Hi Gustaf,

You're right. The kernel hardening features are set, including:

xdcpmer@harvesp-agah:~$ sudo dmesg | grep "Execute Disable"
[    0.000000] NX (Execute Disable) protection: active

This particular one appears to be at the BIOS level instead of sysctl.

And yet apache2 works.

There *should be* some way for this feature to learn about Naviserver, too. I'm guessing nsd needs to be distributed in the OS via regular package distribution in order to work with this feature.

I'm talking with GCP about the possibility of turning off the feature or offering an unshielded Ubuntu image. All the internal Ubuntu offerings are shielded[2]. I am pivoting to FreeBSD in the interim.

Thank you for the link and your time!

NaviServer cheers,
Ben

2. https://cloud.google.com/shielded-vm

On 3/29/20 8:48 PM, Gustaf Neumann wrote:
Dear Ben

Not sure what is going on on these Google Cloud platforms.
With Ubuntu 18.04.4 LTS + Linux 5.3.0, I see no problems.
Maybe some of the kernel hardening parameters [1] are set?

-gn

$ uname -a
Linux cigoos 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ sudo /usr/local/ns/bin/nsd -f -u nsadmin -g nsadmin -t /usr/local/ns/conf/nsd-config.tcl
...
[30/Mar/2020:03:25:11][32118.7f376effd700][-driver:nssock:0-] Notice: nssock:0: listening on [0.0.0.0]:8080
[30/Mar/2020:03:25:11][32118.7f377a268740][-main-] Notice: nsmain: NaviServer/4.99.19 (tar-4.99.19) running


[1]https://www.kmotoko.com/articles/linux-hardening-kernel-parameters-with-sysctl/

On 30.03.20 00:33, Ben Brink via naviserver-devel wrote:
Hi,

With vTPM and monitoring turned off (and the server rebooted), nsd still doesn't boot due to the same error for both ports and either a specific IP number or 0.0.0.0.

I suspect this is some overzealous latent TPM/monitoring or related permissions issue, as I had a similar issue earlier this year running VMs in GNS3 on Linux 5.0.0+, which I worked around instead of resolving, because there seemed to be a bunch of upstream changes in that area of the kernel that may have fixed the GNS3 issue if I could wait for them to reach standard Linux releases.

cheers,
Ben

On 3/29/20 3:17 PM, Ben Brink via naviserver-devel wrote:
Hi,

Also, GCP says that vTPM and integrity monitoring options are enabled by default, but that Secure Boot is not.[1]

1. https://cloud.google.com/compute/docs/instances/modifying-shielded-vm#modify-shielded-vm-instance

I'm going to turn off vTPM, and see if that's enough to get nsd to bind.




On 3/29/20 2:59 PM, Ben Brink via naviserver-devel wrote:
Hi,

NaviServer fails to bind at startup to port 8000 or 80, with either a specific IP number or 0.0.0.0.

The errors are identical. See log snip below.

For diagnostic purposes, I tried apache2 on 80. It works with:

# systemctl start apache2

# systemctl start oacs-5-9-1
Job for oacs-5-9-1.service failed because the control process exited with error code. See "systemctl status oacs-5-9-1.service" and "journalctl -xe" for details.

# uname -a
Linux harvesp-agah 5.0.0-1033-gcp #34-Ubuntu SMP Tue Mar 3 04:36:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

The first error in the log occurs after startup.

[29/Mar/2020:05:50:33][2926.7fad7081c740][-main-] Notice: nssock:0: adding virtual host entry for host <private.biz:80> location: http://private.biz:80 mapped to server: oacs-5-9-1
[29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-] Notice: starting
[29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-] Notice: bind operation on sock 15 lead to error: Cannot assign requested address
[29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-] Warning: bind on: SockAddr family AF_INET, ip x.x.x.x, port 80
[29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-] Error: Ns_SockBinderListen: sendmsg() failed: sent 53 bytes, 'Cannot assign requested address'
[29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-] Error: nssock:0: failed to listen on [x.x.x.x]:80: Cannot assign requested address
[29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-] Warning: could no bind any of the following addresses, stopping this driver: x.x.x.x
[29/Mar/2020:05:50:33][2926.7fad7081c740][-main-] Notice: nsmain: NaviServer/4.99.19 (tar-4.99.19) running
[29/Mar/2020:05:50:33][2926.7fad7081c740][-main-] Notice: nsmain: security info: uid=1002, euid=1002, gid=1003, egid=1003
[29/Mar/2020:05:50:33][2926.7fad6d353700][-sched-] Notice: sched: starting
[29/Mar/2020:05:50:33][2926.7fad7081c740][-main-] Fatal: nsmain: can't communicate with parent process, nwrite -1, error: Broken pipe (parent process was probably killed)

This is on an Ubuntu image on GCP:

ubuntu-minimal-1804-bionic-v20200317
Description
Canonical, Ubuntu, 18.04 LTS Minimal, amd64 bionic minimal image built on 2020-03-17, supports Shielded VM features

I'm guessing it's some kind of vTPM/kernel security issue, since extra security features were added to the Linux kernel at version 5.0.0.

Any suggestions on how to get NaviServer to bind / pass the security challenge?

kind regards,
Ben



_______________________________________________
naviserver-devel mailing list
naviserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/naviserver-devel
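The log quoted in this thread reports "Cannot assign requested address", which is the C library's message text for the bind(2) errno EADDRNOTAVAIL. The script below is an added diagnostic example, not code from the thread or from NaviServer: it probes a bind on an address:port pair and maps the resulting errno to the condition it names, so the three bind failures a daemon most often hits (address not present on any local interface, privileged port without the capability, port already taken) can be told apart from the errno rather than inferred from the message text or the kernel version. It assumes 192.0.2.1 (RFC 5737 TEST-NET-1) is not configured on the machine running it, and that loopback is available.

```python
import errno
import socket

# What each bind(2) errno means in practice. "Cannot assign requested address"
# in the NaviServer log above is glibc's message for EADDRNOTAVAIL.
BIND_HINTS = {
    errno.EADDRNOTAVAIL: ("address is not configured on any local interface; "
                          "on a cloud VM the public IP is usually NAT-ed, so "
                          "listen on 0.0.0.0 or the NIC's private address"),
    errno.EACCES: ("privileged port (< 1024) without root or "
                   "CAP_NET_BIND_SERVICE"),
    errno.EADDRINUSE: "another socket is already bound to this address:port",
}


def probe_bind(host, port):
    """Attempt a TCP bind on (host, port) and report the outcome.

    Returns ("OK", "<ip>:<port>") on success, otherwise (errno name, hint).
    The socket is closed either way, so nothing is left listening.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        ip, bound_port = sock.getsockname()
        return "OK", f"{ip}:{bound_port}"
    except OSError as exc:
        name = errno.errorcode.get(exc.errno, str(exc.errno))
        return name, BIND_HINTS.get(exc.errno, exc.strerror)
    finally:
        sock.close()


def probe_address_in_use():
    """Hold an ephemeral loopback port open, then probe that same port.

    Demonstrates the EADDRINUSE case without needing a real daemon running.
    """
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        holder.bind(("127.0.0.1", 0))   # port 0: kernel picks a free port
        holder.listen(1)
        _, port = holder.getsockname()
        return probe_bind("127.0.0.1", port)
    finally:
        holder.close()


if __name__ == "__main__":
    # 192.0.2.1 is TEST-NET-1 and is assumed not to be a local address here.
    for host, port in (("0.0.0.0", 0), ("192.0.2.1", 8080), ("127.0.0.1", 80)):
        print(f"{host}:{port} -> {probe_bind(host, port)}")
    print("duplicate bind ->", probe_address_in_use())
```

Run it as the same unprivileged user the server runs as (the log shows uid=1002), since the EACCES case depends on the caller's privileges. EADDRNOTAVAIL on a specific address, with 0.0.0.0 binding fine, points at the address not being assigned to a local interface; comparing with the output of `ip -4 addr` on the VM confirms which addresses the kernel will accept.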