[grsec] Solved - DAC permissions, signal 11, limit 0, NX and xterms
John Logsdon
j.logsdon at quantex-research.com
Tue May 31 07:06:13 EDT 2005
In the end, it wasn't a grsec problem but grsec was useful in pointing the
finger.
The solution turned out to be that as part of my hand-hardening procedure,
I had inadvertently (well that's the polite way of saying it) changed
/etc/termcap from 0644 to 0640 so it couldn't get any resources. strace
showed this easily when I also realised that it worked OK in root but I
was using NX to log into a regular account first!
Say no more - sorry to bother the list!
Best wishes
John
John Logsdon "Try to make things as simple
Quantex Research Ltd, Manchester UK as possible but not simpler"
j.logsdon at quantex-research.com a.einstein at relativity.org
+44(0)161 445 4951/G:+44(0)7717758675 www.quantex-research.com
---------- Forwarded message ----------
Date: Tue, 31 May 2005 06:27:00 +0100 (GMT)
From: John Logsdon <j.logsdon at quantex-research.com>
To: grsecurity at grsecurity.net
Subject: DAC permissions, signal 11, limit 0, NX and xterms
I have a recurrent problem that only occurs when trying to fire up an
xterm client on a client system from NX (www.nomachine.com). I keep
getting:
May 30 20:21:10 unix kernel: grsec: From 217.155.43.225: signal 11 sent to
/usr/bin/xterm[xterm:16707] uid/euid:500/500 gid/egid:500/500, parent
/sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
which is a seg fault.
I did previously have (following the above message - a different test
time):
May 30 20:10:49 unix kernel: grsec: From 217.155.43.225: denied resource
overstep by requesting 4096 for RLIMIT_CORE against limit 0 for
/usr/bin/xterm[xterm:21660] uid/euid:500/500 gid/egid:500/500, parent
/sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
as well but I paxctl'd that out. The limit 0 shows that somewhere
/usr/bin/xterm is not being allowed any resources at all when initiated
from NX. I can recreate the message pair by paxctl -PS /usr/bin/xterm.
I can ssh into the box with no difficulty and I can also issue an xterm
directly from a shell and it throws up a new xterm for me.
The kernel is 2.6.11.7-grsec on CentOS4 but grsec is not enabled.
I have been tightening some DAC permissions which I think is the cause but
I can't see which permission is the culprit. Unfortunately it is not
possible to strace within NX either from the client GUI or within the
server itself.
Any idea where this may have come from?
TIA
John
John Logsdon "Try to make things as simple
Quantex Research Ltd, Manchester UK as possible but not simpler"
j.logsdon at quantex-research.com a.einstein at relativity.org
+44(0)161 445 4951/G:+44(0)7717758675 www.quantex-research.com
More information about the grsecurity
mailing list