Date: Sat, 27 Sep 2008 15:42:33 +0300
From: Alex Efros
To: gentoo-hardened@lists.gentoo.org
Subject: [gentoo-hardened] what RLIMIT_STACK mean?
Message-ID: <20080927124233.GO26472@home.power>
Organization: asdfGroup Inc., http://powerman.asdfGroup.com/
User-Agent: Mutt/1.5.16 (2007-06-09)

Hi! Can you please explain to me what these records in my logs mean?

2008-09-27_11:35:55.93144 kern.alert: grsec: From 78.53.3.223: denied resource overstep by requesting 180883456 for RLIMIT_STACK against limit 8388608 for /bin/cat[cat:10111] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:21930] uid/euid:81/81 gid/egid:81/81
2008-09-27_12:08:17.12634 kern.alert: grsec: denied resource overstep by requesting 187367424 for RLIMIT_STACK against limit 8388608 for /var/qmail/bin/qmail-local[qmail-local:22538] uid/euid:1000/1000 gid/egid:100/100, parent /var/qmail/bin/qmail-local[qmail-local:22535] uid/euid:1000/1000 gid/egid:100/100

For example, the first record may be the result of a malicious http request sent from 78.53.3.223 to my apache... but I've no idea why /bin/cat was called (I'm not aware of cgi scripts on my server which would call /bin/cat) and what went wrong with it. I'm not sure whether this guess is correct...

The second is even stranger, because qmail-local was called by qmail-local, and there is no "From IP" part in this record, so it looks like some internal error on my server... but I never noticed any trouble with qmail, mail works ok and there are no errors in the qmail log. Actually, here are the records from the qmail log related to the same time:

2008-09-27_12:08:17.07092 new msg 662104
2008-09-27_12:08:17.07093 info msg 662104: bytes 2912 from qp 22534 uid 201
2008-09-27_12:08:17.07403 starting delivery 5800: msg 662104 to local powerman@powerman.asdfgroup.com
2008-09-27_12:08:17.07404 status: local 1/10 remote 0/20
2008-09-27_12:08:17.14903 delivery 5800: success: did_1+0+0/did_0+0+2/
2008-09-27_12:08:17.14905 status: local 0/10 remote 0/20
2008-09-27_12:08:17.14905 end msg 662104

As you see, it was an incoming email from this maillist, which was delivered without issues... so it wasn't some malicious spam message trying to crash my qmail. I've no idea why grsec complains in the logs about it. I've a lot of such records - about 5 new records every hour on average.

I've checked all combinations of "for /..., parent /...":

# grep RLIMIT_STACK /var/log/kernel/all/{@*,current} | perl -pe 's/.* (for \/[^:]*).* (parent \/[^:]*).*/$1] $2]/' | sort | uniq -c
    303 for /bin/bash[sh] parent /bin/bash[sh]
    277 for /bin/cat[cat] parent /usr/sbin/apache2[apache2]
     17 for /bin/su[su] parent /usr/bin/runsv[runsv]
      1 for /[chpst] parent /bin/bash[sh]
      1 for /[egrep] parent /bin/bash[sh]
      1 for /[ifconfig] parent /bin/bash[sh]
      8 for /[sh] parent /usr/sbin/crond[crond]
    341 for /var/qmail/bin/qmail-local[qmail-local] parent /var/qmail/bin/qmail-local[qmail-local]

--
WBR, Alex.
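As an added example (not part of Alex's message), a small Python parser for the grsec "denied resource overstep" lines shown above. It reproduces the per-(process, parent) count of the grep/perl/sort/uniq pipeline and additionally keeps the requested size, the limit and the remote IP grsec reports, so the apache2-spawned cat entries can be separated from the qmail-local ones and checked for how far over the 8 MiB stack limit each request went. The sample log is constructed from the two lines in the message plus two made-up ones.

```python
import re
from collections import Counter

# Matches the grsec "denied resource overstep" lines quoted in the message; the
# "From <ip>:" prefix is optional (present only when grsec has a remote address for the task).
GRSEC_RLIMIT_RE = re.compile(
    r"grsec: (?:From (?P<ip>[\d.]+): )?denied resource overstep by requesting "
    r"(?P<requested>\d+) for (?P<resource>RLIMIT_\w+) against limit (?P<limit>\d+) "
    r"for (?P<path>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<ppath>\S+?)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\]"
)

# Constructed sample input: the two lines from the message plus two made-up ones
# (a bash->bash RLIMIT_STACK denial and an unrelated RLIMIT_NPROC denial).
SAMPLE_LOG = """\
2008-09-27_11:35:55.93144 kern.alert: grsec: From 78.53.3.223: denied resource overstep by requesting 180883456 for RLIMIT_STACK against limit 8388608 for /bin/cat[cat:10111] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:21930] uid/euid:81/81 gid/egid:81/81
2008-09-27_12:08:17.12634 kern.alert: grsec: denied resource overstep by requesting 187367424 for RLIMIT_STACK against limit 8388608 for /var/qmail/bin/qmail-local[qmail-local:22538] uid/euid:1000/1000 gid/egid:100/100, parent /var/qmail/bin/qmail-local[qmail-local:22535] uid/euid:1000/1000 gid/egid:100/100
2008-09-27_12:10:02.00001 kern.alert: grsec: denied resource overstep by requesting 180883456 for RLIMIT_STACK against limit 8388608 for /bin/bash[sh:22600] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:22599] uid/euid:0/0 gid/egid:0/0
2008-09-27_12:11:00.00002 kern.alert: grsec: denied resource overstep by requesting 999 for RLIMIT_NPROC against limit 100 for /bin/bash[sh:22700] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:22699] uid/euid:0/0 gid/egid:0/0
"""

def parse_line(line):
    """Return the fields of one grsec resource-overstep line, or None if it is not one."""
    m = GRSEC_RLIMIT_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("requested", "limit", "pid", "ppid", "uid", "euid", "gid", "egid"):
        rec[key] = int(rec[key])
    # How far over the limit the request was (about 21x the 8 MiB stack limit in the message).
    rec["overstep_factor"] = rec["requested"] / rec["limit"]
    return rec

def summarize(log_text, resource="RLIMIT_STACK"):
    """Count (process[comm], parent[comm]) pairs for one resource, as the message's
    grep|perl|sort|uniq -c pipeline does, and collect the remote IPs seen per pair."""
    counts = Counter()
    ips = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["resource"] != resource:
            continue
        pair = (f"{rec['path']}[{rec['comm']}]", f"{rec['ppath']}[{rec['pcomm']}]")
        counts[pair] += 1
        if rec["ip"]:
            ips.setdefault(pair, set()).add(rec["ip"])
    return counts, ips
```

Feed it the real kernel log instead of SAMPLE_LOG (e.g. `summarize(open("/var/log/kernel/all/current").read())`) to get the same table as the pipeline, with the source IPs per pair alongside.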