* [gentoo-hardened] nginx worker crashes, grsec denial
From: John Tate @ 2014-10-23 13:27 UTC
To: gentoo-hardened
I have a Xen guest which is having problems with nginx and grsec.
Worker processes for nginx fail when HTTP requests are made.
Each request leaves messages much like these:
[ 800.424417] nginx[7540]: segfault at 8 ip 00000c513b8ba644 sp 00007138a2675300 error 4 in nginx[c513b882000+f0000]
[ 800.424428] grsec: From 202.76.166.249: Segmentation fault occurred at 0000000000000008 in /usr/sbin/nginx[nginx:7540] uid/euid:102/102 gid/egid:247/247, parent /usr/sbin/nginx[nginx:7389] uid/euid:0/0 gid/egid:0/0
[ 800.424435] grsec: From 202.76.166.249: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for /usr/sbin/nginx[nginx:7540] uid/euid:102/102 gid/egid:247/247, parent /usr/sbin/nginx[nginx:7389] uid/euid:0/0 gid/egid:0/0
[ 800.424441] grsec: From 202.76.166.249: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/sbin/nginx[nginx:7540] uid/euid:102/102 gid/egid:247/247, parent /usr/sbin/nginx[nginx:7389] uid/euid:0/0 gid/egid:0/0
It would be great if someone could tell me what sysctl options or
kernel options I can change to fix this in the short term. It might
take me a while to understand the problem better and it would be good
to have the system running.
This system has changed recently from a VirtualBox guest to being a
Xen guest. So the kernel is built differently, I am using the
grsecurity defaults for a Xen guest with performance priorities. It
ran fine as a VirtualBox guest.
Let me know if you need more info.
--
www.johntate.org
* [gentoo-hardened] Re: nginx worker crashes, grsec denial
From: John Tate @ 2014-10-23 13:35 UTC
To: gentoo-hardened
I just realized this error is because of the attempt to dump core. It
is not why nginx is crashing.
Sorry.
--
www.johntate.org
* Re: [gentoo-hardened] Re: nginx worker crashes, grsec denial
From: Anthony G. Basile @ 2014-10-27 12:19 UTC
To: gentoo-hardened
On 10/23/14 09:35, John Tate wrote:
> I just realized this error is because of the attempt to dump core. It
> is not why nginx is crashing.
>
> Sorry.
>
"RLIMIT_CORE against limit 0" is just grsec telling you that nginx tried
to dump core bigger than size 0 bytes. You can use ulimit to get that
core if you like. But even if the kernel were killing it, this is a
problem in nginx. Most problems where the hardened kernel prevents stuff
from happening are an issue with the app itself. Convincing upstream to
fix their clever feature is the hard part, e.g. JIT code in python and
libffi and cffi, etc.
--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
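The point Anthony makes is worth automating when a grsec kernel floods dmesg with several lines per crash: only the "Segmentation fault occurred" line is the fault itself; the RLIMIT_CORE denial is the failed core dump of a process that has already died (limit 0 means no core at all), and the "bruteforce prevention" line means the master's subsequent forks are stalled, which is why the service looks hung. The following Python is an added example, not code from this thread, grsecurity or nginx. Its regexes are written against the three message formats quoted in the first message, the sample log is those lines re-joined onto one line each, and the function names and the "noise" classification are my own.

```python
"""Triage grsecurity kernel messages: which line is the crash, which are fallout.

Added example; not code from the thread, grsecurity or nginx. Regexes follow the
three message formats quoted in the original post; all names are my own.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: the four kernel lines from the first message, re-joined
# onto one line each (the mail client had wrapped them).
SAMPLE_LOG = """\
[ 800.424417] nginx[7540]: segfault at 8 ip 00000c513b8ba644 sp 00007138a2675300 error 4 in nginx[c513b882000+f0000]
[ 800.424428] grsec: From 202.76.166.249: Segmentation fault occurred at 0000000000000008 in /usr/sbin/nginx[nginx:7540] uid/euid:102/102 gid/egid:247/247, parent /usr/sbin/nginx[nginx:7389] uid/euid:0/0 gid/egid:0/0
[ 800.424435] grsec: From 202.76.166.249: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for /usr/sbin/nginx[nginx:7540] uid/euid:102/102 gid/egid:247/247, parent /usr/sbin/nginx[nginx:7389] uid/euid:0/0 gid/egid:0/0
[ 800.424441] grsec: From 202.76.166.249: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/sbin/nginx[nginx:7540] uid/euid:102/102 gid/egid:247/247, parent /usr/sbin/nginx[nginx:7389] uid/euid:0/0 gid/egid:0/0
"""

# A process as grsec prints it: path[comm:pid] uid/euid:U/E gid/egid:G/E.
# {p} prefixes the group names so the same fragment can also match the parent.
_PROC = (r"(?P<{p}path>[^\s\[]+)\[(?P<{p}comm>[^:\]]+):(?P<{p}pid>\d+)\] "
         r"uid/euid:(?P<{p}uid>\d+)/(?P<{p}euid>\d+) gid/egid:(?P<{p}gid>\d+)/(?P<{p}egid>\d+)")
_SELF, _PARENT = _PROC.format(p=""), _PROC.format(p="parent_")
_HEAD = r"^\[\s*(?P<ts>[\d.]+)\] grsec: From (?P<src>[^:\s]+): "

_PATTERNS = {
    "segfault": re.compile(
        _HEAD + r"Segmentation fault occurred at (?P<addr>[0-9a-fA-F]+) in "
        + _SELF + r", parent " + _PARENT),
    "bruteforce": re.compile(
        _HEAD + r"bruteforce prevention initiated for the next (?P<minutes>\d+) minutes "
        r"or until service restarted, stalling each fork (?P<seconds>\d+) seconds\. "
        r"Please investigate the crash report for " + _SELF),
    "rlimit": re.compile(
        _HEAD + r"denied resource overstep by requesting (?P<requested>\d+) for "
        r"(?P<resource>RLIMIT_[A-Z]+) against limit (?P<limit>\d+) for " + _SELF),
}


@dataclass
class GrsecEvent:
    kind: str                # "segfault", "bruteforce" or "rlimit"
    pid: int
    fields: Dict[str, str]   # every named group of the pattern that matched


def parse_line(line: str) -> Optional[GrsecEvent]:
    """Return the event a grsec line describes, or None for any other line."""
    for kind, pattern in _PATTERNS.items():
        m = pattern.match(line)
        if m:
            return GrsecEvent(kind, int(m.group("pid")), m.groupdict())
    return None


def triage(log: str) -> Dict[str, object]:
    """Separate the crash from grsec's reactions to it.

    An RLIMIT_CORE denial for a pid that already segfaulted is only the failed
    core dump (limit 0 = no core), so it is reported as noise; denials for any
    other resource or pid are kept apart because those may be a real policy hit.
    """
    events = [e for e in map(parse_line, log.splitlines()) if e is not None]
    crashed = {e.pid for e in events if e.kind == "segfault"}
    noise, denials = [], []
    for e in events:
        if e.kind != "rlimit":
            continue
        is_core = e.fields["resource"] == "RLIMIT_CORE"
        (noise if is_core and e.pid in crashed else denials).append(e)
    stall = next((e for e in events if e.kind == "bruteforce"), None)
    return {
        "crashed_pids": sorted(crashed),
        # uid/euid of the crashing worker and the pid of its parent (the master)
        "crash_context": {e.pid: (int(e.fields["uid"]), int(e.fields["euid"]),
                                  int(e.fields["parent_pid"]))
                          for e in events if e.kind == "segfault"},
        "core_dump_noise": [e.pid for e in noise],
        "other_denials": [(e.pid, e.fields["resource"], int(e.fields["requested"]),
                           int(e.fields["limit"])) for e in denials],
        "fork_stall_seconds": int(stall.fields["seconds"]) if stall else 0,
        "stall_minutes": int(stall.fields["minutes"]) if stall else 0,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved `dmesg` and the summary tells you where to look: the crashed pid and the uid it ran as, the master pid it was forked from, and how long forks will be stalled. The plain kernel "segfault at 8 ip ..." line is deliberately not parsed; the grsec line carries the same pid plus the credentials. A RLIMIT_CORE denial for a pid that never segfaulted, or a denial for some other resource, is listed separately rather than dismissed.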
* Re: [gentoo-hardened] Re: nginx worker crashes, grsec denial
From: John Tate @ 2014-11-01 15:42 UTC
To: gentoo-hardened
On Mon, Oct 27, 2014 at 11:19 PM, Anthony G. Basile
<basile@opensource.dyc.edu> wrote:
> On 10/23/14 09:35, John Tate wrote:
>>
>> I just realized this error is because of the attempt to dump core. It
>> is not why nginx is crashing.
>>
>> Sorry.
>>
>
> "RLIMIT_CORE against limit 0" is just grsec telling you that nginx tried to
> dump core bigger than size 0 bytes. You can use ulimit to get that core if
> you like. But even if the kernel were killing it, this is a problem in
> nginx. Most problems where the hardened kernel prevents stuff from happening
> are an issue with the app itself. Convincing upstream to fix their clever
> feature is the hard part, e.g. JIT code in python and libffi and cffi, etc.
Thanks, though I worked that out. I migrated the system from
VirtualBox to Xen and thought the only thing that had to be changed
was the kernel. It turns out that nginx itself needed to be rebuilt
for this system. I asked for help prematurely having assumed the
problem was out of my league.
>
> --
> Anthony G. Basile, Ph. D.
> Chair of Information Technology
> D'Youville College
> Buffalo, NY 14201
> (716) 829-8197
>
--
www.johntate.org
* [gentoo-hardened] gcc without fortran useflag and ekopath
From: Giuseppe Scaglione @ 2014-11-04 20:54 UTC
To: gentoo-hardened
Hi,
Why -fortran in the USE flags (hardened profile), and the consequent
dev-lang/ekopath dependency (gcc without fortran)?
Is gcc compiled with fortran support problematic?
Sorry for my question, I did not find documentation on this.
* Re: [gentoo-hardened] gcc without fortran useflag and ekopath
From: Anthony G. Basile @ 2014-11-13 2:08 UTC
To: gentoo-hardened
On 11/04/14 15:54, Giuseppe Scaglione wrote:
> Hi,
>
> Why -fortran in the USE flags (hardened profile), and the consequent
> dev-lang/ekopath dependency (gcc without fortran)?
>
> Is gcc compiled with fortran support problematic?
>
> Sorry for my question, I did not find documentation on this.
>
>
Most people don't want fortran so we have it off. It is not
problematic. Just add it to your global use flags and recompile gcc.
--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197