Sendmail + SASL + PaX trouble

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Sendmail + SASL + PaX trouble

Postby Martinez » Tue Sep 09, 2003 4:29 am

Hi!.

I'm trying to setup a MTA with AUTH and SSL (Sendmail + SASL + OpenSSL). There is no problem in compile-time, but when running sendmail -L sm-mta [...] I've got an PaX error:
Sep 9 09:59:52 ns kernel: PAX: From $IP: terminating task: /usr/sbin/sendmail(sendmail):15132, uid/euid: 0/0, PC: 00000019, SP: 5fb4a2b0
Sep 9 09:59:52 ns kernel: PAX: bytes at PC: <invalid address>.

I'v been trying also to use chpax utility to setup different PaX modes, and I've figured out, that Segmentation based PAGE_EXEC protection is responsible for that behaviour. But when I try to disable this prot, I've got an segmentation fault error when running sendmail.

What I must do to run propertly sendmail MTA + SASL?

Sendmail without SASL is running nice and I have no troubles with that configuration, but I want to protect my line bandwidth from spammers ;)
Also I must say, that sendmails queue runner is working fine.

TIA
Martinez
 
Posts: 6
Joined: Mon Sep 09, 2002 6:12 pm

Postby Julien TINNES » Tue Sep 09, 2003 8:00 pm

Hi,

PaX noexec feature prevents code execution in non executable areas.
This particular memory address is'nt even in your process address space, when a NOEXEC feature (SEGMEXEC or PAGEXEC) is enabled it will deny execution at this address because it is not marked as executable.
If you disable NOEXEC, then kernel will SIGSEGV your program because it tries to execute an address not belonging to your program address space.

The problem is that your program counter jumps somewhere it should'nt, it's probably a bug in your application. To be sure, try to run with a PaX disabled kernel. (Remove Address space protection from grsecurity)
Julien TINNES
 
Posts: 4
Joined: Tue Sep 09, 2003 7:47 pm

Postby Martinez » Wed Sep 10, 2003 10:09 am

Ok.
Testing on PaX disabled kernel isn't now possible, because I'm working remotely on servers console.

I've change MTA to postfix, and I've got this message still apears in my logfile. But another line is showing also:
Sep 10 16:03:32 ns kernel: grsec: From $IP: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by (master:23340) UID(0) EUID(0), parent (init:1) UID(0) EUID(0)

Something wrong in my kernel configuration?

Maybe a patch for sendmail/postfix?

TIA.
Martinez
 
Posts: 6
Joined: Mon Sep 09, 2002 6:12 pm

Re: Sendmail + SASL + PaX trouble

Postby PaX Team » Sat Sep 13, 2003 11:56 am

Martinez wrote:I'm trying to setup a MTA with AUTH and SSL (Sendmail + SASL + OpenSSL). There is no problem in compile-time, but when running sendmail -L sm-mta [...] I've got an PaX error:
Sep 9 09:59:52 ns kernel: PAX: From $IP: terminating task: /usr/sbin/sendmail(sendmail):15132, uid/euid: 0/0, PC: 00000019, SP: 5fb4a2b0
Sep 9 09:59:52 ns kernel: PAX: bytes at PC: <invalid address>.
this looks like a 'normal' application bug (probably NULL pointer dereference), i should probably modify SEGMEXEC a bit so that this kind of error is reported as a SIGSEGV. as for fixing it, you should report it to the SASL guys probably (or debug it yourself if you have the time).

as for the RLIMIT_CORE message, you will get it when an application crashes but you have set the core file limit to 0, increase it via ulimit -c and you will get your core file which you can debug (and yes, this is still an application bug which might be triggered by some grsec restrictions though, maybe post your .config here).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby Martinez » Fri Sep 26, 2003 10:44 am

Hi again.
My actual .config looks like this:

root@ns:/usr/src/linux# cat .config |grep CONFIG_GRKERNSEC
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MID is not set
# CONFIG_GRKERNSEC_HI is not set
CONFIG_GRKERNSEC_CUSTOM=y
# CONFIG_GRKERNSEC_PAX_NOEXEC is not set
# CONFIG_GRKERNSEC_PAX_ASLR is not set
# CONFIG_GRKERNSEC_KMEM is not set
# CONFIG_GRKERNSEC_IO is not set
# CONFIG_GRKERNSEC_PROC_MEMMAP is not set
# CONFIG_GRKERNSEC_HIDESYM is not set
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_AUDIT_GROUP=y
CONFIG_GRKERNSEC_AUDIT_GID=100
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
# CONFIG_GRKERNSEC_EXECVE is not set
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDISN=y
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
# CONFIG_GRKERNSEC_SOCKET is not set
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_FLOODTIME=30
CONFIG_GRKERNSEC_FLOODBURST=5


I don't send all of it, because he's huge ;)

Well... I notted another app, that make the same thing: apache (2.0.47).
It looks, like this settings have influence for daemons, which are changing UIDs, or so...

I have disabled PaX, and earlier message doesn't appears in log, byt my apps are reporting a SIGSEGV error. I could send a core file, for debug (I have no knowleg about how to debug and fix such errors).

If any one have some time and could help me, pleas contact me at my e-mail address: martinez@czluchow.CUT_THIS_PART_WITH_DOT.eu.org

Thanks.
Martinez
 
Posts: 6
Joined: Mon Sep 09, 2002 6:12 pm


Return to grsecurity support