| 1 |
I've recently tried hardened-sources-3.3.0 |
| 2 |
(grsecurity-2.9-3.3.0-201203251922) and dovecot stopped working properly. |
| 3 |
All other deamons seem to tolerate eachother with 3.3.0-grsec, except for |
| 4 |
dovecot. |
| 5 |
|
| 6 |
Here are the error messages I see in mail.log: |
| 7 |
Apr 4 21:55:55 replaced dovecot: imap: Error: dovecot/imap: error while |
| 8 |
loading shared libraries: libpthread.so.0: failed to map segment from |
| 9 |
shared object: Cannot allocate memory |
| 10 |
Apr 4 21:55:55 replaced dovecot: master: Error: service(imap): command |
| 11 |
startup failed, throttling for 2 secs |
| 12 |
Apr 4 21:55:55 replaced dovecot: imap: Fatal: master: service(imap): |
| 13 |
child 6275 returned error 127 |
| 14 |
Apr 4 21:55:55 replaced dovecot: imap-login: Error: read(imap) failed: |
| 15 |
Connection reset by peer |
| 16 |
Apr 4 21:55:55 replaced dovecot: imap-login: Internal login failure |
| 17 |
(pid=6272 id=1) (internal failure, 1 succesful auths): user=<replaced>, |
| 18 |
method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured |
| 19 |
Apr 4 21:56:13 replaced dovecot: master: Error: service(imap-login): |
| 20 |
command startup failed, throttling for 2 secs |
| 21 |
Apr 4 21:56:13 replaced dovecot: imap-login: Fatal: master: |
| 22 |
service(imap-login): child 6309 killed with signal 9 |
| 23 |
|
| 24 |
restarting the daemon |
| 25 |
Apr 4 21:59:43 replaced dovecot: master: Warning: Killed with signal 15 |
| 26 |
(by pid=6390 uid=0 code=kill) |
| 27 |
Apr 4 21:59:53 replaced dovecot: master: Dovecot v2.1.3 starting up (core |
| 28 |
dumps disabled) |
| 29 |
daemon restarted |
| 30 |
|
| 31 |
Apr 4 22:00:43 replaced dovecot: master: Error: service(imap-login): |
| 32 |
command startup failed, throttling for 2 secs |
| 33 |
Apr 4 22:00:43 replaced dovecot: imap-login: Fatal: master: |
| 34 |
service(imap-login): child 6450 killed with signal 9 |
| 35 |
Apr 4 22:05:12 replaced dovecot: imap-login: Login: user=<replaced>, |
| 36 |
method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=6484, secured |
| 37 |
Apr 4 22:05:12 replaced dovecot: imap(replaced): Disconnected: Logged out |
| 38 |
in=44 out=721 |
| 39 |
Apr 4 22:05:13 replaced dovecot: imap-login: Error: dovecot/imap-login: |
| 40 |
error while loading shared libraries: libcrypto.so.1.0.0: failed to map |
| 41 |
segment from shared object: Cannot allocate memory |
| 42 |
Apr 4 22:05:13 replaced dovecot: master: Error: service(imap-login): |
| 43 |
command startup failed, throttling for 2 secs |
| 44 |
Apr 4 22:05:13 replaced dovecot: imap-login: Fatal: master: |
| 45 |
service(imap-login): child 6486 returned error 127 |
| 46 |
Apr 4 22:05:15 replaced dovecot: imap-login: Login: user=<replaced>, |
| 47 |
method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=6488, secured |
| 48 |
Apr 4 22:05:17 replaced dovecot: imap(replaced): Disconnected: Logged out |
| 49 |
in=43541 out=178193 |
| 50 |
|
| 51 |
I only see some RLIMIT_AS lines in grsec.log, no other relevant messages: |
| 52 |
Apr 4 22:00:43 replaced kernel: grsec: From 10.97.100.79: |
| 53 |
(root:U:/usr/libexec/dovecot/imap-login) denied resource overstep by |
| 54 |
requesting 63205376 for RLIMIT_AS against limit 16777216 for |
| 55 |
/usr/libexec/dovecot/imap-login[imap-login:6450] uid/euid:0/0 |
| 56 |
gid/egid:0/0, parent /usr/sbin/dovecot[dovecot:6409] uid/euid:0/0 |
| 57 |
gid/egid:0/0 |
| 58 |
Apr 4 22:05:13 replaced kernel: grsec: |
| 59 |
(root:U:/usr/libexec/dovecot/imap-login) denied resource overstep by |
| 60 |
requesting 17612800 for RLIMIT_AS against limit 16777216 for |
| 61 |
/usr/libexec/dovecot/imap-login[imap-login:6486] uid/euid:0/0 |
| 62 |
gid/egid:0/0, parent /usr/sbin/dovecot[dovecot:6409] uid/euid:0/0 |
| 63 |
gid/egid:0/0 |
| 64 |
|
| 65 |
The symptom is that I cannot log on to squirrelmail. I could get in |
| 66 |
eventually, but most of the time it fails. The symptoms are present with |
| 67 |
or without activated RBAC. |
| 68 |
|
| 69 |
There were no RLIMIT_AS grsec messages or failed shared library loads |
| 70 |
using hardened-sources-3.2.9 (grsecurity-2.9-3.2.9-201203022148) or |
| 71 |
hardened-sources-3.2.9-r1 (grsecurity-2.9-3.2.9-201203062051). |
| 72 |
|
| 73 |
Should I open a bug report? |
| 74 |
-- |
| 75 |
dr Tóth Attila, Radiológus, 06-20-825-8057 |
| 76 |
Attila Toth MD, Radiologist, +36-20-825-8057 |
Archives