Ubuntu 22.04 causes grsecurity/PaX filebot error

Support for Ubuntu and other Desktop Linux distributions
ChromeQ
Posts: 8
Joined: 18 Nov 2019, 06:13

Ubuntu 22.04 causes grsecurity/PaX filebot error

Post by ChromeQ »

I recently updated to Ubuntu 22.04.2 with kernel 5.15.0-69, and since then I have had trouble calling filebot from another bash script. It does, however, run fine when I call the same filebot command from my user or with sudo.
My setup is as follows: transmission-daemon has `"script-torrent-done-filename": "torrent-completed.sh",` and this script is called fine and logs as expected. It usually calls filebot with fn:amc, but in this example it simply calls `filebot -version` and outputs the following error:

2023-04-13 10:40:42 Running torrent-completed script as user: uid=128(debian-transmission) gid=134(debian-transmission) groups=134(debian-transmission),1001(media) // <-- logged from torrent-completed.sh
    /home/dav/Downloads/Ted.Lasso.S03E05.720p.WEB.H264-CAKES[rarbg] // <-- logged from torrent-completed.sh
    Torrent completed script - default filebot command to be used // <-- logged from torrent-completed.sh
Error occurred during initialization of VM
Failed to mark memory page as executable - check if grsecurity/PaX is enabled
The bash script looks like this: (TR_TORRENT_DIR and TR_TORRENT_NAME provided by transmission-daemon)

#!/bin/bash
# Hook run by transmission-daemon; TR_TORRENT_DIR and TR_TORRENT_NAME are set by the daemon.
LOG=/etc/transmission-daemon/torrent-completed.log
DATE=$(date '+%Y-%m-%d %H:%M:%S')   # timestamp written at the start of each log entry
echo -e "\n$DATE Running torrent-completed script as user: $(id)" | tee -a "$LOG"
echo "    $TR_TORRENT_DIR/$TR_TORRENT_NAME" | tee -a "$LOG"
echo "    Torrent completed script - default filebot command to be used" | tee -a "$LOG"
# Capture stderr too, so a JVM startup failure ends up in the log as well
filebot -version 2>&1 | tee -a "$LOG"
I've updated filebot to the latest version using the .deb file:

# filebot -version
FileBot 5.0.2 (r9722) / OpenJDK Runtime Environment 17.0.6
ChromeQ

Re: Ubuntu 22.04 causes grsecurity/PaX filebot error

Post by ChromeQ »

I have tried various things regarding PaX including running paxctl -pemrsx `which java` (which I found here https://unix.stackexchange.com/question ... -with-paxd to disable pax security for java).
I also did the same for the java located in filebot/jre/bin/java, as referenced in filebot/bin/filebot.sh, but with the same result.

# paxctl -v /usr/share/filebot/jre/bin/java
PaX control v0.9
Copyright 2004,2005,2006,2007,2009,2010,2011,2012,2014 PaX Team <pageexec@freemail.hu>

- PaX flags: -p-s-m-x-e-r [/usr/share/filebot/jre/bin/java]
	PAGEEXEC is disabled
	SEGMEXEC is disabled
	MPROTECT is disabled
	RANDEXEC is disabled
	EMUTRAMP is disabled
	RANDMMAP is disabled
rednoah
The Source
Posts: 22923
Joined: 16 Nov 2011, 08:59
Location: Taipei

Re: Ubuntu 22.04 causes grsecurity/PaX filebot error

Post by rednoah »

Looks like the JVM crashes on startup, so no FileBot-specific code is ever executed:

Error occurred during initialization of VM
Failed to mark memory page as executable - check if grsecurity/PaX is enabled


ChromeQ wrote (13 Apr 2023, 00:55):
It does however run fine when I call the same filebot command from my user or sudo.

That's a clue. Perhaps printenv will tell us what is different?
EDIT:

Using the apt repository may work better for you, instead of manually installing the *_amd64.deb package: https://serverfault.com/a/1115616/341621
ChromeQ

Re: Ubuntu 22.04 causes grsecurity/PaX filebot error

Post by ChromeQ »

The printenv for the root user is:

_=/usr/bin/printenv
HOME=/root
LANG=en_AU.UTF-8
LANGUAGE=en_AU:en
LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libGL.so.1
LESSCLOSE=/usr/bin/lesspipe %s %s
LESSOPEN=| /usr/bin/lesspipe %s
LOGNAME=root
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
MAIL=/var/mail/root
OLDPWD=/home/dav
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
PWD=/etc/transmission-daemon
SHELL=/bin/bash
SHLVL=1
SUDO_COMMAND=/usr/bin/su
SUDO_GID=1000
SUDO_UID=1000
SUDO_USER=dav
TERM=xterm-256color
USER=root
And for the debian-transmission user that executes the torrent-completed.sh script:

_=/usr/bin/printenv
HOME=/etc/transmission-daemon
INVOCATION_ID=4cedca30487e4ba6809450c98dd26c81
JOURNAL_STREAM=8:21398
LANG=en_AU.UTF-8
LANGUAGE=en_AU:en
LOGNAME=debian-transmission
NOTIFY_SOCKET=/run/systemd/notify
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
PWD=/
SHLVL=0
SYSTEMD_EXEC_PID=847
TR_APP_VERSION=4.0.2
TR_TIME_LOCALTIME=Thu Apr 13 17:03:39 2023
TR_TORRENT_BYTES_DOWNLOADED=0
TR_TORRENT_DIR=/home/dav/Downloads
TR_TORRENT_HASH=618a197c2872caed979650d6f29490abc954614b
TR_TORRENT_ID=20
TR_TORRENT_LABELS=
TR_TORRENT_NAME=Ted.Lasso.S03E05.720p.WEB.H264-CAKES[rarbg]
TR_TORRENT_TRACKERS=tracker.coppersurfer.tk:6969,explodie.org:6969,9.rarbg.to:2980
USER=debian-transmission
Quite a few differences, but I'm not sure which may be causing the issue.

I'll try the apt install now and report back.
ChromeQ

Re: Ubuntu 22.04 causes grsecurity/PaX filebot error

Post by ChromeQ »

Same result with the apt install of filebot, where the java used is the system one rather than the local jre/java one.

2023-04-13 17:57:39 Running torrent-completed script as user: uid=128(debian-transmission) gid=134(debian-transmission) groups=134(debian-transmission),1001(media)
    /home/dav/Downloads/Ted.Lasso.S03E05.720p.WEB.H264-CAKES[rarbg]
    Torrent completed script - default filebot command to be used
Running filebot.sh as user: uid=128(debian-transmission) gid=134(debian-transmission) groups=134(debian-transmission),1001(media)
Using java: /usr/bin/java
Error occurred during initialization of VM
Failed to mark memory page as executable - check if grsecurity/PaX is enabled
NOTE: I added the `Running filebot.sh` and `Using java` lines to the filebot/bin/filebot.sh file.

NOTE II: I also ensured the system java located at /usr/bin/java is PaX disabled but same result:

# paxctl -v /usr/bin/java
PaX control v0.9
Copyright 2004,2005,2006,2007,2009,2010,2011,2012,2014 PaX Team <pageexec@freemail.hu>

- PaX flags: -p-s-m-x-e-r [/usr/bin/java]
	PAGEEXEC is disabled
	SEGMEXEC is disabled
	MPROTECT is disabled
	RANDEXEC is disabled
	EMUTRAMP is disabled
	RANDMMAP is disabled
ChromeQ

Re: Ubuntu 22.04 causes grsecurity/PaX filebot error

Post by ChromeQ »

I finally cracked it. Although this wasn't a problem with filebot, I will put the solution here in case anybody runs into a similar issue in the future.

While messing around with `sudo -u` to call another script as my user rather than `debian-transmission`, I finally got a different error message:

If sudo is running in a container, you may need to adjust the container configuration to disable the flag.
Sudo was run by a process that has the Linux “no new privileges” flag set.
That gave me a lead to search for "privileges" in the transmission-daemon source code on GitHub, which led me to https://github.com/transmission/transmi ... ssues/1951 and https://github.com/transmission/transmission/pull/795.

So the problem is with transmission-daemon running on Linux with systemd 227 or greater, which hardened security and file access and thereby affected the torrent-completed scripts (and probably other scripts too, but this is the only one I was using and tested).

According to those discussions it should have been as simple as setting `NoNewPrivileges=false`, but unfortunately that wasn't enough for me.

After a lot more trial and error, turning off the services in the transmission-daemon service file "/lib/systemd/system/transmission-daemon.service" by process of elimination, what worked for me was changing these particular lines to match this:

NoNewPrivileges=true
MemoryDenyWriteExecute=false
ProtectSystem=false
PrivateTmp=true
Now everything works!!
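The thread above ends with the whole hardening section of the unit file relaxed. As an added example (not from any of the posts, nor from the FileBot or Transmission projects), the script below reads the effective sandbox settings of a systemd unit as printed by `systemctl show <unit>` (assumed format: booleans as yes/no, ProtectSystem as no/yes/full/strict), reports which directives would break a torrent-done hook that launches a JVM and appends to a log under /etc, and emits a narrower drop-in than the thread's final config: W^X enforcement off for the JVM, only the log path made writable instead of `ProtectSystem=false`, and `NoNewPrivileges` left in place. The file name `audit_unit.sh` and the log path are assumptions taken from the thread.

```shell
#!/bin/sh
# Added diagnostic for the problem in this thread; not code from the forum posts or
# from the FileBot/Transmission projects. Input is `Key=value` output of `systemctl show`.

# Paths the torrent-done hook writes; constructed to match the script in the thread.
HOOK_WRITE_PATHS="/etc/transmission-daemon/torrent-completed.log"

# Print one finding per directive that breaks a hook which starts a JVM and appends to
# a log. Returns 0 when nothing conflicts, 1 otherwise.
audit_sandbox() {
  found=0
  while IFS='=' read -r key val; do
    case "$key" in
      MemoryDenyWriteExecute)
        # The JVM JIT maps pages writable and later executable; W^X enforcement makes
        # that mprotect() fail with the "check if grsecurity/PaX is enabled" error.
        [ "$val" = yes ] && { echo "$key=$val: JVM cannot start (W^X enforced)"; found=1; } ;;
      NoNewPrivileges)
        [ "$val" = yes ] && { echo "$key=$val: sudo inside the hook is refused"; found=1; } ;;
      ProtectSystem)
        # yes: /usr,/boot read-only; full: also /etc; strict: all but /dev,/proc,/sys.
        for p in $HOOK_WRITE_PATHS; do
          case "$val:$p" in
            strict:*|full:/etc/*|full:/usr/*|yes:/usr/*)
              echo "$key=$val: cannot write $p"; found=1 ;;
          esac
        done ;;
    esac
  done
  return $found
}

# Turn findings into a drop-in for /etc/systemd/system/<unit>.service.d/override.conf
# (survives package upgrades, unlike editing /lib/systemd/system directly).
render_dropin() {
  rw_done=0
  printf '[Service]\n'
  while IFS=: read -r directive _; do
    case "$directive" in
      MemoryDenyWriteExecute=*) printf 'MemoryDenyWriteExecute=false\n' ;;
      ProtectSystem=*)
        [ "$rw_done" = 0 ] && { printf 'ReadWritePaths=%s\n' "$HOOK_WRITE_PATHS"; rw_done=1; } ;;
      NoNewPrivileges=*) printf '# NoNewPrivileges kept: drop sudo from the hook instead\n' ;;
    esac
  done
}

# Usage: sh audit_unit.sh transmission-daemon   (needs a host running systemd)
[ $# -gt 0 ] && systemctl show "$1" | audit_sandbox | render_dropin
```

After writing the drop-in, `systemctl daemon-reload` and restart the unit; `systemctl show` then reports the relaxed values and the same audit should return 0.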