grsecurity forums

Skip to content

Troubles with daemontools and PaX

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.
Topic locked

Troubles with daemontools and PaX

Postby ah » Mon Jan 24, 2005 9:52 am

I've got troubles with daemontools and PaX (current grsecurity against Linux 2.4.28, configured as suggest in http://grsecurity.net/quickstart.pdf):

Jan 24 13:45:13 sdsvl kernel: PAX: execution attempt in: <anonymous mapping>, 5b410000-5b412000 fffff000
Jan 24 13:45:13 sdsvl kernel: PAX: terminating task: /package/admin/daemontools-0.76/command/supervise(supervise):26385, uid/euid: 0/0, PC: 5b4109ac, SP:
5b4106dc
Jan 24 13:45:13 sdsvl kernel: PAX: bytes at PC: 58 b8 77 00 00 00 cd 80 b8 95 04 08 dc 09 41 5b 02 00 00 00
Jan 24 13:45:13 sdsvl kernel: grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by /package/admin/daemontools-0.76/command/supervise[supervise:26385] uid/euid:0/0 gid/egid:0/0, parent /package/admin/daemontools-0.76/command/svscan[svscan:9034] uid/euid:0/0 gid/egid:0/0

As suggested in http://grsecurity.net/quickstart.pdf (last page), I ran paxctl to disable pax for supervise:

paxctl -spmr /package/admin/daemontools-0.76/command/supervise

Doesn't help. What am I doing wrong?
ah
 
Posts: 4
Joined: Mon Jan 24, 2005 9:45 am
Top

Postby onyx » Mon Jan 24, 2005 12:10 pm

Do you have the patched binutils? Paxtcl works only with patched binutils. If you don't have it, try chpax instead of paxctl. (Eg if you have an old woody system)

Balint
onyx
 
Posts: 36
Joined: Tue Jan 20, 2004 7:46 pm
Top

Postby ah » Mon Jan 24, 2005 1:01 pm

Yeah, that's it. Thank you very much :)
ah
 
Posts: 4
Joined: Mon Jan 24, 2005 9:45 am
Top

Re: Troubles with daemontools and PaX

Postby PaX Team » Mon Jan 24, 2005 6:45 pm

ah wrote:Jan 24 13:45:13 sdsvl kernel: PAX: bytes at PC: 58 b8 77 00 00 00 cd 80 b8 95 04 08 dc 09 41 5b 02 00 00 00
it's the sigreturn trampoline, your glibc should be using its own, not the one provided by the kernel, better look around and see what went wrong there.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
Top

Postby ah » Mon Jan 24, 2005 7:01 pm

I'm everything else but an expert there. What could be the reason for the "wrong" glibc?
ah
 
Posts: 4
Joined: Mon Jan 24, 2005 9:45 am
Top

Postby PaX Team » Tue Jan 25, 2005 1:40 am

ah wrote:I'm everything else but an expert there. What could be the reason for the "wrong" glibc?
well, let's check your distro/glibc version first, maybe it's something we've already seen. normally any glibc 2.2+ should be using its own sigreturn code.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
Top

Postby ah » Tue Jan 25, 2005 5:32 am

sdsvl:~# cat /etc/debian_version
3.1
sdsvl:~# uname -r
2.4.28-grsec
sdsvl:~# dpkg -p libc6
Package: libc6
...
Source: glibc
Version: 2.3.2.ds1-20
...
Provides: glibc-2.3.2.ds1-20
...
ah
 
Posts: 4
Joined: Mon Jan 24, 2005 9:45 am
Top

Postby PaX Team » Wed Jan 26, 2005 8:35 pm

ah wrote:sdsvl:~# cat /etc/debian_version
3.1
debian's glibc used to have a similar issue but that manifested under 2.6 iirc and it was fixed last summer. so no idea about this one, try to submit a bugreport to their bugzilla.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
Top
Topic locked

Return to grsecurity support

Powered by phpBB® Forum Software © phpBB Group