Grsecurity management on untrusted exec and trusted groups
I had all my applications functioning well with a grsecurity/PaX hardened kernel until several days ago when I reset my PaX flags. I restored the pax flags for the binaries but one frequently used application is experiencing problems.
When I launch mplayer I receive the following output in dmesg:
[Thu Jun 26 18:28:16 2014] grsec: denied untrusted exec (due to not being in trusted group and file in non-root-owned directory) of / by /usr/bin/mplayer[mplayer:25106] uid/euid:1000/1000 gid/egid:100/100, parent /usr/bin/bash[sh:25105] uid/euid:1000/1000 gid/egid:100/100
Here are the pax flags for mplayer:
- PaX flags: -p---m-x-e-r [/usr/bin/mplayer]
PAGEEXEC is disabled
MPROTECT is disabled
RANDEXEC is disabled
EMUTRAMP is disabled
RANDMMAP is disabled
Here are the lines of the kernel config pertaining to TPE:
CONFIG_GRKERNSEC_TPE_TRUSTED_GID=9999
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_TPE_GID=9999
Does this mean I need to add my user to the tpe-trusted group in order to run mplayer? If so, why aren't other programs experiencing the same problem and would adding the user to the tpe-trusted group compromise system security due to privilege escalation? Thanks for the support.
The error is reporting that the permissions on your / directory are not root:root and 755 as they should be.
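The directory condition named in the dmesg line and in the reply above can be checked from a shell. This is an added example, not part of the original thread and not grsecurity code: the function names are hypothetical, GNU stat is assumed, and the trust rule (owned by uid 0, not writable by group or other) is an assumption taken from the log message and the reply. Walking every ancestor up to / goes beyond the single directory the kernel message names and is done only to locate a misconfigured directory.

```shell
#!/bin/sh
# Added example: approximate the directory test behind grsecurity's
# "denied untrusted exec" message. Assumption: a directory counts as trusted
# only when it is owned by uid 0 and is not writable by group or other.

# tpe_classify UID MODE
# Prints one verdict word for an owner uid and an octal mode as printed by
# `stat -c %a` (for example 755 or 1777).
tpe_classify() {
    uid=$1 mode=$2
    other=${mode#"${mode%?}"}      # last octal digit: permissions for "other"
    rest=${mode%?}
    group=${rest#"${rest%?}"}      # second-to-last digit: permissions for group
    group=${group:-0}              # a mode printed as a single digit has no group digit
    if [ "$uid" -ne 0 ]; then
        echo non-root-owned
    elif [ $((other & 2)) -ne 0 ]; then
        echo world-writable
    elif [ $((group & 2)) -ne 0 ]; then
        echo group-writable
    else
        echo trusted
    fi
}

# tpe_check_dir DIR
# Prints the verdict for one directory; returns 0 only when it is trusted,
# 2 when the directory cannot be inspected.
tpe_check_dir() {
    info=$(stat -c '%u %a' -- "$1") || return 2
    verdict=$(tpe_classify "${info% *}" "${info#* }")
    printf '%s: %s (uid=%s mode=%s)\n' "$1" "$verdict" "${info% *}" "${info#* }"
    [ "$verdict" = trusted ]
}

# tpe_audit_exec FILE
# Checks the directory containing FILE and every ancestor up to /.
# Returns 1 if any of them fails the check.
tpe_audit_exec() {
    case $1 in
        /*) p=$1 ;;
        *)  p=$PWD/$1 ;;           # make relative paths absolute so the walk ends at /
    esac
    dir=$(dirname -- "$p")
    rc=0
    while :; do
        tpe_check_dir "$dir" || rc=1
        [ "$dir" = / ] && break
        dir=$(dirname -- "$dir")
    done
    return $rc
}

# Stand-alone use: pass the executable named in the log line as an argument.
if [ "$#" -gt 0 ]; then
    tpe_audit_exec "$1"
fi
```

Run it with the binary from the log line as its argument, for example /usr/bin/mplayer; any directory not reported as trusted is a candidate for the ownership and mode problem described in the reply.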
Similar Messages
-
Management Consolidation-Moving PC and PC Group
Hi,
We want to do Management Consolidation based on Profit Centers. Would like to understand how movement of Profit Center and Profit Center Group is handled in Management Consolidation? These changes are purely management requirement and does not affect legal ownership.
Kindly advise.
Best Regards,
UR
The biggest challenge is reconciling PCs with LEs.
I agree that this is a challenge. But if the management where UR works would be interested in automatic reconciliation they would consider the matrix consolidation - the manual reconciliation would go away.
Otherwise (without a matrix and only PC CU) such consolidation will be worth nothing just taking into account how much manual work it will take to really reconcile the data. -
Company: V I Engineering, Inc.
Locations: Various - USA
Salary/Wage: $negotiable
Status: Hourly Contractor
Relevant Work Experience: 5+ years system integration (LabVIEW/TestStand experience required)
Career Level: Intermediate/Experienced
Education Level: Bachelor's Degree
Residency/Citizenship: USA Citizenship or Greencard required
Driving Business Results through Test Engineering
V I Engineering, Inc. has a vision for every client we engage. That vision is to achieve on-time and on-budget program launch more efficiently than the competition. To realize this vision, customers need to achieve predictable test systems development, eliminate waste in test information management, and drive increased leverage of test assets. An underlying requirement for all of these areas is metrics tracking and measurement based decision making.
Job Description
Ready to make a difference? Bring your experiences and skills to the industry leading test organization. Help us to continue to shape the way the world views test. We are seeking a talented Systems Engineer Contractor to be responsible for technical execution of successful projects in the Medical, Military, Transportation, Consumer Electronics and Aerospace Industries. The position will have very high visibility to customers and vendors. This is a very fast paced team with close customer contact and strong career development opportunities. A large part of the position is to identify, own and drive technical design, development and installation of test systems. You will work alongside other like-minded and equally talented engineers, and be creative in a fast-paced and flexible environment that encourages you to think outside the box. You will be available to spend extended periods at our customer sites to complete system installations.
Required
5+ years of Systems Integration experience
3+ years LabVIEW experience
1+ years TestStand experience
Experience in Implementation and Delivery of Test Systems, including integration
Experience in ATE usage and development
Experience in building and Integrating Mechanical Fixtures
Experience in Understanding the design of Circuit Boards as they relate to a total system, and their fault-finding
Experience in Taking Part in Technical Teams throughout All Phases of Project Lifecycle
Experience in Interfacing with Sub-vendors and Customers
Ability to Multitask
Comfortable Working on Various Team Sizes
Excellent Communication Skills
Desired
Requirements generation and review experience
National Instruments Hardware knowledge
Experience with Source Code Control (SCC)
Experience executing verification and validation for projects
Experience generating and/or reviewing cost proposals
RF Technology (DAQ, General RF Theory)
FPGA (with LabVIEW)
Professional software engineering processes and metrics experience
TortoiseSVN
V I Package Manager (VIPM)
Experience with Projects for Regulated Industries
MS Project
Formal Education
Technical degree (BS Engineering, Computer Science, Physics, Math)
National Instruments Courses a plus
National Instruments certification a plus
Notes:
Expected Travel Time is up to 50%.
V I Engineering, Inc. offers a dynamic work environment and the flexibility of a small company.
The Test Software and Integration Group values innovation, out-of-the-box thinking, high-tech toys and a fun / amazingly collaborative working environment. We're a National Instruments Select Integrator, and we're the closest you can get to playing with all the pre-released and new NI toys without joining the NI R&D team - and we get to play with them in the real world.
To apply for this position, email a cover letter and resume to [email protected] with the subject "TSIG Systems Engineer (Contract) employment application".
Copyright © 2004-2015 Christopher G. Relf. Some Rights Reserved. This posting is licensed under a Creative Commons Attribution 2.5 License.
Jeff -
Company: V I Engineering, Inc.
Locations: Positions available in our Farmington Hills, MI Office
Salary/Wage: $negotiable
Status: Full Time, Employee
Relevant Work Experience: 5+ years system integration (LabVIEW/TestStand experience preferred, but not required)
Career Level: Intermediate (Non-Manager)
Education Level: Bachelor's Degree
Residency/Citizenship: USA Citizenship or Greencard required
Driving Business Results through Test Engineering
V I Engineering, Inc. has a vision for every client we engage. That vision is to achieve on-time and on-budget program launch more efficiently than the competition. To realize this vision, customers need to achieve predictable test systems development, eliminate waste in test information management, and drive increased leverage of test assets. An underlying requirement for all of these areas is metrics tracking and measurement based decision making.
Job Description
Ready to make a difference? Bring your experiences and skills to the industry leading test organization. Help us to continue to shape the way the world views test. We are seeking a talented Systems Engineer to be responsible for technical execution of successful projects in the Medical, Military, Transportation, Consumer Electronics and Aerospace Industries. The position will have high visibility to customers and vendors. This is a very fast paced team with close customer contact and strong career development opportunities. A large part of the position is to identify, own and drive technical design and development of test systems. You will work alongside other like-minded and equally talented engineers, and be creative in a fast-paced and flexible environment that encourages you to think outside the box.
Required
5+ years of Systems Integration experience
Experience in Design and Implementation of Test Systems, including integration
Experience in ATE usage and development
Experience in reviewing of Mechanical Fixtures
Experience in understanding the design of Circuit Boards as they relate to a total system
Experience in Taking Part in Technical Teams throughout All Phases of Project Lifecycle
Experience in Interfacing with Sub-vendors and Customers
Ability to Multitask
Comfortable Working on Various Team Sizes
Excellent Communication Skills
Desired
Requirements generation and review experience
National Instruments Hardware knowledge
LabVIEW/TestStand experience
Experience with Source Code Control (SCC)
Experience executing verification and validation for projects
Experience generating and/or reviewing cost proposals
RF Technology (DAQ, General RF Theory)
FPGA (with LabVIEW)
Professional software engineering processes and metrics experience (statement coverage, code size, reuse measurement, etc)
TortoiseSVN
V I Package Manager (VIPM)
UML
Experience with Projects for Regulated Industries
MS Project
Formal Education
Technical degree (BS Engineering, Computer Science, Physics, Math)
National Instruments Courses a plus
National Instruments certification a plus
Notes:
Expected Travel Time is up to 25%.
Relocation assistance is possible.
V I Engineering, Inc. offers incredible opportunities to grow and advance your career, a dynamic work environment and the flexibility of a small company.
The Test Software and Integration Group values innovation, out-of-the-box thinking, high-tech toys and a fun / amazingly collaborative working environment. We're a National Instruments Select Integrator, and we're the closest you can get to playing with all the pre-released and new NI toys without joining the NI R&D team - and we get to play with them in the real world.
To apply for this position, email a cover letter and resume to [email protected] with the subject "TSIG Systems Engineer employment application".
Copyright © 2004-2015 Christopher G. Relf. Some Rights Reserved. This posting is licensed under a Creative Commons Attribution 2.5 License.
Jeff -
Cisco Prime 4.2, Inventory group management and reports group
Hi
I have created some groups under Inventory > Group Management > Device. This works fine.
Then I want to create a monthly report for Reports > Performance > Device > Availability. Here I guessed I would find my groups created under inventory.
But I can see the groups, one group is duplicated, but all groups are empty. Under all devices, I can only see 6 of the devices but it should have been 122. Under the different subnet groups, there's no devices.
Shouldn't I have seen the groups created under inventory when I want to make a report? Under the device list for quick report.
Br
Geir
Hm.... strange I've been looking around under Report, and looked at Inventory and Performance reports.
Inventory > Detailed Device shows all the devices and my groups.
Performance > Device > Availability show just 6 out of my 122 devices.
Under Inventory > Group Management > Device I have a group called Datasenter.
Under Performance > Device > Availability I can see 2 of these groups, but they're both empty.
When I delete this group, one of them disappears from under Performance. When I create it again, it comes back but empty.
Something must be corrupt.
Geir -
My Active Directory environment is 2003 functional level and we have Exchange 2010.
I am trying to find out the best way to do a mass edit for the "Managed by" values of our security and distribution groups.
I know we can export the "managed by" field by csvde but I am not sure this is the correct way to do it. Also in the case that there are multiple users assigned to be managing a distribution group it only shows one value. Also powershell from Exchange 2010 can be used with "get-distribution" but as our AD environment is 2003 is this correct also?
Finally once the data is exported to csv can it be edited to then reimport and update the existing group managed by fields with new values?
Not really sure what the best way to go about this is.
Summary - We have 2003 AD with Exchange 2010 and I am trying to export a list of all our Distribution/Security groups showing the group name and managedby values so we can edit and update the existing managedby values with new ones. In some cases we have multiple users as the owners.
Appreciate any advice on how this can be best achieved. Thank you.
Hi,
We can use the following command in Exchange 2010 to export "Managed by" field of Distribution and Security groups:
Get-DistributionGroup | Select-Object Name,@{label="ManagedBy";expression={[string]::join(";",$_.managedby)}},Primarysmtpaddress | Export-Csv C:\export.csv
After you changed the Managed by field in export.csv and saved it as a new file named import.csv, we can run the following command to set with new value:
# ManagedBy was exported as a ";"-joined string, so split it back into a list of owners
Import-Csv C:\import.csv | Foreach-Object{ Set-DistributionGroup -Identity $_.Name -ManagedBy ($_.ManagedBy -split ";") }
Hope it works.
Thanks,
Winnie Liang
TechNet Community Support -
My Active Directory environment is 2003 functional level and we have Exchange 2010.
I am trying to find out the best way to do a mass edit for the "Managed by" values of our security and distribution groups.
I know we can export the "managed by" field by csvde but I am not sure this is the correct way to do it. Also in the case that there are multiple users assigned to be managing a distribution group it only shows one value. Also powershell from Exchange 2010 can be used with "get-distribution" but as our AD environment is 2003 is this correct also?
Finally once the data is exported to csv can it be edited to then reimport and update the existing group managed by fields with new values?
Not really sure what the best way to go about this is.
Summary - We have 2003 AD with Exchange 2010 and I am trying to export a list of all our Distribution/Security groups showing the group name and managedby values so we can edit and update the existing managedby values with new ones.
Appreciate any advice on how this can be best achieved. Thank you.
Hi Barkley,
You can also refer to Official Scripting Guys forum to get a script solution:
http://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG&filter=alltypes&sort=lastpostdesc
Best Regards,
Amy Wang -
Adding sites to compatibility mode and trusted sites, IE10 and Server 2008
We're having a challenge with configuring a GPO to add several sites to Compatibility View Settings as well as adding several others (the same sites, plus some others) to Trusted Sites. We are currently running VMware's Persona Management/floating pools (thin provisioned linked clones), with the appdata folder redirected to the Persona server. Clients are running IE10, DCs are running Server 2008 R2 with IE8.
gpresult/r shows the GPO listed under Applied GPOs on the User Settings side (and all the settings are user settings); however, compatibility and trusted sites settings do not apply.
From prior research on the topic, I seem to recall that I needed to install the IE10 IEAK; however, I cannot install that without having IE10 installed first, and I cannot install IE10 without installing the pre-requisite elements, which I cannot install (either through Windows Update or the IE10 standalone installer). When the IE10 install fails, it refers me to a Microsoft KB article that won't open. If I open the article on a workstation PC, I find links to five separate prerequisite files. If I download all five files and attempt to install them, they say they're not applicable to my computer. I can't post links in this article yet (account hasn't been verified), but a Google search for "MS KB 2818833" leads to the page with the links.
64-bit Server 2008 R2.
Any thoughts?
Hi,
Before going further, how did we configure the settings? Since Windows 8, the IEM settings have been deprecated. As a result, IEM settings won't apply to IE10 or above. However, in this situation, we should be able to use administrative templates to configure the settings we want.
Regarding how to add web site to Compatibility View List via GPO, the following article can be referred to as reference.
How to add web site to Compatibility View List via GPO
http://blogs.msdn.com/b/asiatech/archive/2013/10/23/how-to-add-web-site-to-compatibility-view-list-via-gpo.aspx
Regarding how to configure Internet Explorer security zone sites via native policies, the following article can be referred to for more information.
How to configure Internet Explorer security zone sites using group polices
http://blogs.msdn.com/b/askie/archive/2012/06/05/how-to-configure-internet-explorer-security-zone-sites-using-group-polices.aspx
Best regards,
Frank Shen -
Sales Office and Sales Group Automatic Determination based on the Sold to P
Hello every one
We need determine sales office and sales group based on sold to party master data in Activity Management in SAP CRM 2007.
I want to know if there is a way to do it when we save the document.
Any ideas???
hi, the sales org, office, group determination can be configured in Organization Determination.
You can choose Org Determine rule for your CRM document.
And if you feel the rule can't match your requirement, you can create a new rule, and create customize function module for the rule, you can add your determine logic in the function module to realize your requirement. -
Creation of new employee groups and sub groups
Hi All,
What all the steps should I follow to create new employee groups and sub groups? and How many structures should I create for this?
Its urgent pls.......
Good replies will be rewarded!!!!
Regards,
Sita
Hi
You can create the employee groups depending up on your clients requirement, Eg: Permanent, Temporary, Seasonal, Trainee, Advisor etc
And define the employee subgroups and assign them to the employee groups Like
Enterprise structure>Definition>Human Resource Management-->Employee Groups & Employee Groups
Enterprise structure>Assignment>Human Resource Management-->Assign employee subgroup to employee group
you can create employee subgroups depending up on your requirement like asst manager, manager, GM, MD, VP ETC and assign them to the employee subgroups ok.
Ensure that certain employee subgroups may not be assigned to employee group based on requirement, but create all the employee sub groups which is existing in the organization.
Regards -
Free license and isolation groups
Hello,
We have just installed CPS in our Solution Manager 7.1. The CPS release is Build: M28.17-35130.
The license keys - free - are:
CPS-Basic ProcessServerService.SAP.ApplicationsAPI true
CPS-Basic ProcessServerService.SAP.SolutionManager true
CPS-Basic ProcessServerService.SAP.XBPExternal true
CPS-Basic ProcessServerService.SAP.limit 0
CPS-Basic System.NamedUsers.limit 10
CPS-Basic System.Production true
CPS-Basic company.contract CPS-Basic
CPS-Basic company.name xxxxxxxxxxxxxxx
CPS-Basic product.name SAP Central Process Scheduling by Redwood
CPS-Basic signature 3
CPS-Basic system.id SAP:SOL_00
I have read in the Administration guide and in other posts that in the free license I cannot define more than one sap system client per isolation group, but I have the doubt of how can I monitor more than one sap system or even more than one client in the same sap system?
Thanks and best regards,
Ana.
Hello Ana,
you can monitor SAP CPS jobs across Isolation Groups from your SAP Solution Manager. That's a special feature of the SAP CPS integration into SAP Solution Manager.
Just import your (Solution Manager) user into all relevant isolation groups (same user name in SolMan and SAP CPS) and then run job filters or custom queries from the Job Management Work Center.
See the second part of my blog /people/martin.lauer/blog/2009/05/28/monitoring-job-chains-with-sap-cps-by-redwood-and-sap-solution-manager for more information how to call CPS filter and customer queries from the Job Management Work Center.
As a prerequisite you will have to setup the connectivity between SAP CPS and SolMan. See the following notes: 1122497, 1054005, 1129030, 1037903.
If you have any issues in setting up this scenario, please do not hesitate to contact me.
Kind regards,
Martin -
Hi,
I was reading about buffer busy waits (based on oracle 10g), and i came across two terms i was unfamiliar about... freelist and freelist groups . Can somebody explain the meaning of these two terms and how it is related to objects ?? I am more interested in single instance database and not about RAC..
Is this relevant to current version of oracle database(11g) as well???
Thanks in advance.
Freelist is a part of the object and are maintained to define the candidate blocks which are available for the DMLs. The parameters PCTUSED, PCTFREE are going to be making the blocks go in and out of the freelist. It's a linked list whose starting point is the segment header block and that's what is the cause of the issue is what you have mentioned, buffer busy wait. Buffer busy wait is just a cumulative wait event and does have many of the reasons. What is going to be caused by the freelist is going to be the buffer busy wait for the segment header. Since the segment header is going to be pinned each and every time the scan for the free list is requested, it's going to come under contention under a very heavy OLTP environment. That's why Oracle introduced, in 9i, ASSM which is Automatic Segment Space Management, a more optimized, bitmap based functionality, which removes the use of freelist altogether*. So even in 11g, the concept remains if you want to make the segment space management manual.
I would not suggest you to read that link which you have quoted but would suggest to read this MOS note,
MOS doc id 157250.1, "Freelist Management with Oracle 8i" by Stephan Haisley .
I don't think freelist are explained anywhere better than what is there in the above document. Please note, you need to have valid CSI to login to MOS.
HTH
Aman....
* ASSM is not really a very nice thing actually but that is another topic to discuss so let's leave it for the moment. -
Grant access to help desk users to add members to distribution and security groups
Hello,
I am trying to create a set of help desk users that has full access to add or remove members from distribution and security groups as well as update users. We want it to bypass owner approval and essentially allow this group to add or remove members in the FIM Portal and flow it down to ADS.
This obviously works fine if one is a member of the Administrators set, but we want a second tier of power users with limited rights compared to FIM Admins. We have added the help desk team to the Security Group Users and Group Users set as well as MPR "Security group management: Users can read selected attributes of group resources".
The help desk users can update users in the Portal with no issue. They can search groups with no issue but when they try to add members to a group they get the error "Access Denied".
Any help is greatly appreciated.
Thanks!
I'm having a very similar problem - I have users with delegated right to modify group membership only. User can add someone to group and it works fine, but when the same user is trying to remove a user from a group (even if this is the same user which was added a minute ago) he gets Access Denied:
"The request included members which the requestor is not authorized to add and/or remove from this group."
It is caused by default MPR:
Group management workflow: Validate requestor on remove member
Question is how this activity validates this request - any insight? -
StoreFront : Payment and Shipping group relationships are missing for some orders
Hi Team,
In our application, we are able to see relationship between payment and shipping group for some orders. But we are not able to find these relationships for some orders.
We are verifying in "dcspp_payship_rel" table. We are wondering why this behavior is happening for some orders.
Could you please suggest to move further ?
Regards,
Babji...
Hello.
First of all you must ensure that you are properly using transactions when you create/update the orders.
There are best practices to update the orders in ATG that must be followed to avoid loss of information.
Like these steps below:
Acquire a write lock using the ATG lock manager.
Start the transaction.
Synchronized on the Order object.
Update the Order.
End the synchronization.
End the transaction.
Release the lock.
Here are some links that should help you understand the steps to be followed to make a correct update of an order:
https://atgoasis.wordpress.com/2014/08/28/best-practices-for-updating-an-order-in-atg-commerce-applications/
http://www.digitalsanctuary.com/tech-blog/java/atg/design-pattern-for-updating-an-atg-order.html
http://sumangalavijay.blogspot.com.br/2011/10/atg-update-order.html
Oracle ATG Web Commerce - Managing Transactions in Oracle ATG Web Commerce
Hope it helps you! =) -
Primary Group and Additional Group in Solaris 10
hi!
We've just freshly installed a Solaris 10 system. I'm very new in Solaris. There's something i noticed, and i'm not sure whether is that normal.
In the user screen in solaris management console, I notice that I'm not able to see the Primary group and additional group list. What I can see is only the Primary group in ID format. I'm able to see it only the first time when I launch the Solaris management console or switch from one workplace to another. After right clicking on the user properties for the second time, it disappears and shows only the primary group id in integer. On the left hand side of the screen, it says "The group cannot be listed. You can change the primary group 10 to another valid integer. Because of error or oversight, group membership cannot be found. You can enter a number for the primary group, but cannot choose from a list of groupnames. Also you cannot choose Seconday Group until the group info is available". "Check group files, NIS maps, or load for possible corruption. If you have not already populated appropiate files or maps, See administrator guide, Naming and Directory Services(DNS, NIS, LDAP) or docs.sun.com for LDAP see also Solaris Management console help, about the toolbox editor to manage LDAP"
Is that normal? What could be wrong here? Please advise. Thanks.
hi! Anyone can provide advise on the issue I encountered?