# [solved]grsec: "denied untrusted exec" but I am in the group

## toralf

or ?

This is the message :

```
Dec 11 11:27:21 tor-relay kernel: grsec: From 80.171.150.25: denied untrusted exec (due to being in untrusted group and file in non-root-owned directory) of /home/tfoerste/mask by /home/tfoerste/mask[bash:26398] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:26101] uid/euid:1000/1000 gid/egid:1000/1000
```

Here's the group:

```
# zgrep CONFIG_GRKERNSEC_TPE_GID /proc/config.gz 

CONFIG_GRKERNSEC_TPE_GID=100
```

and I do belong to :

```
# id tfoerste

uid=1000(tfoerste) gid=1000(tfoerste) groups=1000(tfoerste),10(wheel),18(audio),100(users),250(portage),16(cron),120(crontab),1002(fate),1003(tinderbox)

```

Update: hhm, b/c teh same works at a hardened system with CONFIG_GRKERNSEC_CONFIG_DESKTOP=y I do assume, it has something to do with CONFIG_GRKERNSEC_CONFIG_SERVER=y and CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=100 ?Last edited by toralf on Thu Dec 11, 2014 4:18 pm; edited 1 time in total

----------

## mv

It may be that TPE is inverted, that is that you are subject to the restricion only if you are a member of GID=100.

I forgot the name of htis kernel option (something with "INVERT" probably).Last edited by mv on Thu Dec 11, 2014 3:22 pm; edited 1 time in total

----------

## toralf

CONFIG_GRKERNSEC_TPE_INVERT - yep, that was it, but if I choosed that, I got much more new trouble at other places than before, ok, so I have to prepend my shell script calls with /bin/sh and it works

----------

