| 1 |
On Mon, 29 Sep 2008 19:57:02 +0300 |
| 2 |
Alex Efros <powerman@××××××××××××××××××.com> wrote: |
| 3 |
|
| 4 |
> > why those events occured is another question and each case needs |
| 5 |
> > its own investigation. for example overstepping the default 8MB |
| 6 |
> > stack limit by 180MB sounds like a memory corruption problem or |
| 7 |
> > something trying to pass an inordinate amount of data on the stack |
| 8 |
> > (say, in the environment). whether that was because of e.g., a bug |
| 9 |
> > in a script on your server or an exploit attempt is hard to tell |
| 10 |
> > after the fact. also the AS limit overstep is a known issue, qmail |
| 11 |
> > tries to be smart and fails to estimate its own memory needs. |
| 12 |
> |
| 13 |
> Now I've smaller example. I've executed this command 10 times: |
| 14 |
> perl -e 'exec "/bin/pwd"' |
| 15 |
> and got 5 records in logs, listed below. |
| 16 |
> Executing just: |
| 17 |
> /bin/pwd |
| 18 |
> or |
| 19 |
> bash -c 'exec /bin/pwd' |
| 20 |
> many times doesn't result in grsec alerts. |
| 21 |
> If you wanna say "it's because of perl", I'd like to remind you - |
| 22 |
> there was no perl scripts between tcpserver and qmail-smtpd before, |
| 23 |
> the command looks this way: |
| 24 |
> /usr/bin/tcpserver -p -v -R -x /etc/tcprules.d/tcp.qmail-smtp.cdb |
| 25 |
> \ -c 40 -u 201 -g 200 0.0.0.0 smtp /var/qmail/bin/qmail-smtpd |
| 26 |
> |
| 27 |
> Didn't you think it's good idea to trace this issue? It may be a bug |
| 28 |
> in grsec... anyway, usual hardened system shouldn't produce such a |
| 29 |
> warnings in logs just because somebody call exec() from perl script |
| 30 |
> or use qmail. |
| 31 |
|
| 32 |
What's the output of `strace perl -e 'exec "/bin/pwd"' 2>&1 \ |
| 33 |
|grep -i rlimit`? |
| 34 |
|
| 35 |
Also try invoking perl with `env -i` to rule out any environment issues. |
| 36 |
|
| 37 |
--atj |
Archives