Hi!
On Mon, Sep 29, 2008 at 06:46:18PM +0200, pageexec@... wrote:
> maybe it's because of what you said:
> > I've no idea why grsec complain in logs about it.
> at this point it's clear that you didn't quite read the description of
> GRKERNSEC_RESLOG which is what you've apparently enabled. in short, grsec
> is doing what you asked it to do: log various resource overstep events.
Not really. :) I know I enabled this item, and I understand what it does.
The question is exactly "what's wrong with qmail-smtpd, why it hit
resource limits?".
> why those events occurred is another question and each case needs its own
> investigation. for example overstepping the default 8MB stack limit by
> 180MB sounds like a memory corruption problem or something trying to pass
> an inordinate amount of data on the stack (say, in the environment).
> whether that was because of e.g., a bug in a script on your server or an
> exploit attempt is hard to tell after the fact. also the AS limit overstep
> is a known issue, qmail tries to be smart and fails to estimate its own
> memory needs.
Now I have a smaller example. I've executed this command 10 times:
perl -e 'exec "/bin/pwd"'
and got 5 records in logs, listed below.
Executing just:
/bin/pwd
or
bash -c 'exec /bin/pwd'
many times doesn't result in grsec alerts.
If you wanna say "it's because of perl", I'd like to remind you - there
were no perl scripts between tcpserver and qmail-smtpd before, the command
looks this way:
/usr/bin/tcpserver -p -v -R -x /etc/tcprules.d/tcp.qmail-smtp.cdb \
-c 40 -u 201 -g 200 0.0.0.0 smtp /var/qmail/bin/qmail-smtpd
Didn't you think it's a good idea to trace this issue? It may be a bug in
grsec... anyway, a usual hardened system shouldn't produce such warnings
in logs just because somebody calls exec() from a perl script or uses qmail.
2008-09-29_16:49:11.85806 kern.alert: grsec: denied resource overstep by requesting 110424064 for RLIMIT_STACK against limit 8388608 for /bin/pwd[pwd:18143] uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:28139] uid/euid:1000/1000 gid/egid:100/100
2008-09-29_16:49:17.16897 kern.alert: grsec: denied resource overstep by requesting 124620800 for RLIMIT_STACK against limit 8388608 for /bin/pwd[pwd:18250] uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:28139] uid/euid:1000/1000 gid/egid:100/100
2008-09-29_16:49:19.20874 kern.alert: grsec: denied resource overstep by requesting 137330688 for RLIMIT_STACK against limit 8388608 for /bin/pwd[pwd:18300] uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:28139] uid/euid:1000/1000 gid/egid:100/100
2008-09-29_16:49:21.16078 kern.alert: grsec: denied resource overstep by requesting 187035648 for RLIMIT_STACK against limit 8388608 for /bin/pwd[pwd:18345] uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:28139] uid/euid:1000/1000 gid/egid:100/100
2008-09-29_16:49:23.64000 kern.alert: grsec: denied resource overstep by requesting 146747392 for RLIMIT_STACK against limit 8388608 for /bin/pwd[pwd:18398] uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:28139] uid/euid:1000/1000 gid/egid:100/100
--
WBR, Alex.
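
When triaging a burst of RESLOG alerts like the ones quoted in this message, it helps to group them by binary, resource and parent and compare the requested sizes against the limit. The following is an added example, not part of the original message or of grsecurity. Assumptions: the regular expression is inferred from the log lines in this message, and the names parse, summarize, TAIL and SAMPLE are hypothetical.

```python
import re
from collections import defaultdict

# Field layout inferred from the log lines quoted in the message (an assumption,
# not taken from grsecurity's source).
RESLOG = re.compile(
    r"grsec: denied resource overstep by requesting (?P<req>\d+) "
    r"for (?P<res>RLIMIT_\w+) against limit (?P<lim>\d+) "
    r"for (?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:\d+/\d+, "
    r"parent (?P<pexe>\S+)\[[^:\]]+:(?P<ppid>\d+)\]")

def parse(line):
    """Return one overstep event as a dict, or None for unrelated lines."""
    m = RESLOG.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for k in ("req", "lim", "pid", "uid", "euid", "ppid"):
        ev[k] = int(ev[k])
    ev["ratio"] = ev["req"] / ev["lim"]  # how far past the limit the request was
    return ev

def summarize(lines):
    """Group events by (binary, resource, parent binary) and report the spread."""
    groups = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        groups[(ev["exe"], ev["res"], ev["pexe"])].append(ev)
    return {
        key: {"count": len(evs),
              "limits": sorted({e["lim"] for e in evs}),
              "min_req": min(e["req"] for e in evs),
              "max_req": max(e["req"] for e in evs),
              "parents": sorted({e["ppid"] for e in evs})}
        for key, evs in groups.items()}

TAIL = (" uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:28139]"
        " uid/euid:1000/1000 gid/egid:100/100")
SAMPLE = [
    # First two lines are copied from the message; the third is constructed.
    "2008-09-29_16:49:11.85806 kern.alert: grsec: denied resource overstep by requesting"
    " 110424064 for RLIMIT_STACK against limit 8388608 for /bin/pwd[pwd:18143]" + TAIL,
    "2008-09-29_16:49:21.16078 kern.alert: grsec: denied resource overstep by requesting"
    " 187035648 for RLIMIT_STACK against limit 8388608 for /bin/pwd[pwd:18345]" + TAIL,
    "2008-09-29_16:50:00.00000 kern.info: unrelated kernel message",
]

if __name__ == "__main__":
    for key, stats in summarize(SAMPLE).items():
        print(key, stats)
```

A wide spread between min_req and max_req against one fixed limit, for the same binary under the same parent, is the pattern visible in the alerts above.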