[grsec] DAC permissions, signal 11, limit 0, NX and xterms

John Logsdon j.logsdon at quantex-research.com
Tue May 31 01:27:00 EDT 2005


I have a recurrent problem that only occurs when trying to fire up an
xterm client on a client system from NX (www.nomachine.com).  I keep
getting:

May 30 20:21:10 unix kernel: grsec: From 217.155.43.225: signal 11 sent to
/usr/bin/xterm[xterm:16707] uid/euid:500/500 gid/egid:500/500, parent
/sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

which is a seg fault.

I did previously have (following the above message - a different test
time):

May 30 20:10:49 unix kernel: grsec: From 217.155.43.225: denied resource
overstep by requesting 4096 for RLIMIT_CORE against limit 0 for
/usr/bin/xterm[xterm:21660] uid/euid:500/500 gid/egid:500/500, parent
/sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

as well but I paxctl'd that out.  The limit 0 shows that somewhere
/usr/bin/xterm is not being allowed any resources at all when initiated
from NX.  I can recreate the message pair by paxctl -PS /usr/bin/xterm.

I can ssh into the box with no difficulty and I can also issue an xterm
directly from a shell and it throws up a new xterm for me.

The kernel is 2.6.11.7-grsec on CentOS4 but grsec is not enabled.

I have been tightening some DAC permissions which I think is the cause but
I can't see which permission is the culprit.  Unfortunately it is not
possible to strace within NX either from the client GUI or within the
server itself.

Any idea where this may have come from?

TIA

John

John Logsdon                               "Try to make things as simple
Quantex Research Ltd, Manchester UK         as possible but not simpler"
j.logsdon at quantex-research.com              a.einstein at relativity.org
+44(0)161 445 4951/G:+44(0)7717758675       www.quantex-research.com
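
Added example, not part of the original post: a small Python parser for the two grsec kernel messages quoted above. It rejoins the wrapped syslog lines and groups events by target binary, so a signal 11 and an RLIMIT_CORE overstep for the same executable appear together. The regular expressions are inferred only from the two entries in the post, and the function names are hypothetical.

```python
import re
from collections import defaultdict
# Log entries copied from the post above (wrapped as in the mail).
SAMPLE = """\
May 30 20:21:10 unix kernel: grsec: From 217.155.43.225: signal 11 sent to
/usr/bin/xterm[xterm:16707] uid/euid:500/500 gid/egid:500/500, parent
/sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
May 30 20:10:49 unix kernel: grsec: From 217.155.43.225: denied resource
overstep by requesting 4096 for RLIMIT_CORE against limit 0 for
/usr/bin/xterm[xterm:21660] uid/euid:500/500 gid/egid:500/500, parent
/sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
"""
STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # start of a record

def proc(p):  # one "path[comm:pid] uid/euid gid/egid" block; p prefixes group names
    return (rf"(?P<{p}path>/\S+)\[(?P<{p}comm>[^:\]]+):(?P<{p}pid>\d+)\] "
            rf"uid/euid:(?P<{p}uid>\d+)/(?P<{p}euid>\d+) gid/egid:\d+/\d+")

# Format inferred from the two entries above, not from grsecurity's source.
EVENT = re.compile(
    r"^(?P<time>\w{3} [ \d]\d [\d:]{8}) \S+ kernel: grsec: (?:From (?P<src>[\d.]+): )?"
    r"(?:signal (?P<signal>\d+) sent to|denied resource overstep by requesting "
    r"(?P<req>\d+) for (?P<res>RLIMIT_\w+) against limit (?P<limit>\d+) for) "
    + proc("") + ", parent " + proc("p"))

def unwrap(text):
    """Rejoin continuation lines with the timestamped line they belong to."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse(text):
    """Return one dict of named fields per recognised grsec record."""
    return [{k: v for k, v in m.groupdict().items() if v is not None}
            for m in map(EVENT.match, unwrap(text)) if m]

def summarize(events):
    """Group by target binary: PIDs seen, signals received, rlimits overstepped."""
    out = defaultdict(lambda: {"pids": set(), "signals": set(), "rlimits": set()})
    for ev in events:
        s = out[ev["path"]]
        s["pids"].add(int(ev["pid"]))
        if "signal" in ev:
            s["signals"].add(int(ev["signal"]))
        else:
            s["rlimits"].add((ev["res"], int(ev["req"]), int(ev["limit"])))
    return dict(out)
```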



