# grsec: denied untrusted exec of ...

## shimon

hello,

I just migrated to kernel-2.6, I used hardened sources and grsecurity (this is my first time with both). Now I'm having problems with my system. I can't run scripts saved in my /home partition. It says:

```
grsec: denied untrusted exec of /home/***/scripts/my_script.sh by /bin/bash[bash:9402] uid/euid:502/502 gid/egid:100/100, parent /bin/bash[bash:16337] uid/euid:502/502 gid/egid:100/100

-su: /home/***/scripts/my_script.sh: /bin/bash: bad interpreter: Permission denied
```

and it's happening not only with /home resident scripts, it also happens with /usr, mailman can't use certain codecs:

```
grsec: denied untrusted exec of /usr/local/mailman/pythonlib/japanese/c/_japanese_codecs.so by /usr/bin/python2.2[python:15853] uid/euid:280/280 gid/egid:280/280, parent /usr/bin/cron[cron:32466] uid/euid:0/0 gid/egid:0/0
```

/usr is also another partition.

I tried using `defaults` as the fstab option to mount /home and /usr as suggested by https://forums.gentoo.org/viewtopic.php?p=873840 but it doesn't help at all. The last post of that thread comments on writing the options after user/s but I truly don't know what it means, and as it says, the options are reset to ones I don't want.

Thank you all for your help.

----------

## Acronis

I have the same problem. Is there any solution for this problem?

----------

## schachti

Did you enable CONFIG_GRKERNSEC_TPE? I think TPE is causing your problem...

----------

## Acronis

yes

I have the following settings

```
kernel.grsecurity.tpe = 1
kernel.grsecurity.tpe_gid = 1234
```

What should I do now?

The user must have the same gid as the TPE gid?

----------

## schachti

It depends on whether CONFIG_GRKERNSEC_TPE_ALL and/or CONFIG_GRKERNSEC_TPE_INVERT are set.

----------

## Acronis

```
/boot/config:CONFIG_GRKERNSEC_TPE_INVERT=y
/boot/config:CONFIG_GRKERNSEC_TPE_ALL=y
```

hmm

----------

## schachti

*Acronis wrote:*

> /boot/config:CONFIG_GRKERNSEC_TPE_INVERT=y
>
> /boot/config:CONFIG_GRKERNSEC_TPE_ALL=y

In this case, your user has to be a member of the group given by the option CONFIG_GRKERNSEC_TPE_GID (1234 in your case?). This is well explained in the help text in the kernel config. ;)

----------

## Acronis

/etc/group

testgroup:x:1234:testuser

I have added the user testuser to the group testgroup but it doesn't work.

----------

## mikb

*Acronis wrote:*

> /etc/group
>
> testgroup:x:1234:testuser
>
> I have added the user testuser to the group testgroup but it doesn't work.

Didn't work for me either - I had to use sysctl to change kernel.grsecurity.tpe to 0.

Then my personal scripts worked.

Someone else described this as "well explained". I don't think so. Well explained would include documentation on tuning it to allow fairly normal things - like personal scripts.

----------
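As an added example (not code from any poster in this thread), the script below triages a `denied untrusted exec` line like the ones in the first post: it extracts the file, interpreter and uid, then reports whether the containing directory is trusted and whether the user is in the TPE group. The function names are hypothetical, the sample line is constructed, and the rule that a trusted directory is root-owned and not writable by group or others is an assumption taken from general knowledge of TPE, not from the thread.

```shell
#!/bin/sh
# Added example: triage a grsecurity "denied untrusted exec" log line.
# Assumption: a TPE-trusted directory is owned by root (uid 0) and is
# not writable by group or others.

# Print "path|interpreter|uid|gid" for a denial line, nothing otherwise.
parse_denial() {
    printf '%s\n' "$1" | sed -n \
's#^.*grsec: denied untrusted exec of \(.*\) by \([^[]*\)\[[^]]*] uid/euid:\([0-9]*\)/[0-9]* gid/egid:\([0-9]*\)/.*$#\1|\2|\3|\4#p'
}

# Succeed if owner uid $1 and octal mode $2 describe a trusted directory.
tpe_dir_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# Succeed if gid $2 appears in the space-separated gid list $1
# (pass the output of `id -G <user>`).
gid_in_list() {
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# Report on one log line; $2 is the value of kernel.grsecurity.tpe_gid.
triage() {
    rec=$(parse_denial "$1")
    [ -n "$rec" ] || { echo "not a TPE denial"; return 1; }
    path=${rec%%|*}; rest=${rec#*|}
    uid=${rest#*|}; uid=${uid%%|*}
    dir=$(dirname "$path")
    echo "file: $path (uid $uid)"
    if st=$(stat -c '%u %a' "$dir" 2>/dev/null); then
        if tpe_dir_ok "${st% *}" "${st#* }"; then echo "dir $dir: trusted"
        else echo "dir $dir: untrusted (owner/mode: $st)"; fi
    else
        echo "dir $dir: cannot stat"
    fi
    if gid_in_list "$(id -G "$uid" 2>/dev/null)" "$2"; then
        echo "uid $uid is in gid $2"
    else
        echo "uid $uid is not in gid $2"
    fi
}

# Constructed sample, modelled on the first post (path is a placeholder).
SAMPLE='grsec: denied untrusted exec of /home/user/scripts/my_script.sh by /bin/bash[bash:9402] uid/euid:502/502 gid/egid:100/100, parent /bin/bash[bash:16337] uid/euid:502/502 gid/egid:100/100'
triage "$SAMPLE" 1234
```

`id -G` reads the group database, while a shell started before an `/etc/group` edit keeps its old group list until the user logs in again, so compare the report with the output of `id` in the session that is being denied.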

