public inbox for gentoo-hardened@lists.gentoo.org
* [gentoo-hardened] nginx worker crashes, grsec denial
@ 2014-10-23 13:27 John Tate
  2014-10-23 13:35 ` [gentoo-hardened] " John Tate
  0 siblings, 1 reply; 6+ messages in thread
From: John Tate @ 2014-10-23 13:27 UTC (permalink / raw
  To: gentoo-hardened

I have a Xen guest which is having problems with nginx and grsec.
Worker processes for nginx fail when HTTP requests are made.

Each request leaves messages much like these:
[  800.424417] nginx[7540]: segfault at 8 ip 00000c513b8ba644 sp 00007138a2675300 error 4 in nginx[c513b882000+f0000]
[  800.424428] grsec: From 202.76.166.249: Segmentation fault occurred at 0000000000000008 in /usr/sbin/nginx[nginx:7540] uid/euid:102/102 gid/egid:247/247, parent /usr/sbin/nginx[nginx:7389] uid/euid:0/0 gid/egid:0/0
[  800.424435] grsec: From 202.76.166.249: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds.  Please investigate the crash report for /usr/sbin/nginx[nginx:7540] uid/euid:102/102 gid/egid:247/247, parent /usr/sbin/nginx[nginx:7389] uid/euid:0/0 gid/egid:0/0
[  800.424441] grsec: From 202.76.166.249: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/sbin/nginx[nginx:7540] uid/euid:102/102 gid/egid:247/247, parent /usr/sbin/nginx[nginx:7389] uid/euid:0/0 gid/egid:0/0

It would be great if someone could tell me what sysctl options or
kernel options I can change to fix this in the short term. It might
take me a while to understand the problem better and it would be good
to have the system running.

This system has changed recently from a VirtualBox guest to being a
Xen guest. So the kernel is built differently, I am using the
grsecurity defaults for a Xen guest with performance priorities. It
ran fine as a VirtualBox guest.

Let me know if you need more info.

-- 
www.johntate.org



* [gentoo-hardened] Re: nginx worker crashes, grsec denial
  2014-10-23 13:27 [gentoo-hardened] nginx worker crashes, grsec denial John Tate
@ 2014-10-23 13:35 ` John Tate
  2014-10-27 12:19   ` Anthony G. Basile
  0 siblings, 1 reply; 6+ messages in thread
From: John Tate @ 2014-10-23 13:35 UTC (permalink / raw
  To: gentoo-hardened

I just realized this error is because of the attempt to dump core. It
is not why nginx is crashing.

Sorry.

-- 
www.johntate.org



* Re: [gentoo-hardened] Re: nginx worker crashes, grsec denial
  2014-10-23 13:35 ` [gentoo-hardened] " John Tate
@ 2014-10-27 12:19   ` Anthony G. Basile
  2014-11-01 15:42     ` John Tate
  0 siblings, 1 reply; 6+ messages in thread
From: Anthony G. Basile @ 2014-10-27 12:19 UTC (permalink / raw
  To: gentoo-hardened

On 10/23/14 09:35, John Tate wrote:
> I just realized this error is because of the attempt to dump core. It
> is not why nginx is crashing.
>
> Sorry.
>

"RLIMIT_CORE against limit 0" is just grsec telling you that nginx tried
to dump core bigger than size 0 bytes.  You can use ulimit to get that
core if you like.  But even if the kernel were killing it, this is a
problem in nginx.  Most problems where the hardened kernel prevents stuff
from happening are issues with the app itself.  Convincing upstream to
fix their clever feature is the hard part, e.g. JIT code in python and
libffi and cffi, etc.

-- 
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197


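Basile's point above is that the RLIMIT_CORE line only records a refused core dump, while the segfault record in the original report is the event to chase. As an added example (not code from the thread or from grsecurity), the Python below parses the three grsec record types from a constructed copy of the dmesg excerpt and separates the root cause from its consequences; the record patterns are assumptions fitted to the messages shown, not grsec's documented log format.

```python
import re

# Constructed sample: the grsec records from the report, each rejoined onto one line.
SAMPLE_LOG = """\
[  800.424428] grsec: From 202.76.166.249: Segmentation fault occurred at 0000000000000008 in /usr/sbin/nginx[nginx:7540] uid/euid:102/102 gid/egid:247/247, parent /usr/sbin/nginx[nginx:7389] uid/euid:0/0 gid/egid:0/0
[  800.424435] grsec: From 202.76.166.249: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds.  Please investigate the crash report for /usr/sbin/nginx[nginx:7540] uid/euid:102/102 gid/egid:247/247, parent /usr/sbin/nginx[nginx:7389] uid/euid:0/0 gid/egid:0/0
[  800.424441] grsec: From 202.76.166.249: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/sbin/nginx[nginx:7540] uid/euid:102/102 gid/egid:247/247, parent /usr/sbin/nginx[nginx:7389] uid/euid:0/0 gid/egid:0/0
"""

# Tail shared by every grsec record shown: the offending process, then its parent (assumed layout).
_PROC = r"(?P<path>/\S+)\[[^:\]]+:(?P<pid>\d+)\] \S+ \S+, parent /\S+\[[^:\]]+:(?P<ppid>\d+)\]"
_PATTERNS = {
    "segfault": re.compile(
        r"grsec: From (?P<src>\S+): Segmentation fault occurred at (?P<addr>[0-9a-f]+) in " + _PROC),
    "bruteforce": re.compile(
        r"grsec: From (?P<src>\S+): bruteforce prevention initiated for the next (?P<minutes>\d+) "
        r"minutes.*?stalling each fork (?P<stall>\d+) seconds\..*?crash report for " + _PROC),
    "rlimit": re.compile(
        r"grsec: From (?P<src>\S+): denied resource overstep by requesting (?P<requested>\d+) "
        r"for (?P<resource>RLIMIT_\w+) against limit (?P<limit>\d+) for " + _PROC),
}

def parse_grsec(text):
    """Return one dict per recognised grsec record, tagged with its kind."""
    events = []
    for line in text.splitlines():
        for kind, rx in _PATTERNS.items():
            m = rx.search(line)
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
    return events

def triage(events):
    """Group records by crashed pid: the fault is the root cause, the rest are consequences."""
    report = {}
    for ev in events:
        entry = report.setdefault(ev["pid"], {"root_cause": None, "consequences": []})
        if ev["kind"] == "segfault":
            entry["root_cause"] = f"{ev['path']} faulted at 0x{ev['addr']}"
        elif ev["kind"] == "bruteforce":
            entry["consequences"].append(
                f"forks of parent pid {ev['ppid']} stalled {ev['stall']}s for {ev['minutes']} min")
        elif ev["kind"] == "rlimit" and ev["resource"] == "RLIMIT_CORE":
            # A denial against limit 0 only means the core dump was refused, not why it died.
            entry["consequences"].append(
                f"core dump ({ev['requested']} bytes) refused by RLIMIT_CORE={ev['limit']}; benign")
    return report
```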

* Re: [gentoo-hardened] Re: nginx worker crashes, grsec denial
  2014-10-27 12:19   ` Anthony G. Basile
@ 2014-11-01 15:42     ` John Tate
  2014-11-04 20:54       ` [gentoo-hardened] gcc without fortran useflag and ekopath Giuseppe Scaglione
  0 siblings, 1 reply; 6+ messages in thread
From: John Tate @ 2014-11-01 15:42 UTC (permalink / raw
  To: gentoo-hardened

On Mon, Oct 27, 2014 at 11:19 PM, Anthony G. Basile
<basile@opensource.dyc.edu> wrote:
> On 10/23/14 09:35, John Tate wrote:
>>
>> I just realized this error is because of the attempt to dump core. It
>> is not why nginx is crashing.
>>
>> Sorry.
>>
>
> "RLIMIT_CORE against limit 0" is just grsec telling you that nginx tried to
> dump core bigger than size 0 bytes.  You can use ulimit to get that core if
> you like.  But even if the kernel were killing it, this is a problem in
> nginx.  Most problems where the hardened kernel prevents stuff from happening
> are issues with the app itself.  Convincing upstream to fix their clever
> feature is the hard part, e.g. JIT code in python and libffi and cffi, etc.

Thanks, though I worked that out. I migrated the system from
VirtualBox to Xen and thought the only thing that had to be changed
was the kernel. It turns out that nginx itself needed to be rebuilt
for this system. I asked for help prematurely having assumed the
problem was out of my league.

>
> --
> Anthony G. Basile, Ph. D.
> Chair of Information Technology
> D'Youville College
> Buffalo, NY 14201
> (716) 829-8197
>



-- 
www.johntate.org



* [gentoo-hardened] gcc without fortran useflag and ekopath
  2014-11-01 15:42     ` John Tate
@ 2014-11-04 20:54       ` Giuseppe Scaglione
  2014-11-13  2:08         ` Anthony G. Basile
  0 siblings, 1 reply; 6+ messages in thread
From: Giuseppe Scaglione @ 2014-11-04 20:54 UTC (permalink / raw
  To: gentoo-hardened

Hi,

Why is -fortran in the USE flags (hardened profile), with the consequent
dev-lang/ekopath dependency (gcc without fortran)?

Is gcc compiled with fortran support problematic?

Sorry for my question, I did not find documentation on this.





* Re: [gentoo-hardened] gcc without fortran useflag and ekopath
  2014-11-04 20:54       ` [gentoo-hardened] gcc without fortran useflag and ekopath Giuseppe Scaglione
@ 2014-11-13  2:08         ` Anthony G. Basile
  0 siblings, 0 replies; 6+ messages in thread
From: Anthony G. Basile @ 2014-11-13  2:08 UTC (permalink / raw
  To: gentoo-hardened

On 11/04/14 15:54, Giuseppe Scaglione wrote:
> Hi,
>
> Why is -fortran in the USE flags (hardened profile), with the consequent
> dev-lang/ekopath dependency (gcc without fortran)?
>
> Is gcc compiled with fortran support problematic?
>
> Sorry for my question, I did not find documentation on this.
>
>

Most people don't want fortran, so we have it off.  It is not
problematic.  Just add it to your global USE flags and recompile gcc.

-- 
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197

