KESL rejects connection from kesl-control, gui or nagent due to non-root write permissions [KES for Linux]


Problem

There are several problems with similar causes:

1) The KESL postinstall script produces an error:

Warning: Failed to set up KSN

2) KESL is installed and running. However, the kesl-control command outputs something like this:

kesl-control --app-info

Connection refused. Invalid user permissions for /var.

Only root user should have write access to this path.


kesl-control --app-info

Could not connect to Kaspersky Endpoint Security 11.2.2 for Linux

3) KESL is installed and running, and kesl-control indicates no problems. However, kesl-gui shows the "Application is currently unavailable" error.

4) KESL is installed and running, and nagent indicates no connectivity problems. However, KSC shows that KESL is stopped and can't be started.

Root cause

The KESL service implements defensive logic that denies connections from processes it does not consider "trusted". One reason a process is not trusted is that its executable file, or a library it loads, can be overwritten by a non-root user:

1) The Owner is not "root".

2) FS write permission is granted to "Group" or "Other".

Such errors often indicate an erroneous configuration. For example:

  • You may have changed the permissions of /opt or another folder (which is not supposed to be widely accessible) to 777;
  • In Astra Linux, the owner of the /var directory is sometimes changed to the fly-dm service user due to an error in the fly-dm package. Astra developers confirmed this bug and released a fix. If the issue reproduces with new fly-dm versions, contact Astra support.
  • The LD_PRELOAD variable may be used to load arbitrary libraries into any given process, including KESL. This is usually the case when you see non-root permission errors for third-party libraries.

Solution

To restore proper permissions, use the chown and/or chmod commands:

chown root:root /path/to/folder
chmod g-w,o-w /path/to/folder

Please exercise caution when changing permissions for / and folders directly under /. Which files and folders are checked depends on the environment, so a complete list cannot be provided.

In newer KESL versions, the kesl-control output indicates which path has incorrect permissions.

You can check which folders have incorrect permissions using this command:

# ls -ld / /var /var/opt /opt /opt/kaspersky /bin /usr /usr/lib /usr/lib64 | egrep -v '^d.{4}-.{2}-.*root root'

To get a full list of files loaded by KESL or klnagent, you can read /proc/<pid>/maps. Use the commands below to filter out the application-specific files located in the folders listed above and to see which other files are used:

# cat /proc/$(pidof -s klnagent)/maps | awk '{print $6}' | grep ^/ | grep -v 'kaspersky' | sort | uniq
# cat /proc/$(pidof kesl)/maps | awk '{print $6}' | grep ^/ | grep -v 'kaspersky' | sort | uniq
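
The two checks above can be combined so that each file mapped into a process is checked together with every one of its parent directories, which goes beyond the fixed folder list. This is an added example, not part of the original article or of Kaspersky's tooling; the function names check_path, audit_chain and mapped_files are made up for illustration, and GNU stat and readlink are assumed.

```sh
#!/bin/sh
# Added example (not Kaspersky code): flag paths a non-root user could overwrite.
# Assumes GNU coreutils (stat -c, readlink -f). Function names are illustrative.

# check_path PATH [TRUSTED_UID]
# Prints one line per violation; returns 0 if PATH is clean, 1 otherwise.
check_path() (
    path=$1 trusted=${2:-0}
    uid=$(stat -L -c %u -- "$path" 2>/dev/null) || exit 0  # vanished: skip
    mode=$(stat -L -c %a -- "$path" 2>/dev/null) || exit 0
    rc=0
    [ "$uid" -eq "$trusted" ] ||
        { echo "$path: owner uid $uid, expected $trusted"; rc=1; }
    # 022 = write bit for group (020) plus write bit for other (002)
    [ $(( 0$mode & 022 )) -eq 0 ] ||
        { echo "$path: mode $mode is writable by group or other"; rc=1; }
    exit $rc
)

# audit_chain FILE [TRUSTED_UID]
# Checks FILE and every parent directory up to /, since a writable parent
# lets the file be replaced even when the file itself is root-owned.
audit_chain() (
    p=$(readlink -f -- "$1") || exit 0
    rc=0
    while :; do
        check_path "$p" "${2:-0}" || rc=1
        [ "$p" = / ] && break
        p=$(dirname -- "$p")
    done
    exit $rc
)

# mapped_files PID: unique absolute paths from /proc/PID/maps (column 6).
mapped_files() {
    awk '$6 ~ /^\// { print $6 }' "/proc/$1/maps" | sort -u
}

# Audit every PID passed as an argument; does nothing without arguments.
for pid in "$@"; do
    mapped_files "$pid" | while IFS= read -r f; do
        audit_chain "$f"
    done
done | sort -u
```

Run it as root with the PIDs to audit, for example with the output of pidof kesl and pidof -s klnagent as arguments. Every line it prints is a path to fix with the chown and chmod commands shown earlier.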