Page 1 of 1

rlimit_stack

PostPosted: Mon Mar 17, 2003 10:06 am
by nyx
I found those messages in logs:

grsec: attempted resource overstep by requesting 8392704 for RLIMIT_STACK against limit 8388608 by (httpd:20544) UID(999) EUID(999), parent (httpd:7002) UID(0) EUID(0)
grsec: possible exploit bruteforcing on (httpd:20544) UID(999) EUID(999), parent (httpd:7002) UID(0) EUID(0) Banning execution of [08:07:8407960] for 600 seconds

where exactly should I look to correct this? (I set bigger value via ulimit -s now)

PostPosted: Mon Mar 17, 2003 10:22 am
by spender
You should first look into finding out why apache is crashing. Check your error logs.

-Brad

PostPosted: Mon Mar 17, 2003 10:58 am
by nyx
error logs are ok - no error messages there

I checked apache error logs and /var/log/*

the only things is error about maxclients reached in apache error_log - but that should be ok - it's meant to be configured that way...

Re: rlimit_stack BUG

PostPosted: Sat Mar 29, 2003 11:54 am
by erich
grsecurity has some bug there...
i'm running wolk, which includes grsecurity 1.99e.
I get the following message during system startup:

kernel: grsec: attempted resource overstep by requesting 49430528 for RLIMIT_STACK against limit 8388608 by (pidof:1154) UID(0) EUID(0), parent (init:1) UID(0) EUID(0)

Now that certainly isn't pidof or init's fault, is it?

PostPosted: Sat Mar 29, 2003 3:43 pm
by spender
It's definitely not init's fault. It must be a bug in pidof. grsecurity isn't causing the sigsegv, it's just reporting it.

-Brad

PostPosted: Sun Mar 30, 2003 8:32 am
by erich
Or the reporting is broken?
pidof won't mess with the stack rlimit, will it?

PostPosted: Sun Mar 30, 2003 9:04 am
by spender
sure it could. It could have had a bug that caused it to try to modify some location outside of the stack, or it could have gone into an infinite loop causing a stack overflow. The reporting is correct. If you weren't using grsecurity, you most likely would never have known.

-Brad