2.4.18 grsec 1.9.4 and apache 1.3.24


Postby Ego^pFe » Tue May 07, 2002 7:23 am

:oops:
Apache is installed correctly on Slackware Linux 8 running kernel 2.4.18.

When I start it with a normal kernel, all goes well.
When I start it with the grsec kernel with no ACL and Openwall, here is the problem:

root@norad:~# strace -v -o log.txt /usr/local/apache/bin/apachectl start
ptrace: umoven: Input/output error
ptrace: umoven: Input/output error
/usr/local/apache/bin/apachectl: line 184: 9212 Segmentation fault $HTTPD
/usr/local/apache/bin/apachectl start: httpd could not be started

from the log file:

execve("/usr/local/apache/bin/apachectl", ["/usr/local/apache/bin/apachectl", "start"], [/* 36 vars */]) = 0
brk(0) = 0x80c96f0
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 4
fstat64(0x4, 0xbfffec24) = 0
old_mmap(NULL, 65027, PROT_READ, MAP_PRIVATE, 4, 0) = 0x125000
close(4) = 0
open("/lib/libtermcap.so.2", O_RDONLY) = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\210\v\0"..., 1024) = 1024
fstat64(0x4, 0xbfffec74) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x135000
old_mmap(NULL, 13800, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x136000
mprotect(0x139000, 1512, PROT_NONE) = 0
old_mmap(0x139000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x2000) = 0x139000
close(4) = 0
open("/lib/libdl.so.2", O_RDONLY) = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0$\34\0\000"..., 1024) = 1024
fstat64(0x4, 0xbfffec64) = 0
old_mmap(NULL, 12176, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x13a000
mprotect(0x13c000, 3984, PROT_NONE) = 0
old_mmap(0x13c000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x1000) = 0x13c000
close(4) = 0
open("/lib/libc.so.6", O_RDONLY) = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\30\330"..., 1024) = 1024
fstat64(0x4, 0xbfffec54) = 0
old_mmap(NULL, 1183680, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x13d000
mprotect(0x254000, 40896, PROT_NONE) = 0
old_mmap(0x254000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x116000) = 0x254000
old_mmap(0x25a000, 16320, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x25a000
close(4) = 0
munmap(0x125000, 65027) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
open("/dev/tty", O_RDWR|O_NONBLOCK|0x8000) = 4
close(4) = 0
brk(0) = 0x80c96f0
brk(0x80ca000) = 0x80ca000
brk(0x80cb000) = 0x80cb000
SYS_199(0x259058, 0, 0x259d80, 0x256e50, 0xbffff8d4) = 0
ipc_subcall(0x259058, 0, 0x259d80, 0x256e50) = 0
semop(2461784, 0x256e50, 0) = 0
semget(2461784, 0, IPC_EXCL|IPC_NOWAIT|0x259180|0600) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
time(NULL) = 1020773934
brk(0x80cc000) = 0x80cc000
open("/etc/mtab", O_RDONLY) = 4
fstat64(0x4, 0xbfffcfdc) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x125000
read(4, "/dev/hda2 / ext3 rw 0 0\nnone /de"..., 4096) = 90
close(4) = 0
munmap(0x125000, 4096) = 0
open("/proc/meminfo", O_RDONLY) = 4
fstat64(0x4, 0xbfffd44c) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x125000
read(4, " total: used: free:"..., 4096) = 522
close(4) = 0
munmap(0x125000, 4096) = 0
brk(0x80cd000) = 0x80cd000
rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigaction(SIGQUIT, {SIG_IGN}, {SIG_DFL}, 8) = 0
uname({sysname="Linux", nodename="norad", release="2.4.18-grsec-1.9.4", version="#3 Wed Apr 3 11:39:26 CEST 2002", machine="i686"}) = 0
brk(0x80ce000) = 0x80ce000
brk(0x80cf000) = 0x80cf000
stat64(0x80ca16c, 0xbffff64c) = 0
stat64(0x80ac74a, 0xbffff5ec) = 0
getpid() = 9215
getppid() = 9214
getpgrp() = 9214
rt_sigaction(SIGCHLD, {0x806f99c, [], 0x4000000}, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
open("/usr/local/apache/bin/apachectl", O_RDONLY|0x8000) = 4
ioctl(4, TCGETS, 0xbffff6b8) = -1 ENOTTY (Inappropriate ioctl for device)
_llseek(4, 0, [0], SEEK_CUR) = 0
read(4, "#!/bin/sh\n#\n# Apache control scr"..., 80) = 80
_llseek(4, 0, [0], SEEK_SET) = 0
getrlimit(0x7, 0xbffff714, 0, 0x4, 0x7) = 0
dup2(4, 255) = 255
close(4) = 0
shmat(255, 0, 0x2) = ?
shmat(255, 0x12490c, 0x3) = ?
fstat64(0xff, 0xbffff78c) = 0
_llseek(255, 0, [0], SEEK_CUR) = 0
brk(0x80d1000) = 0x80d1000
brk(0x80d2000) = 0x80d2000
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
read(255, "#!/bin/sh\n#\n# Apache control scr"..., 7412) = 7412
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
brk(0x80d3000) = 0x80d3000
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
brk(0x80d4000) = 0x80d4000
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
brk(0x80d5000) = 0x80d5000
brk(0x80d6000) = 0x80d6000
brk(0x80d7000) = 0x80d7000
brk(0x80d8000) = 0x80d8000
brk(0x80d9000) = 0x80d9000
brk(0x80da000) = 0x80da000
brk(0x80db000) = 0x80db000
brk(0x80dc000) = 0x80dc000
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
stat64(0x80d6a8c, 0xbffff2fc) = -1 ENOENT (No such file or directory)
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [INT CHLD], [], 8) = 0
_llseek(255, -2847, [4565], SEEK_CUR) = 0
fork() = 9216
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGINT, {0x806ec28, [], 0x4000000}, {SIG_DFL}, 8) = 0
wait4(-1, [WIFSIGNALED(s) && WTERMSIG(s) == SIGSEGV], 0, NULL) = 9216
rt_sigprocmask(SIG_BLOCK, [CHLD TTOU], [CHLD], 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [CHLD TTOU], 8) = 0
uname({sysname="Linux", nodename="norad", release="2.4.18-grsec-1.9.4", version="#3 Wed Apr 3 11:39:26 CEST 2002", machine="i686"}) = 0
write(2, "/usr/local/apache/bin/apachectl:"..., 80) = 80
rt_sigprocmask(SIG_SETMASK, [CHLD TTOU], NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [CHLD], 8) = 0
rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGCHLD (Child exited) ---
wait4(-1, 0xbfffef88, WNOHANG, NULL) = -1 ECHILD (No child processes)
sigreturn() = ? (mask now [])
rt_sigaction(SIGINT, {SIG_DFL}, {0x806ec28, [], 0x4000000}, 8) = 0
write(1, "/usr/local/apache/bin/apachectl "..., 66) = 66
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD TTOU], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
read(255, "\nexit $ERROR\n\n## ==============="..., 7412) = 2847
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD TTOU], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
_exit(3) = ?
:o

Re: 2.4.18 grsec 1.9.4 and apache 1.3.24

Postby mwimer » Tue May 07, 2002 12:22 pm

Try "gradm -R" before starting up apache... and call me in the morning.

Re: 2.4.18 grsec 1.9.4 and apache 1.3.24

Postby _nms » Sun Sep 15, 2002 3:40 am

In a fresh installation of Debian, I have run into the same problem as mentioned above. I tried 'gradm -R' without any noticeable change, and I even tried to set all (grsecurity related) sysctls to 0.

I really like the features provided by grsecurity, but since the system is going into commercial use in the near future I do not have much time to spend on troubleshooting. If anyone could quickly explain the problem and give me a possible solution I'd be very happy, otherwise I'll have to do without grsecurity.

Regards,
Martin Lindquist

Postby spender » Sun Sep 15, 2002 12:27 pm

What version of grsecurity are you using? What options do you have enabled? Can you pin it down to any specific option? I'm also using Debian with grsecurity, with all options enabled, and have no problem.

-Brad

Postby _nms » Mon Sep 16, 2002 11:24 am

This is the version information of the related software:
Linux gw 2.4.19-grsec #1 SMP Sun Sep 15 07:36:28 CEST 2002 i686 unknown
Server version: Apache/1.3.26 (Unix) Debian GNU/Linux
grsecurity-1.9.6-2.4.19.patch.gz

I have enabled pretty much everything related to grsecurity in the kernel. These are the exceptions (disabled options):
PaX protection
ACL Debugging Messages
Denied capability logging
Trusted path execution
Socket restrictions

"Proc restrictions" is set to "Restrict to user only" with "Additional restrictions" and "Remove mem and maps support" both enabled.

What confuses me is that even if I set all grsecurity sysctls to 0 Apache still fails to start. I'm starting to think there's something else wrong with the kernel, but Apache worked fine before I applied the grsecurity patch, and no other changes have been made to the system.

Regards,
Martin Lindquist

Postby _nms » Mon Sep 16, 2002 11:34 am

I withdraw my request for help.

I just found out that a "highly skilled" fellow admin had altered /etc/{host.conf,hosts}, causing hostname lookup problems for Apache. Both the admin in question and Apache failed to inform me about this.

In no way was grsecurity responsible for the problems caused, and I apologize for any inconvenience I may have caused the readers of this forum.

Regards,
Martin Lindquist

Postby spender » Tue Sep 17, 2002 1:49 pm

No problem. At least I know now. We're only waiting for someone to get back to us on one more bug, and then I can finally release 1.9.7 :)

-Brad

