public inbox for gentoo-hardened@lists.gentoo.org
* [gentoo-hardened] 'paxctl -m bin' everything that complains?
From: Grant @ 2009-01-22 19:06 UTC
  To: gentoo-hardened

I'm getting a lot of messages like this in dmesg:

"denied resource overstep by requesting 4096 for RLIMIT_CORE"

Should I 'paxctl -m bin' all of these even if they seem to function OK anyway?

- Grant



^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [gentoo-hardened] 'paxctl -m bin' everything that complains?
From: RB @ 2009-01-22 19:26 UTC
  To: gentoo-hardened

On Thu, Jan 22, 2009 at 12:06, Grant <emailgrant@gmail.com> wrote:
> I'm getting a lot of messages like this in dmesg:
>
> "denied resource overstep by requesting 4096 for RLIMIT_CORE"
>
> Should I 'paxctl -m bin' all of these even if they seem to function OK anyway?

You're barking up the wrong tree.  Applications are trying to coredump
(or prepare for one), and your default size limit for that (0) is
lower than what they're trying to allocate.  You're seeing those
specific logs because you have CONFIG_GRKERNSEC_RESLOG on, but it
would be happening whether or not you were running -hardened.

Check out 'ulimit -a' or search for 'ulimit' in bash(1).



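The mechanism RB describes, as an added example that is not code from this thread: the kernel's ELF core writer asks for at least one page (4096 bytes, the figure in the dmesg lines) and RESLOG records the refusal when the soft core-size limit is smaller. The program models that check against any struct rlimit, then reads and adjusts the calling process's own RLIMIT_CORE (the value behind ulimit -c); it assumes Linux with glibc.

```c
/* Added example (not code from this thread): why a core-size limit of 0 yields
 * "denied resource overstep by requesting 4096 for RLIMIT_CORE". Linux/glibc. */
#include <stdio.h>
#include <sys/resource.h>

/* Model of the limit check: a request of `wanted` bytes oversteps when it exceeds
 * the soft limit; an unlimited soft limit never does. Returns 1 if denied. */
int core_request_denied(const struct rlimit *lim, rlim_t wanted)
{
    if (lim->rlim_cur == RLIM_INFINITY)
        return 0;
    return wanted > lim->rlim_cur;
}

/* The calling process's core-size limit, in bytes (ulimit -c shows KiB). 0 on success. */
int get_core_limit(struct rlimit *lim)
{
    return getrlimit(RLIMIT_CORE, lim);
}

/* Set the soft core-size limit. Lowering always works; raising is clamped to the
 * hard limit because setrlimit() rejects soft > hard. *applied gets the value set. */
int set_core_soft_limit(rlim_t soft, rlim_t *applied)
{
    struct rlimit lim;
    if (getrlimit(RLIMIT_CORE, &lim) != 0)
        return -1;
    if (lim.rlim_max != RLIM_INFINITY && soft > lim.rlim_max)
        soft = lim.rlim_max;
    lim.rlim_cur = soft;
    if (setrlimit(RLIMIT_CORE, &lim) != 0)
        return -1;
    if (applied) *applied = soft;
    return 0;
}

int main(void)
{
    struct rlimit lim;
    const rlim_t page = 4096;   /* the amount in the dmesg lines: one page, the ELF minimum */
    if (get_core_limit(&lim) != 0) { perror("getrlimit"); return 1; }
    printf("RLIMIT_CORE soft=%ld hard=%ld (-1 = unlimited)\n", (long)lim.rlim_cur, (long)lim.rlim_max);
    printf("a %ld-byte core request would be %s\n", (long)page,
           core_request_denied(&lim, page) ? "denied (what RESLOG logs)" : "allowed");
    return 0;
}
```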

* Re: [gentoo-hardened] 'paxctl -m bin' everything that complains?
From: Grant @ 2009-01-22 20:21 UTC
  To: gentoo-hardened

>> I'm getting a lot of messages like this in dmesg:
>>
>> "denied resource overstep by requesting 4096 for RLIMIT_CORE"
>>
>> Should I 'paxctl -m bin' all of these even if they seem to function OK anyway?
>
> You're barking up the wrong tree.  Applications are trying to coredump
> (or prepare for one), and your default size limit for that (0) is
> lower than what they're trying to allocate.  You're seeing those
> specific logs because you have CONFIG_GRKERNSEC_RESLOG on, but it
> would be happening whether or not you were running -hardened.
>
> Check out 'ulimit -a' or search for 'ulimit' in bash(1).

Got it, thank you.

- Grant




* Re: [gentoo-hardened] 'paxctl -m bin' everything that complains?
From: Grant @ 2009-01-22 21:01 UTC
  To: gentoo-hardened

>> I'm getting a lot of messages like this in dmesg:
>>
>> "denied resource overstep by requesting 4096 for RLIMIT_CORE"
>>
>> Should I 'paxctl -m bin' all of these even if they seem to function OK anyway?
>
> You're barking up the wrong tree.  Applications are trying to coredump
> (or prepare for one), and your default size limit for that (0) is
> lower than what they're trying to allocate.  You're seeing those
> specific logs because you have CONFIG_GRKERNSEC_RESLOG on, but it
> would be happening whether or not you were running -hardened.
>
> Check out 'ulimit -a' or search for 'ulimit' in bash(1).

I read about ulimit and I'm wondering if I need to worry about
increasing that coredump size from zero.  Can I just ignore those
grsec messages without causing a problem?

- Grant




* Re: [gentoo-hardened] 'paxctl -m bin' everything that complains?
From: RB @ 2009-01-22 21:08 UTC
  To: gentoo-hardened

On Thu, Jan 22, 2009 at 14:01, Grant <emailgrant@gmail.com> wrote:
>> Check out 'ulimit -a' or search for 'ulimit' in bash(1).
>
> I read about ulimit and I'm wondering if I need to worry about
> increasing that coredump size from zero.  Can I just ignore those
> grsec messages without causing a problem?

Allowing core dumps will enable failed applications to dump a copy of
their memory to disk; generally this only causes issues if you're
disk-space sensitive.  It can also be an issue for applications that
hold sensitive data (like passwords) in-memory.

If you can, yes - just ignore the RLIMIT_CORE ones.  You probably want
to find out why applications are trying to dump, but the messages are
a symptom rather than the cause.




* Re: [gentoo-hardened] 'paxctl -m bin' everything that complains?
From: Grant @ 2009-01-23 3:07 UTC
  To: gentoo-hardened

>>> Check out 'ulimit -a' or search for 'ulimit' in bash(1).
>>
>> I read about ulimit and I'm wondering if I need to worry about
>> increasing that coredump size from zero.  Can I just ignore those
>> grsec messages without causing a problem?
>
> Allowing core dumps will enable failed applications to dump a copy of
> their memory to disk; generally this only causes issues if you're
> disk-space sensitive.  It can also be an issue for applications that
> hold sensitive data (like passwords) in-memory.
>
> If you can, yes - just ignore the RLIMIT_CORE ones.  You probably want
> to find out why applications are trying to dump, but the messages are
> a symptom rather than the cause.

It turns out I need to issue 'paxctl -m
/usr/lib64/mozilla-firefox/firefox' to prevent firefox from crashing
when watching a cnn.com video.  Is that a huge security issue?

- Grant




* Re: [gentoo-hardened] 'paxctl -m bin' everything that complains?
From: RB @ 2009-01-23 4:12 UTC
  To: gentoo-hardened

On Thu, Jan 22, 2009 at 20:07, Grant <emailgrant@gmail.com> wrote:
> It turns out I need to issue 'paxctl -m
> /usr/lib64/mozilla-firefox/firefox' to prevent firefox from crashing
> when watching a cnn.com video.  Is that a huge security issue?

That's up to you.  In running X and firefox, you've probably made
enough compromises that one more isn't going to make that much more of
a difference.  That said, execution protections (like MPROTECT) are
probably some of the more critical ones you're going to have, due to
the way most malware works, and turning them off on a browser is
probably unwise.

Security is always a balance of control & usability, choose yours and
live with it.



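An added example, not code from this thread or from paxctl itself, for auditing what 'paxctl -m' did to a binary: paxctl records its flags in a PT_PAX_FLAGS program header, and the 'm' bit (NOMPROTECT) is what switches MPROTECT off. The parser assumes ELF64 and a host with the file's byte order (x86_64, as the /usr/lib64 path suggests); pointed at /usr/lib64/mozilla-firefox/firefox it confirms the exemption, and run over a directory of binaries it lists every one that has been exempted.

```c
/* Added example (not code from this thread or from paxctl): decode the
 * PT_PAX_FLAGS program header that paxctl writes. Assumes ELF64, host byte order. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PT_PAX_FLAGS_TYPE 0x65041580u   /* PaX's program header type */
#define PF_PAX_NOMPROTECT (1u << 9)     /* the 'm' flag: MPROTECT disabled */

/* Returns 1 and sets *flags if the image carries PT_PAX_FLAGS, 0 if it is an
 * ELF64 image without one, -1 if it is not a well-formed ELF64 image. */
int elf64_pax_flags(const unsigned char *buf, size_t len, uint32_t *flags)
{
    Elf64_Ehdr eh; Elf64_Phdr ph; unsigned i;
    if (len < sizeof eh) return -1;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64)
        return -1;
    if (eh.e_phentsize < sizeof ph) return -1;
    for (i = 0; i < eh.e_phnum; i++) {
        size_t off = (size_t)eh.e_phoff + (size_t)i * eh.e_phentsize;
        if (off > len - sizeof ph) return -1;   /* header table runs past the buffer */
        memcpy(&ph, buf + off, sizeof ph);
        if (ph.p_type == PT_PAX_FLAGS_TYPE) { *flags = ph.p_flags; return 1; }
    }
    return 0;
}

/* What `paxctl -m` leaves behind: the NOMPROTECT bit set in the PaX flags. */
int pax_mprotect_disabled(uint32_t flags) { return (flags & PF_PAX_NOMPROTECT) != 0; }

int main(int argc, char **argv)
{
    FILE *fp; long n; unsigned char *buf; uint32_t flags = 0; int rc;
    if (argc != 2) { fprintf(stderr, "usage: %s ELF-binary\n", argv[0]); return 2; }
    if (!(fp = fopen(argv[1], "rb"))) { perror(argv[1]); return 1; }
    fseek(fp, 0, SEEK_END); n = ftell(fp); rewind(fp);
    if (n <= 0 || !(buf = malloc((size_t)n)) || fread(buf, 1, (size_t)n, fp) != (size_t)n) {
        fprintf(stderr, "%s: cannot read\n", argv[1]); return 1;
    }
    rc = elf64_pax_flags(buf, (size_t)n, &flags);
    printf("%s: %s\n", argv[1], rc < 0 ? "not an ELF64 image"
           : rc == 0 ? "no PT_PAX_FLAGS header (kernel defaults apply)"
           : pax_mprotect_disabled(flags) ? "MPROTECT disabled ('m' flag set)" : "MPROTECT not disabled");
    free(buf); fclose(fp);
    return 0;
}
```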
