
grsec kills httpd 5 minutes after last https request

Posted: Wed Jan 31, 2007 8:57 am
by johngallet
Hi,

I sometimes get this behavior: last request is ssl request, and 5 minutes later, grsec kills a few httpd processes.
Example:

ssl.log:172.186.118.66 - - [03/Jan/2007:16:14:33 +0100] "GET /index.php?action=register&id_session=jc7pSIwNt91K5NAfaghT4MEuCc HTTP/1.1" 200 36522 "http://www.domain.tld/index.php" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; fr-FR; rv:1.0.2) Gecko/20020924 AOL/7.0"

And 5 minutes later in /var/log/messages:

messages:Jan 3 16:19:34 ns2261 kernel: grsec: From 172.186.118.66: signal 11 sent to /usr/local/apache/bin/httpd[httpd:15475] uid/euid:99/99 gid/egid:99/99, parent /usr/local/apache/bin/httpd[httpd:2423] uid/euid:0/0 gid/egid:0/0

messages:Jan 3 16:19:34 ns2261 kernel: grsec: From 172.186.118.66: signal 11 sent to /usr/local/apache/bin/httpd[httpd:15475] uid/euid:99/99 gid/egid:99/99, parent /usr/local/apache/bin/httpd[httpd:2423] uid/euid:0/0 gid/egid:0/0

Any hints?

Some version info:
Linux 2.4.28-grsec
apache 1.3.35
php 5.1.4
OpenSSL 0.9.8b

PS: the captcha image registration is a pain. And I am supposed to see colors correctly.

Re: grsec kills httpd 5 minutes after last https request

Posted: Sat Feb 03, 2007 7:39 pm
by PaX Team
johngallet wrote: I sometimes get this behavior: last request is ssl request, and 5 minutes later, grsec kills a few httpd processes.
grsec doesn't directly kill those processes, it merely reports that they were about to dump core due to a sigsegv. why apache would do that is the real question and only debugging one such case can tell us more. so getting and analyzing a coredump and/or catching it live in gdb would be the first thing you should try. i'll also note that you're using a very old kernel, you should consider upgrading and reproduce the problem there.

Re: grsec kills httpd 5 minutes after last https request

Posted: Sun Feb 04, 2007 4:57 am
by johngallet
PaX Team wrote: grsec doesn't directly kill those processes, it merely reports that they were about to dump core due to a sigsegv.

Thanks for this information, I was getting confused by the /var/log/messages logs and had it totally wrong.

PaX Team wrote: so getting and analyzing a coredump and/or catching it live in gdb would be the first thing you should try.

Well, so far I have never seen apache producing a real core file because it handles all signals somewhere if I remember correctly. As for reproducing it myself, it will be hard to do, but I can try with an instance on a separate port.

PaX Team wrote: i'll also note that you're using a very old kernel, you should consider upgrading and reproduce the problem there.

I consider upgrading kernels on machines I don't have physical access to as suicidal. Once you got this brand new kernel that does not boot and you're trapped in the early stages of booting on this machine that is 500 miles away, you are basically screwed.

Anyway, thanks for pointing me to the correct way things work!
JG
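
For triage of reports like the one in this thread, the sketch below (an added example, not code from any poster or from grsecurity) parses the grsec signal line and pairs it with the last access-log request from the same `From` address. The function names, the regexes and the 10-minute window are assumptions; the sample lines are the ones from the first post with the grep filename prefix removed, and the syslog year is taken from the access log because syslog omits it.

```python
import re
from datetime import datetime, timedelta

# Lines from the first post (filename prefix stripped, user agent dropped).
ACCESS = ('172.186.118.66 - - [03/Jan/2007:16:14:33 +0100] "GET /index.php?action=register'
          '&id_session=jc7pSIwNt91K5NAfaghT4MEuCc HTTP/1.1" 200 36522')
GRSEC = ('Jan 3 16:19:34 ns2261 kernel: grsec: From 172.186.118.66: signal 11 sent to '
         '/usr/local/apache/bin/httpd[httpd:15475] uid/euid:99/99 gid/egid:99/99, '
         'parent /usr/local/apache/bin/httpd[httpd:2423] uid/euid:0/0 gid/egid:0/0')

GRSEC_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: grsec: From (?P<ip>[\d.]+): '
    r'signal (?P<sig>\d+) sent to (?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] '
    r'uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:\d+/\d+, '
    r'parent (?P<pexe>\S+)\[[^:\]]+:(?P<ppid>\d+)\]')
ACCESS_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def parse_grsec(line, year):
    """Return the fields of a grsec 'signal N sent to' line, or None if it is another kind."""
    m = GRSEC_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev['time'] = datetime.strptime(f"{year} {ev['ts']}", '%Y %b %d %H:%M:%S')
    return ev

def parse_access(line):
    """Return ip, request, status and local time of a common-log-format line, or None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # Assumption: syslog and Apache run on the same host, so local wall-clock times compare.
    ev['time'] = datetime.strptime(ev['ts'], '%d/%b/%Y:%H:%M:%S %z').replace(tzinfo=None)
    return ev

def last_request_before(sig_ev, access_events, window=timedelta(minutes=10)):
    """Latest request from the signal's 'From' address within `window` before the signal."""
    hits = [a for a in access_events if a['ip'] == sig_ev['ip']
            and timedelta(0) <= sig_ev['time'] - a['time'] <= window]
    return max(hits, key=lambda a: a['time'], default=None)

if __name__ == '__main__':
    req = parse_access(ACCESS)
    sig = parse_grsec(GRSEC, req['time'].year)
    hit = last_request_before(sig, [req])
    print(f"pid {sig['pid']} (uid {sig['uid']}, parent {sig['ppid']}) got signal {sig['sig']} "
          f"{(sig['time'] - hit['time']).total_seconds():.0f}s after: {hit['req']}")
```

A match only says that the crashing child and the request share a client address and fall in the same window; the cause still has to come from a core dump or a gdb session, as suggested in the reply above.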