Dear Alex,

Your one liner triggers the message on my system:
"grsec: (atoth:U:/) denied resource overstep by requesting 137445376 for
RLIMIT_STACK against limit 8388608 for /bin/pwd[pwd:23459]
uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:23425]
uid/euid:1000/1000 gid/egid:100/100"

The only cron job which contains "rm" is rkhunter's daily script. However,
the message showed up very rarely on my system, and not always with "rm".
Since I could find a way to reproduce it, I pushed that issue into the
background and it stayed there for long until now.

To pageexec:
I'm reporting the symptom using a 2.6.27-hardened, which is based on
2.6.27.4 and uses grsec-2.1.12-2.6.27.4-200811011834

To Alex:
CONFIG_GRKERNSEC_RESLOG is the kernel option IMHO which makes these
messages visible. That's why you can't see it with PaX alone. It can be an
error in how grsec tries to detect limit violations, but there can also be a
flaw in the implementation of some userspace component of the system.
I usually have some of these while I'm listening to music:
grsec: (atoth:U:/usr/bin/audacious) denied resource overstep by requesting
135168 for RLIMIT_MEMLOCK against limit 32768 for
/usr/bin/audacious[audacious:24077] uid/euid:1000/1000 gid/egid:100/100,
parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
and the usual reports about signal 11s, e.g. with java while browsing. Of
course that RLIMIT_MEMLOCK value requested is not so insane as that for
perl & pwd.

Question is: do you use a hardened toolchain with pie-ssp enabled, or a
regular one? It would be interesting to test it using a non-hardened userland
with a grsec-enabled kernel...

Regards,
Dw.
--
Dr. Attila Tóth, Radiology Specialist Trainee, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962

On Mon, November 10, 2008 10:24, Alex Efros wrote:
> Hi!
>
> On Mon, Nov 10, 2008 at 07:13:52AM +0100, atoth@××××××××××.hu wrote:
>> It would be good from Alex to provide his recipe for me to try out.
>
> This one doesn't trigger it on your system?
> for i in $(seq 1 10); do perl -e 'exec @ARGV' /bin/pwd; done
> Can you show your cron job then?
>
> --
> WBR, Alex.
>
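An added triage example, not part of this thread and not grsecurity code: a small Python parser for the RESLOG "denied resource overstep" lines quoted in the mail, which pulls out the resource, the requested value against the limit and the process/parent pair, then flags requests that overshoot the limit by more than an assumed factor. The sample lines are reconstructed from the two wrapped messages above; the 8x cut-off in `triage` is an assumption for illustration, not anything grsec defines.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two wrapped messages quoted in the mail, re-joined
# onto one line each as the kernel emits them, plus one unrelated line to skip.
SAMPLE_LOG = """\
grsec: (atoth:U:/) denied resource overstep by requesting 137445376 for RLIMIT_STACK against limit 8388608 for /bin/pwd[pwd:23459] uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:23425] uid/euid:1000/1000 gid/egid:100/100
grsec: (atoth:U:/usr/bin/audacious) denied resource overstep by requesting 135168 for RLIMIT_MEMLOCK against limit 32768 for /usr/bin/audacious[audacious:24077] uid/euid:1000/1000 gid/egid:100/100, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
kernel: unrelated line that must be ignored
"""

RESLOG_RE = re.compile(
    r"grsec: \((?P<role>[^)]*)\) denied resource overstep by requesting "
    r"(?P<requested>\d+) for (?P<resource>RLIMIT_\w+) against limit (?P<limit>\d+) "
    r"for (?P<path>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<ppath>\S+?)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\]"
)

@dataclass
class Overstep:
    resource: str
    requested: int
    limit: int
    path: str
    pid: int
    uid: int
    ppath: str
    ppid: int

    @property
    def ratio(self) -> float:
        # How far above the limit the request was; 1.0 would be exactly at it.
        return self.requested / self.limit

def parse_reslog(text: str) -> list[Overstep]:
    """Extract every resource-overstep event from a block of kernel log text."""
    events = []
    for m in (RESLOG_RE.search(line) for line in text.splitlines()):
        if m:
            events.append(Overstep(m["resource"], int(m["requested"]), int(m["limit"]),
                                   m["path"], int(m["pid"]), int(m["uid"]),
                                   m["ppath"], int(m["ppid"])))
    return events

def triage(events: list[Overstep], factor: float = 8.0) -> list[Overstep]:
    """Keep events that overshoot the limit by more than `factor`x. The cut-off is an
    assumption: a request many times the limit (pwd's stack) looks like mis-accounting
    in grsec or a userspace bug, not a program that is merely a little too greedy."""
    return [e for e in events if e.ratio > factor]
```

On the two quoted messages this separates the pwd stack request (about 16x the limit) from the audacious memlock one (about 4x), which is the distinction the mail draws by hand.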