nginx worker crashes, grsec denial
I have a Xen guest which is having problems with nginx and grsec.
Worker processes for nginx fail when HTTP requests are made.

Each request leaves messages much like these:
[ 800.424417] nginx[7540]: segfault at 8 ip 00000c513b8ba644 sp
00007138a2675300 error 4 in nginx[c513b882000+f0000]
[ 800.424428] grsec: From 202.76.166.249: Segmentation fault occurred
at 0000000000000008 in /usr/sbin/nginx[nginx:7540] uid/euid:102/102
gid/egid:247/247, parent /usr/sbin/nginx[nginx:7389] uid/euid:0/0
gid/egid:0/0
[ 800.424435] grsec: From 202.76.166.249: bruteforce prevention
initiated for the next 30 minutes or until service restarted, stalling
each fork 30 seconds. Please investigate the crash report for
/usr/sbin/nginx[nginx:7540] uid/euid:102/102 gid/egid:247/247, parent
/usr/sbin/nginx[nginx:7389] uid/euid:0/0 gid/egid:0/0
[ 800.424441] grsec: From 202.76.166.249: denied resource overstep by
requesting 4096 for RLIMIT_CORE against limit 0 for
/usr/sbin/nginx[nginx:7540] uid/euid:102/102 gid/egid:247/247, parent
/usr/sbin/nginx[nginx:7389] uid/euid:0/0 gid/egid:0/0

It would be great if someone could tell me what sysctl options or
kernel options I can change to fix this in the short term. It might
take me a while to understand the problem better and it would be good
to have the system running.

This system has changed recently from a VirtualBox guest to being a
Xen guest. So the kernel is built differently; I am using the
grsecurity defaults for a Xen guest with performance priorities. It
ran fine as a VirtualBox guest.

Let me know if you need more info.

--
www.johntate.org
Re: nginx worker crashes, grsec denial
I just realized this error is because of the attempt to dump core. It
is not why nginx is crashing.

Sorry.

--
www.johntate.org
Re: Re: nginx worker crashes, grsec denial
On 10/23/14 09:35, John Tate wrote:
> I just realized this error is because of the attempt to dump core. It
> is not why nginx is crashing.
>
> Sorry.
>

"RLIMIT_CORE against limit 0" is just grsec telling you that nginx tried
to dump core bigger than size 0 bytes. You can use ulimit to get that
core if you like. But even if the kernel were killing it, this is a
problem in nginx. Most problems where the hardened kernel prevents stuff
from happening are an issue with the app itself. Convincing upstream to
fix their clever feature is the hard part. E.g. JIT code in python and
libffi and cffi, etc.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
Re: Re: nginx worker crashes, grsec denial
On Mon, Oct 27, 2014 at 11:19 PM, Anthony G. Basile
<basile@opensource.dyc.edu> wrote:
> On 10/23/14 09:35, John Tate wrote:
>>
>> I just realized this error is because of the attempt to dump core. It
>> is not why nginx is crashing.
>>
>> Sorry.
>>
>
> "RLIMIT_CORE against limit 0" is just grsec telling you that nginx tried to
> dump core bigger than size 0 bytes. You can use ulimit to get that core if
> you like. But even if the kernel were killing it, this is a problem in
> nginx. Most problems where the hardened kernel prevents stuff from happening
> are an issue with the app itself. Convincing upstream to fix their clever
> feature is the hard part. E.g. JIT code in python and libffi and cffi, etc.

Thanks, though I worked that out. I migrated the system from
VirtualBox to Xen and thought the only thing that had to be changed
was the kernel. It turns out that nginx itself needed to be rebuilt
for this system. I asked for help prematurely having assumed the
problem was out of my league.

>
> --
> Anthony G. Basile, Ph. D.
> Chair of Information Technology
> D'Youville College
> Buffalo, NY 14201
> (716) 829-8197
>



--
www.johntate.org
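
Added example, not part of the thread: a Python sketch that triages the kernel lines from the first message, decoding the segfault line and marking the grsec RLIMIT_CORE denial as a follow-on of the crash rather than its cause. The function names are hypothetical; the sample is the log quoted above with mail wrapping undone and the parent-process suffix dropped.

```python
import re

# Sample: two lines from the first message, unwrapped, parent suffix dropped.
SAMPLE = (
    "[ 800.424417] nginx[7540]: segfault at 8 ip 00000c513b8ba644 sp "
    "00007138a2675300 error 4 in nginx[c513b882000+f0000]\n"
    "[ 800.424441] grsec: From 202.76.166.249: denied resource overstep by "
    "requesting 4096 for RLIMIT_CORE against limit 0 for "
    "/usr/sbin/nginx[nginx:7540] uid/euid:102/102 gid/egid:247/247\n"
)

SEGV = re.compile(r"\S+\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
                  r"ip (?P<ip>[0-9a-f]+) sp [0-9a-f]+ error (?P<err>\d+)"
                  r"(?: in \S+\[(?P<base>[0-9a-f]+)\+[0-9a-f]+\])?")
CORE = re.compile(r"grsec: .*denied resource overstep by requesting \d+ for "
                  r"RLIMIT_CORE against limit (?P<limit>\d+) for "
                  r"\S+\[\w+:(?P<pid>\d+)\]")

def decode_error(code):
    """Decode the low x86 page-fault error-code bits printed after 'error'."""
    return {
        "cause": "protection violation" if code & 1 else "page not present",
        "access": "write" if code & 2 else "read",
        "mode": "user" if code & 4 else "kernel",
    }

def triage(log):
    """Return (crashes by pid, notes about follow-on grsec denials)."""
    crashes, notes = {}, []
    for line in log.splitlines():
        m = SEGV.search(line)
        if m:
            info = decode_error(int(m["err"]))
            info["addr"] = int(m["addr"], 16)
            # Offset of the faulting instruction inside the mapping the kernel
            # printed: a starting point for symbol lookup in the binary.
            base = m["base"]
            info["offset"] = int(m["ip"], 16) - int(base, 16) if base else None
            crashes[int(m["pid"])] = info
            continue
        m = CORE.search(line)
        if m:
            pid = int(m["pid"])
            kind = "consequence of crash" if pid in crashes else "unexplained"
            notes.append((pid, f"core dump refused (RLIMIT_CORE={m['limit']})", kind))
    return crashes, notes

if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the sample, the crash is a user-mode read of an unmapped page at address 8, and the RLIMIT_CORE line belongs to the same PID, so it reports the refused core dump and not the reason the worker died.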