------- 
YESTERDAY:


################### Logwatch 7.3 (03/24/06) #################### 
        Processing Initiated: Sun Oct 24 21:02:18 2010
        Date Range Processed: yesterday
                              ( 2010-Oct-23 )
                              Period is day.
      Detail Level of Output: 0
              Type of Output: unformatted
           Logfiles for Host: 
  ################################################################## 
 
 --------------------- clam-update Begin ------------------------ 

 Last ClamAV update process started at Sat Oct 23 21:14:40 2010
 
 Last Status:
    Using IPv6 aware code
    Querying current.cvd.clamav.net
    TTL: 10
    Software version from DNS: 0.96.3
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.96.2 Recommended version: 0.96.3
    DON'T PANIC! Read http://www.clamav.net/support/faq
    main.cvd version from DNS: 52
    main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
    daily.cvd version from DNS: 12172
    daily.cld is up to date (version: 12172, sigs: 142604, f-level: 53, builder: guitar)
    safebrowsing.cvd version from DNS: 24693
    Retrieving http://db.us.clamav.net/safebrowsing-24670.cdiff
    Trying to download http://db.us.clamav.net/safebrowsing-24670.cdiff (IP: 168.143.19.95)
    Downloading safebrowsing-24670.cdiff [100%]
    cdiff_apply: Parsed 13359 lines and executed 13235 commands
    Retrieving http://db.us.clamav.net/safebrowsing-24671.cdiff
    Trying to download http://db.us.clamav.net/safebrowsing-24671.cdiff (IP: 168.143.19.95)
    Downloading safebrowsing-24671.cdiff [100%]
    cdiff_apply: Parsed 639 lines and executed 639 commands
    Retrieving http://db.us.clamav.net/safebrowsing-24672.cdiff
    Trying to download http://db.us.clamav.net/safebrowsing-24672.cdiff (IP: 168.143.19.95)
    Downloading safebrowsing-24672.cdiff [100%]
    cdiff_apply: Parsed 450 lines and executed 450 commands
    Retrieving http://db.us.clamav.net/safebrowsing-24673.cdiff
    Trying to download http://db.us.clamav.net/safebrowsing-24673.cdiff (IP: 168.143.19.95)
    Downloading safebrowsing-24673.cdiff [100%]
    cdiff_apply: Parsed 404 lines and executed 404 commands
    Retrieving http://db.us.clamav.net/safebrowsing-24674.cdiff
    Trying to download http://db.us.clamav.net/safebrowsing-24674.cdiff (IP: 168.143.19.95)
    Downloading safebrowsing-24674.cdiff [100%]
    cdiff_apply: Parsed 848 lines and executed 848 commands
    Retrieving http://db.us.clamav.net/safebrowsing-24675.cdiff
    Trying to download http://db.us.clamav.net/safebrowsing-24675.cdiff (IP: 168.143.19.95)
    Downloading safebrowsing-24675.cdiff [100%]
    cdiff_apply: Parsed 211 lines and executed 211 commands
    Retrieving http://db.us.clamav.net/safebrowsing-24676.cdiff
    Trying to download http://db.us.clamav.net/safebrowsing-24676.cdiff (IP: 168.143.19.95)
    Downloading safebrowsing-24676.cdiff [100%]
    cdiff_apply: Parsed 226 lines and executed 226 commands
    Retrieving http://db.us.clamav.net/safebrowsing-24677.cdiff
    Trying to download http://db.us.clamav.net/safebrowsing-24677.cdiff (IP: 168.143.19.95)
    Downloading safebrowsing-24677.cdiff [100%]
    cdiff_apply: Parsed 13813 lines and executed 13398 commands
    Retrieving http://db.us.clamav.net/safebrowsing-24678.cdiff
    Trying to download http://db.us.clamav.net/safebrowsing-24678.cdiff (IP: 168.143.19.95)
    Downloading safebrowsing-24678.cdiff [100%]
    cdiff_apply: Parsed 334 lines and executed 334 commands
    Retrieving http://db.us.clamav.net/safebrowsing-24679.cdiff
    Trying to download http://db.us.clamav.net/safebrowsing-24679.cdiff (IP: 168.143.19.95)
    Downloading safebrowsing-24679.cdiff [100%]
    cdiff_apply: Parsed 324 lines and executed 324 commands
    Retrieving http://db.us.clamav.net/safebrowsing-24680.cdiff
    Trying to download http://db.us.clamav.net/safebrowsing-24680.cdiff (IP: 168.143.19.95)
    Downloading safebrowsing-24680.cdiff [100%]
    cdiff_apply: Parsed 298 lines and executed 298 commands
    Retrieving http://db.us.clamav.net/safebrowsing-24681.cdiff
    Trying to download http://db.us.clamav.net/safebrowsing-24681.cdiff (IP: 168.143.19.95)
    Downloading safebrowsing-24681.cdiff [100%]
    cdiff_apply: Parsed 455 lines and executed 455 commands
    Retrieving http://db.us.clamav.net/safebrowsing-24682.cdiff
    Trying to download http://db.us.clamav.net/safebrowsing-24682.cdiff (IP: 168.143.19.95)
    Downloading safebrowsing-24682.cdiff [100%]
    cdiff_apply: Parsed 296 lines and executed 296 commands
    Retrieving http://db.us.clamav.net/safebrowsing-24683.cdiff
    Trying to download http://db.us.clamav.net/safebrowsing-24683.cdiff (IP: 168.143.19.95)
    Downloading safebrowsing-24683.cdiff [100%]
    cdiff_apply: Parsed 2342 lines and executed 2342 commands
    Retrieving http://db.us.clamav.net/safebrowsing-24684.cdiff
    Trying to download http://db.us.clamav.net/safebrowsing-24684.cdiff (IP: 168.143.19.95)
    Downloading safebrowsing-24684.cdiff [100%]
    cdiff_apply: Parsed 670 lines and executed 670 commands
    Retrieving http://db.us.clamav.net/safebrowsing-24685.cdiff
    Trying to download http://db.us.clamav.net/safebrowsing-24685.cdiff (IP: 168.143.19.95)
    Downloading safebrowsing-24685.cdiff [100%]
    cdiff_apply: Parsed 3402 lines and executed 3390 commands
    Retrieving http://db.us.clamav.net/safebrowsing-24686.cdiff
    Trying to download http://db.us.clamav.net/safebrowsing-24686.cdiff (IP: 168.143.19.95)
    Downloading safebrowsing-24686.cdiff [100%]
    cdiff_apply: Parsed 472 lines and executed 472 commands
    Retrieving http://db.us.clamav.net/safebrowsing-24687.cdiff
    Trying to download http://db.us.clamav.net/safebrowsing-24687.cdiff (IP: 168.143.19.95)
    Downloading safebrowsing-24687.cdiff [100%]
    cdiff_apply: Parsed 524 lines and executed 524 commands
    Retrieving http://db.us.clamav.net/safebrowsing-24688.cdiff
    Trying to download http://db.us.clamav.net/safebrowsing-24688.cdiff (IP: 168.143.19.95)
    Downloading safebrowsing-24688.cdiff [100%]
    cdiff_apply: Parsed 461 lines and executed 461 commands
    Retrieving http://db.us.clamav.net/safebrowsing-24689.cdiff
    Trying to download http://db.us.clamav.net/safebrowsing-24689.cdiff (IP: 168.143.19.95)
    Downloading safebrowsing-24689.cdiff [100%]
    cdiff_apply: Parsed 618 lines and executed 618 commands
    Retrieving http://db.us.clamav.net/safebrowsing-24690.cdiff
    Trying to download http://db.us.clamav.net/safebrowsing-24690.cdiff (IP: 168.143.19.95)
    Downloading safebrowsing-24690.cdiff [100%]
    cdiff_apply: Parsed 1900 lines and executed 1900 commands
    Retrieving http://db.us.clamav.net/safebrowsing-24691.cdiff
    Trying to download http://db.us.clamav.net/safebrowsing-24691.cdiff (IP: 168.143.19.95)
    Downloading safebrowsing-24691.cdiff [100%]
    cdiff_apply: Parsed 374 lines and executed 374 commands
    Retrieving http://db.us.clamav.net/safebrowsing-24692.cdiff
    Trying to download http://db.us.clamav.net/safebrowsing-24692.cdiff (IP: 168.143.19.95)
    Downloading safebrowsing-24692.cdiff [100%]
    cdiff_apply: Parsed 308 lines and executed 308 commands
    Retrieving http://db.us.clamav.net/safebrowsing-24693.cdiff
    Trying to download http://db.us.clamav.net/safebrowsing-24693.cdiff (IP: 168.143.19.95)
    Downloading safebrowsing-24693.cdiff [100%]
    cdiff_apply: Parsed 9554 lines and executed 9137 commands
    Properly loaded 895514 signatures from new safebrowsing.cld
    safebrowsing.cld updated (version: 24693, sigs: 895514, f-level: 53, builder: google)
    bytecode.cvd version from DNS: 86
    bytecode.cvd is up to date (version: 86, sigs: 10, f-level: 53, builder: edwin)
    Database updated (1742855 signatures) from db.us.clamav.net (IP: 168.143.19.95)
    Clamd successfully notified about the update.
 
 ---------------------- clam-update End ------------------------- 

 
 --------------------- Clamav Begin ------------------------ 

 
 **Unmatched Entries**
 Database correctly reloaded (1752027 signatures) 
 
 ---------------------- Clamav End -------------------------
Also from today:


 --------------------- Kernel Begin ------------------------ 

 
 WARNING:  Kernel Errors Present
    Error: Driver 'pcspkr' ...:  2 Time(s)
 
 ---------------------- Kernel End ------------------------- 

Re: ASL Kernel (grsec) breaks Plesk Licence Key Update

Posted: Tue Oct 26, 2010 10:58 am
by mikeshinn
I think you may be confusing correlation with causation here. Changing a kernel setting would not change your freshclam configuration. The two are definitely not related. Perhaps you made another change on the system.

Nevertheless, you can ignore this message. It's nothing to concern yourself with. We don't set freshclam to run in daemon mode, and switching TPE on or off would not change that. If you want to run freshclam in daemon mode, go ahead; in either case this is a message you can completely ignore. ASL will update clamav for you.

As logwatch is not part of ASL, we can't unfortunately help you with that. If you want it to report something or not you'll need to ask the logwatch folks about their tool if you want help with it. That message is not generated by ASL and logwatch is not supported by us.

Now back to your original issue, as I understand it, you said that Dr. Web wasn't working and are no longer getting any ASL messages about Dr. Web correct? Then I'm not sure why you think ASL is the cause of your Dr. Web issues. Please help me to understand.

Also, as I understand it you are waiting to hear from Parallels about their software. We recommend you discuss this issue with them. We know that ASL customers run Dr. Web without issue, so your problem is unlikely to be with ASL. We know it works. As previously offered, we would be happy to refer this to our professional services group to get this working for you. Please let us know if you would like us to send you a quote.

Re: ASL Kernel (grsec) breaks Plesk Licence Key Update (SOLV

Posted: Fri Oct 29, 2010 12:57 am
by webfeatus
Latest feedback from Parallels support.
Releasing Parallels Plesk Panel scripts from grsec is not enough in this particular case.
I tried to reinstall drweb-daemon package and got the following:

[root@loft2234 ~]# rpm -Uvh --force /root/parallels/PSA_9.2.3/dist-rpm-CentOS-5-x86_64/opt/drweb/drweb-daemon-5.0.1-0plesk.i386.rpm
Preparing... ########################################### [100%]
Shutting down Dr. Web daemon...
1:drweb-daemon ########################################### [100%]
Starting Dr. Web daemon...
Dr.Web (R) daemon for Linux/Plesk Edition v5.0.0 (Jun 4 2009)
Copyright (c) Igor Daniloff, 1992-2009
Doctor Web, Moscow, Russia
Support service: http://support.drweb.com
To purchase: http://buy.drweb.com
mprotect(): 13 (Permission denied)

Please, completely disable grsec or load usual stock kernel instead of art's kernel.
Please, let us know the results of the above solution.

Re: ASL Kernel (grsec) breaks Plesk Licence Key Update (SOLV

Posted: Fri Oct 29, 2010 4:28 pm
by mikeshinn
mprotect(): 13 (Permission denied)
Piece of cake:

https://www.atomicorp.com/wiki/index.ph ... _denied.29