[tech] Grsec
Matt Johnston
matt at ucc.asn.au
Mon Dec 8 21:30:48 WST 2003
On Sun, Dec 07, 2003 at 11:51:46AM +0800, Paul Marinceu wrote:
>
> Also, the side effects can be very obscure and hard to pinpoint. Another
> thing to add to someone who's developing experimental/pre-release code
> that's buggy anyway.
>
> I guess grsec can be configured to be less restrictive...but will this
> work. Maybe next week, I'll find something else that breaks. Also,
> lowering the security goes against the whole point of having grsec...
I've poked a bit more (thanks to Bernard too), and it seems that the
issues with most software can be fixed with a
chpax -s executablename
(-s disables non-executable pages). Valgrind pokes a bit more at program
internals, so requires
chpax -rs progtorun
before running Valgrind on progtorun. chpax -xperms should disable all of
the things which might cause issues - these are all logged at the bottom of
dmesg.
Lines in dmesg such as:
grsec: From 130.95.105.96: attempted resource overstep by requesting 4096
for RLIMIT_CORE against limit 0 by (die:18960) UID(11154) EUID(11154),
parent (zsh:1368) UID(11154) EUID(11154)
are simply logging that a core dump would have happened (the program
segfaulted) but was limited, probably by the shell. If you want the dump,
"ulimit -c unlimited" will unlimit it.
Cheers,
Matt
More information about the tech
mailing list