| 1 |
> ...SKIP...- part1 before disabling grsec2 |
| 2 |
> grsec: attempted resource overstep by requesting 1024 for RLIMIT_NOFILE |
| 3 |
> against limit 1024 by /usr/bin/postgres[postmaster:28855] uid/euid:70/70 |
| 4 |
> gid/egid:70/70, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 |
| 5 |
|
| 6 |
i guess this one is not related to artsd, but here's what i know about |
| 7 |
it anyway: for some reason postgresql tries to determine the max fd |
| 8 |
limit by simply duping an fd until it receives an error, that will then |
| 9 |
run into grsec rlimit enforcement and the message above. i read on one |
| 10 |
of their mailing lists a while ago that this was supposed to be fixed: |
| 11 |
|
| 12 |
http://groups.google.com/groups?threadm=c8abh7%245ap%241%40FreeBSD.csie.NCTU.edu.tw |
| 13 |
|
| 14 |
> ...SKIP... - part2 after disabling grsec2 |
| 15 |
> grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE |
| 16 |
> against limit 0 by |
| 17 |
> /var/tmp/portage/arts-1.3.0/work/arts-1.3.0/mcopidl/.libs/lt-mcopidl[lt-mcopidl:4517] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/make[make:4516] uid/euid:0/0 gid/egid:0/0 |
| 18 |
> grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE |
| 19 |
> against limit 0 by |
| 20 |
> /var/tmp/portage/arts-1.3.0/work/arts-1.3.0/mcopidl/.libs/lt-mcopidl[lt-mcopidl:4526] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/make[make:4516] uid/euid:0/0 gid/egid:0/0 |
| 21 |
> ...END... |
| 22 |
|
| 23 |
this is just a report that lt-mcopidl crashed or was killed, it doesn't |
| 24 |
tell us the reason. did you get PaX kill messages beforehand (in which |
| 25 |
case it would be a runtime code generation issue)? if not, then it's a |
| 26 |
'normal' crash, needs debugging. for this you have to enable coredumps |
| 27 |
('ulimit -c unlimited' in your shell before you run emerge) then look at |
| 28 |
the coredump in gdb and post some info like 'bt', 'info reg', 'x/8i $eip', |
| 29 |
'x/16x $esp', etc. |
| 30 |
|
| 31 |
> Just a non-related question: could i use the 'default' spec GCC file |
| 32 |
> (change it manually) to compile something and after that restore the |
| 33 |
> default (hardened.spec)? |
| 34 |
|
| 35 |
yes you can, but normally you can just set CFLAGS to disable ssp/pie if |
| 36 |
they're causing problems. there're already safeguards against some flag |
| 37 |
combinations that disable one or the other, if some case is not covered |
| 38 |
in the specs then that's a bug ;-). |
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
-- |
| 43 |
gentoo-hardened@g.o mailing list |
Archives