| 1 |
Dear Alex, |
| 2 |
|
| 3 |
Your one liner triggers the message on my system: |
| 4 |
"grsec: (atoth:U:/) denied resource overstep by requesting 137445376 for |
| 5 |
RLIMIT_STACK against limit 8388608 for /bin/pwd[pwd:23459] |
| 6 |
uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:23425] |
| 7 |
uid/euid:1000/1000 gid/egid:100/100" |
| 8 |
|
| 9 |
The only cron job which contains "rm" is rkhunter's daily script. However |
| 10 |
the message showed up very rarely on my system. And not always with "rm". |
| 11 |
Since I could find a way to reproduce it, I pushed that issue in the |
| 12 |
background and stayed there for long until now. |
| 13 |
|
| 14 |
To pageexec: |
| 15 |
I'm reporting the symptom using a 2.6.27-hardened, which is based on |
| 16 |
2.6.27.4 and uses grsec-2.1.12-2.6.27.4-200811011834 |
| 17 |
|
| 18 |
To Alex: |
| 19 |
CONFIG_GRKERNSEC_RESLOG is the kernel option IMHO which makes these |
| 20 |
messages visible. That's why you can't see it with PaX alone. It can be an |
| 21 |
error how grsec tries to detect limit violations, but there can also be a |
| 22 |
flaw in the implementation in some userspace component of the system. |
| 23 |
I usually have some of these while I'm listening to music: |
| 24 |
grsec: (atoth:U:/usr/bin/audacious) denied resource overstep by requesting |
| 25 |
135168 for RLIMIT_MEMLOCK against limit 32768 for |
| 26 |
/usr/bin/audacious[audacious:24077] uid/euid:1000/1000 gid/egid:100/100, |
| 27 |
parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 |
| 28 |
and usual report about signal 11s for eg. with java while browsing. Of |
| 29 |
course that RLMIT_MEMLOCK value requested is not so insane like that for |
| 30 |
perl & pwd. |
| 31 |
|
| 32 |
Question is: do you use a hardened toolchain pie-ssp enabled, or a |
| 33 |
regular? It would be interesting to test it using a non-hardened userland |
| 34 |
with a grsec-enabled kernel... |
| 35 |
|
| 36 |
Regards, |
| 37 |
Dw. |
| 38 |
-- |
| 39 |
dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962 |
| 40 |
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962 |
| 41 |
|
| 42 |
On Hét, November 10, 2008 10:24, Alex Efros wrote: |
| 43 |
> Hi! |
| 44 |
> |
| 45 |
> On Mon, Nov 10, 2008 at 07:13:52AM +0100, atoth@××××××××××.hu wrote: |
| 46 |
>> It would be good from Alex to provide his recipe for me to try out. |
| 47 |
> |
| 48 |
> This one doesn't trigger it on your system? |
| 49 |
> for i in $(seq 1 10); do perl -e 'exec @ARGV' /bin/pwd; done |
| 50 |
> Can you show your cron job then? |
| 51 |
> |
| 52 |
> -- |
| 53 |
> WBR, Alex. |
| 54 |
> |
Archives