On Mon, 29 Sep 2008 19:57:02 +0300
Alex Efros <powerman@××××××××××××××××××.com> wrote:

> > why those events occurred is another question and each case needs
> > its own investigation. for example overstepping the default 8MB
> > stack limit by 180MB sounds like a memory corruption problem or
> > something trying to pass an inordinate amount of data on the stack
> > (say, in the environment). whether that was because of e.g., a bug
> > in a script on your server or an exploit attempt is hard to tell
> > after the fact. also the AS limit overstep is a known issue, qmail
> > tries to be smart and fails to estimate its own memory needs.
>
> Now I've a smaller example. I've executed this command 10 times:
>     perl -e 'exec "/bin/pwd"'
> and got 5 records in logs, listed below.
> Executing just:
>     /bin/pwd
> or
>     bash -c 'exec /bin/pwd'
> many times doesn't result in grsec alerts.
> If you wanna say "it's because of perl", I'd like to remind you -
> there were no perl scripts between tcpserver and qmail-smtpd before,
> the command looks this way:
>     /usr/bin/tcpserver -p -v -R -x /etc/tcprules.d/tcp.qmail-smtp.cdb
>     \ -c 40 -u 201 -g 200 0.0.0.0 smtp /var/qmail/bin/qmail-smtpd
>
> Didn't you think it's a good idea to trace this issue? It may be a bug
> in grsec... anyway, a usual hardened system shouldn't produce such
> warnings in logs just because somebody calls exec() from a perl script
> or uses qmail.

What's the output of `strace perl -e 'exec "/bin/pwd"' 2>&1 \
|grep -i rlimit`?

Also try invoking perl with `env -i` to rule out any environment issues.

--atj