rlimit_stack

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

rlimit_stack

Postby nyx » Mon Mar 17, 2003 10:06 am

I found those messages in logs:

grsec: attempted resource overstep by requesting 8392704 for RLIMIT_STACK against limit 8388608 by (httpd:20544) UID(999) EUID(999), parent (httpd:7002) UID(0) EUID(0)
grsec: possible exploit bruteforcing on (httpd:20544) UID(999) EUID(999), parent (httpd:7002) UID(0) EUID(0) Banning execution of [08:07:8407960] for 600 seconds

where exactly should I look to correct this? (I set bigger value via ulimit -s now)
nyx
 
Posts: 3
Joined: Sat Aug 03, 2002 4:53 pm

Postby spender » Mon Mar 17, 2003 10:22 am

You should first look into finding out why apache is crashing. Check your error logs.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby nyx » Mon Mar 17, 2003 10:58 am

error logs are ok - no error messages there

I checked apache error logs and /var/log/*

the only things is error about maxclients reached in apache error_log - but that should be ok - it's meant to be configured that way...
nyx
 
Posts: 3
Joined: Sat Aug 03, 2002 4:53 pm

Re: rlimit_stack BUG

Postby erich » Sat Mar 29, 2003 11:54 am

grsecurity has some bug there...
i'm running wolk, which includes grsecurity 1.99e.
I get the following message during system startup:

kernel: grsec: attempted resource overstep by requesting 49430528 for RLIMIT_STACK against limit 8388608 by (pidof:1154) UID(0) EUID(0), parent (init:1) UID(0) EUID(0)

Now that certainly isn't pidof or init's fault, is it?
erich
 
Posts: 3
Joined: Sat Mar 29, 2003 11:32 am

Postby spender » Sat Mar 29, 2003 3:43 pm

It's definitely not init's fault. It must be a bug in pidof. grsecurity isn't causing the sigsegv, it's just reporting it.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby erich » Sun Mar 30, 2003 8:32 am

Or the reporting is broken?
pidof won't mess with the stack rlimit, will it?
erich
 
Posts: 3
Joined: Sat Mar 29, 2003 11:32 am

Postby spender » Sun Mar 30, 2003 9:04 am

sure it could. It could have had a bug that caused it to try to modify some location outside of the stack, or it could have gone into an infinite loop causing a stack overflow. The reporting is correct. If you weren't using grsecurity, you most likely would never have known.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm


Return to grsecurity support

cron