Page 1 of 1

Various problems with grsec?

PostPosted: Sun Dec 19, 2004 7:28 pm
by gr
I'm running a server with a grsec enabled 2.4.25 kernel. It hasn't been rebooted for 296 days until now, and it's been working perfectly until just before the reboot. I'm not quite sure if this actually is a grsec problem or not, but the log is filled with these messages concerning spamassassin:

Dec 20 00:27:25 velocity kernel: grsec: From 213.218.116.165: attempted resource overstep by requesting 2050752 for RLIMIT_DATA against limit 2048000 by (spamd:15935) UID(99) EUID(99), parent (spamd:23082) UID(99) EUID(99)
Dec 20 00:27:43 velocity kernel: grsec: From 194.51.131.66: attempted resource overstep by requesting 2050752 for RLIMIT_DATA against limit 2048000 by (spamd:22302) UID(99) EUID(99), parent (spamd:23082) UID(99) EUID(99)
Dec 20 00:27:43 velocity kernel: grsec: From 194.51.131.66: attempted resource overstep by requesting 2050752 for RLIMIT_DATA against limit 2048000 by (spamd:22302) UID(99) EUID(99), parent (spamd:23082) UID(99) EUID(99)
Dec 20 00:27:45 velocity kernel: grsec: From 69.110.207.82: attempted resource overstep by requesting 2050752 for RLIMIT_DATA against limit 2048000 by (spamd:14894) UID(99) EUID(99), parent (spamd:23082) UID(99) EUID(99)

And there's other problems as well:

[root@velocity linux-2.4.25]# make menuconfig
rm -f include/asm
( cd include ; ln -sf asm-i386 asm)
make -C scripts/lxdialog all
make[1]: Entering directory `/usr/src/linux-2.4.25/scripts/lxdialog'
make[1]: Leaving directory `/usr/src/linux-2.4.25/scripts/lxdialog'
/bin/sh scripts/Menuconfig arch/i386/config.in
Using defaults found in .config
Preparing scripts: functions, parsing.....................................................scripts/Menuconfig: xmalloc: cannot allocate 9 bytes (0 bytes allocated)
make: *** [menuconfig] Error 2
[root@velocity linux-2.4.25]#


After a couple of hours with those messages qmail stopped working as well, and I booted the server hoping that would solve the problems. Qmail is up and running again, but I'm still getting the same messages trying to run make menuconfig and spamassassin, and Apache won't start:

[Mon Dec 20 00:32:01 2004] [warn] (24)Too many open files: unable to open a file descriptor above 15, you may need to increase the number of descriptors
fopen: Too many open files

Dec 20 00:33:13 velocity kernel: grsec: From 213.225.76.xxx: attempted resource overstep by requesting 50 for RLIMIT_NOFILE against limit 50 by (httpd:13952) UID(0) EUID(0), parent (apachectl:534) UID(0) EUID(0)
Dec 20 00:33:13 velocity last message repeated 4 times

Any suggestions?

PostPosted: Sun Dec 19, 2004 8:05 pm
by gr
I managed to get Apache up and running again, by setting ulimit -n higher (it was set to 50), but this is something Apache should, and always has, fix itselfes. However it seems like the kernel is stopping that from happening. I don't get why this suddenly started happening after 296 days of normal operation...

PostPosted: Mon Dec 20, 2004 8:42 am
by spender
Could be the kernel leaking memory. Though grsecurity isn't to blame, because we don't allocate memory at runtime, only at startup. You should update to the latest version of grsecurity and Linux, as old versions aren't supported.

-Brad

PostPosted: Mon Dec 20, 2004 8:47 am
by gr
Thanks.

I've been trying to update the kernel, but make menuconfig fails. I'm going to try configuring the kernel on another machine later and copying the .config. Hopefully compiling the kernel will work. The server is located off-site (300 miles away), so it's a true pain messing with the kernel on it. :?

What I don't get is why this started now, after 296 days uptime, and why it continues after reboots. I've also tried booting up the old 2.4.20 kernel (with grsec), but it's the same with that one. Could it be faulty hardware ram?

PostPosted: Mon Dec 20, 2004 2:32 pm
by gr
Is it possible to change the RLIMIT_DATA limit anywhere?

PostPosted: Tue Dec 21, 2004 9:55 pm
by devastor
Look at your /etc/security/limits.conf if it's just a limit set by pam.
'ulimit -a' and 'ulimit -d unlimited' might be useful, too, if your shell supports them..

PostPosted: Wed Dec 22, 2004 3:45 am
by gr
Geez! You just made me figure out what an ass I've been. I'm taking home the stupidest sysadmin of the year award for sure!

I couldn't understand why these limits suddenly appeared, and what the hell was going on. I knew about limits/ulimit, just not that the -d option applied to RLIMIT_DATA, so I didn't check limits.conf. Someone must've druged me for days.

When I checked the file now and saw the restricted group for regular users, I just realized I put my own unprivileged user in that group some days ago, and didn't relogin until several days after, su -'ed to root, had the restrictions from my unprivileged user follow me, restarted spamassassin, and from there and on everything was fucked up...

I'm happy again. Thanks! :)