[grsec] Fwd: Re: Bug#336461: debhelper: dh_fixperms - xargs: chown: Argument list too long

Bernd Zeimetz bernd at bzed.de
Tue Nov 8 13:04:29 EST 2005 

Hi,

is this a supposed behaviour in grsec? And if yes, is it possible to make  
(getconf ARG_MAX)-(printenv | wc -m) a reliable number again?

Please let me know if you need more info,

thanks,

Bernd

----------  Forwarded Message  ----------

Subject: Re: Bug#336461: debhelper: dh_fixperms - xargs: chown: Argument list 
too long
Date: Saturday 05 November 2005 16:01
From: Andreas Metzler <ametzler at downhill.at.eu.org>
To: Bernd Zeimetz <bernd at zeimetz.de>, 336461 at bugs.debian.org

On 2005-10-30 Bernd Zeimetz <bernd at zeimetz.de> wrote:
> > Is this repeatable? i.e. could you show me something like
> > 1 do this
> > 2 do that
> > 3 same error occurs everytime
>
> sure.

[...]

>     dh_fixperms
> xargs: chown: Argument list too long
> dh_fixperms: command returned error code
>
> Aborted (dh_fixperms).

[...]

> bzed at one:/tmp$ uname -a
> Linux one 2.6.11.12-grsec #1 Sun Oct 30 01:40:25 CEST 2005 x86_64 GNU/Linux

[...]

Hello,
I suspect grsec to somehow be at fault.

I've built a small ugly program testexec which invokes
/bin/true (number given to testexec as argument) times 0
i.e.
testexec 5
invokes
/bin/true 00000

On both my system and pergolesi (Debian's AMD64 machine) it is easy to
find a number n so that
testexec n
succeeds and
testexec n+1
*reproducibly* fails with E2BIG. And n is approximately[1]
(getconf ARG_MAX)-sizeofenvironment-(strlen(/bin/true)+1)-15

<quote>
ametzler at pergolesi:~$ for i in `seq -w 1 1000` ;do ./testexec 130654 || break
 ;d one ; echo $i
1000
ametzler at pergolesi:~$ for i in `seq -w 1 1000` ;do ./testexec 130655 || break
 ;d one ; echo $i
Argument list too long
0001
ametzler at pergolesi:~$ echo $((`getconf ARG_MAX`-`printenv | wc -m`))
130676
<unquote>

This looks quite similar on my own system. However "one", your system,
which is using grsec behaves erratically:
<quote>
ametzler at one:~$ echo $((`getconf ARG_MAX`-`printenv | wc -m`))
129968
ametzler at one:~$ for i in `seq -w 1 1000` ;do ./testexec 125860 || break ;done
 ; echo $i Argument list too long
0350
ametzler at one:~$ for i in `seq -w 1 1000` ;do ./testexec 125860 || break ;done
 ; echo $i Argument list too long
0302
ametzler at one:~$ for i in `seq -w 1 1000` ;do ./testexec 125860 || break ;done
 ; echo $i Argument list too long
0710
<unquote>

Please note two things:
* There is a huge gap of more than 4KB between
  (getconf ARG_MAX)-(printenv | wc -m) (equals 129968) and the really
  usable number of arguments (about 125860).

* The behavior is erratic. The same command-line with identical
  environment will fail sometimes and sometimes not.

            cu andreas

[1] The "-15" varies, I guess because the basic execution modifies the
environment.
--
The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal
vision of the emperor's, and its inclusion in this work does not constitute
tacit approval by the author or the publisher for any such projects,
howsoever undertaken.                                (c) Jasper Ffforde

-------------------------------------------------------

More information about the grsecurity mailing list