Page 1 of 1

Apache child gets signal 11, can't run any webmail

PostPosted: Sun May 25, 2003 8:15 am
by drtebi
Hello,
I have been fiddling with this for a while now, I am pretty sure grsec is the one making my life harder...

I have been trying a few different webmail scripts, all in PHP. I am running Gentoo Linux 1.4, Apache 1.3.27, PHP 4.3.1, Qmail, bancimap etc. etc., and grsec version says it's "20030516" (I emerged "grsecurity-base-policy" with the Gentoo system).

These are the grsec settings I have compiled into the Kernel:

Code: Select all
ACL options  --->
[ ] ACL Debugging Messages
(3) Maximum tries before password lockout
(30) Time to wait after max password tries, in seconds   

Filesystem Protections  --->     
[*] Proc restrictions                                                               
[ ]    Restrict to user only                                                       
[ ]    Allow special group
[*] Linking restrictions
[ ] FIFO restrictions
[*] Chroot jail restrictions
[*]    Deny mounts
[*]    Deny double-chroots
[*]    Deny pivot_root in chroot
[*]    Enforce chdir("/") on all chroots
[*]    Deny fchdir outside of chroot
[*]    Deny (f)chmod +s
[*]    Deny mknod
[*]    Protect outside processes
[*]    Restrict priority changes
[ ] Capability restrictions within chroot 

Kernel Auditing  ---> 
[ ] Single group for auditing                                       
[ ] Exec logging                                                                 
[*] Log execs within chroot                                                     
[ ] Chdir logging                                               
[*] (Un)Mount logging                           
[ ] IPC logging                       
[*] Signal logging                                 
[*] Fork failure logging                                     
[*] Time change logging

Executable Protections  --->   
[ ] Exec process limiting                                                       
[*] Dmesg(8) restriction                                                       
[*] Randomized PIDs                                                             
[ ] Trusted path execution

Network Protections  --->     
[*] Randomized IP IDs                                                             
[*] Randomized TCP source ports                                                   
[ ] Randomized RPC XIDs                                                           
[*] Altered Ping IDs                                                             
[ ] Socket restrictions 

Miscellaneous Features  ---> 
(10) Seconds in between log messages (minimum)                                           
(4) Number of messages in a burst (maximum) 


The error I find in my "everything" logfile is:
Code: Select all
[kernel] grsec: signal 11 sent to (httpd:803) UID(65534) EUID(65534), parent (httpd:29604) UID(0) EUID(0)


I have another server at home which is almost exactly the same as the one I am having problems with, except that the one at home does not have grsec installed at all. So when I run the same webmail interface at home, it works fine, I am actually connecting to the "production server" with this interface from home, and get no errors, which means the mail programs don't seem to be the problem. I can read mail via pop and imap online, however, once I install the exact same interface on the production server, it dies right after I try to login, and spits out the error above.

Any help would be appreciated...

PostPosted: Mon May 26, 2003 12:57 pm
by spender
What about PaX settings?

-Brad

PostPosted: Mon May 26, 2003 6:18 pm
by drtebi
Well,
to be honest with you, I just found out about PaX. I have not yet understood what exactly it is, I promise I will read into it...

But if someone could give me a quick hint to get somewhere already, that would be great.

Thanks

PostPosted: Tue May 27, 2003 7:49 am
by PaX Team
drtebi wrote:Well, to be honest with you, I just found out about PaX. I have not yet understood what exactly it is, I promise I will read into it...
PaX implements proper non-executable page semantics and adds randomization to addresses mainly. if an application doesn't like some of it, you would more likely see processes getting killed, not a SIGSEGV. try to grep for PAX in your system logs and see if there were any related events.
But if someone could give me a quick hint to get somewhere already, that would be great.
if PaX is the cause, get http://pageexec.virtualave.net/chpax-0.4.tar.gz and disable some features on httpd (e.g., chpax -sp /path/to/httpd). by the way, what version of grsecurity are you using (20030516 is not a version, or at least it's not clear what it's supposed to mean)?