Plesk 10.4.4 update brings grsec errors

chrismcb · **Posted:** Fri Nov 25, 2011 1:28 pm

Just upgraded to Plesk 10.4.4 and am getting the following errors in /var/log/messages

Code:

denied untrusted exec of /usr/sbin/postalias by /usr/local/psa/handlers/hooks/check-quota[check-quota:19261] uid/euid:89/110 gid/egid:89/89, parent /usr/local/psa/handlers/hooks/check-quota[check-quota:19260] uid/euid:89/110 gid/egid:89/89

I know about the wiki article on this, but not sure what to do with this (i'm guessing) new feature of Plesk?

FYI, UID 89 is postfix.

Thanks

mikeshinn · **Posted:** Fri Nov 25, 2011 5:09 pm

Check the ownership of /usr/sbin and /usr, I bet its not root.root.

Some programs may change the permissions from root.root, which you do not want under any circumstances. That would make it possible for that user/groups to change/add/delete/modify/install anything they want, including backdoored/malicious core system binaries.

chrismcb · **Posted:** Sat Nov 26, 2011 6:58 am

That was exactly it - the Plesk upgrade seemed to change the permissions of /usr/sbin/ from root:root to hspc:hspc.

Don't know who this user is, but it is Plesk-related.

Changing it back to root:root fixed everything.

breun · **Posted:** Sat Nov 26, 2011 7:21 am

A default Plesk 10 installation doesn't have a 'hspc' user AFAIK. Sounds like 'HSPcomplete' is in the mix maybe?

kram · **Posted:** Fri Dec 16, 2011 4:13 pm

I just had the same problem after installing ASL on a new Server with Plesk 10.4.4 #6

Both /usr/sbin + /usr/share are owned by hspc:hspc

drwxr-xr-x 2 hspc hspc 12288 Dec 16 21:27 sbin
drwxr-xr-x 114 hspc hspc 4096 Dec 16 14:48 share

in /usr/share the folowing folders are hspc:hspc

drwxr-xr-x 3 hspc hspc 4096 Dec 10 23:27 hspc-config
drwxr-xr-x 2 hspc hspc 4096 Dec 10 23:27 hspc-plugin-pp-op-atos
drwxr-xr-x 63 hspc hspc 4096 Dec 11 00:34 perl5
drwxr-xr-x 2 hspc hspc 4096 Dec 10 23:27 plugin-pp-bt-dtaus

mikeshinn · **Posted:** Fri Dec 16, 2011 6:49 pm

ASL didn't change those permissions, something else did that to your system (Plesk maybe?). /usr/bin should always be owned by root.root and ASL is protecting you from a dangerously insecure condition. Just run this command to fix your systems permissions back to what the OS vendor built:

chown root:root /usr/sbin

Why any application would change that is a mystery, but its not ASL that much is for sure. Making the core binaries modifiable by a non-root user is just cybersuicide. I'd look into what vendors product did that and file a bug report with them.

kram · **Posted:** Fri Dec 16, 2011 7:09 pm

@mikeshinn, it certainly seems that PLESK made those changes.
I installed a VPS server aswell to test 10.4.4
That server has the same UID:GID (hspc:hspc)

Only after I installed ASL on the live server did I become aware of the grsec errors.

Thanks again to ASL for keeping me safe

mikeshinn · **Posted:** Fri Dec 16, 2011 7:35 pm

I believe you are right that its Plesk, a few other folks have reported the same thing. I do recommend you report it as a bug to them. Theres really no need for them to change those permissions.

kram · **Posted:** Mon Dec 19, 2011 6:03 pm

@mikeshinn --

should the following folders also be owned by root?

in /usr/share the folowing folders are hspc:hspc

drwxr-xr-x 3 hspc hspc 4096 Dec 10 23:27 hspc-config
drwxr-xr-x 2 hspc hspc 4096 Dec 10 23:27 hspc-plugin-pp-op-atos
drwxr-xr-x 63 hspc hspc 4096 Dec 11 00:34 perl5
drwxr-xr-x 2 hspc hspc 4096 Dec 10 23:27 plugin-pp-bt-dtaus

Plesk 10.4.4 update brings grsec errors

Who is online