From: Vincent Danen
Newsgroups: gmane.comp.sysutils.supervision.general
Subject: Re: problem with chpst and memory locking
Date: Fri, 21 Dec 2007 19:34:59 -0700
Message-ID: <20071222023459.GD394@linsec.ca>
References: <20071222015848.GC394@linsec.ca>
To: supervision@list.skarnet.org

* Vincent Danen [2007-12-21 18:58:48 -0700]:

[...]
> That memory setting should be well under the established limits. An
> strace shows me:
>
> [root@artemis log]# strace chpst -m 100000 -u vdanen /bin/sh
> execve("/sbin/chpst", ["chpst", "-m", "100000", "-u", "vdanen", "/bin/sh"], [/* 41 vars */]) = 0
> open("/dev/urandom", O_RDONLY) = 3
> read(3, "\216\266\246\243\vp\245\242", 8) = 8
> close(3) = 0
> open("/etc/passwd", O_RDONLY) = 3
> lseek(3, 0, SEEK_END) = 1486
> mmap(NULL, 1486, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2b5440b0a000
> close(3) = 0
> munmap(0x2b5440b0a000, 1486) = 0
> setgroups(1, [1001]) = 0
> setgid(1001) = 0
> setuid(1001) = 0
> getrlimit(RLIMIT_DATA, {rlim_cur=12288*1024, rlim_max=RLIM_INFINITY}) = 0
> setrlimit(RLIMIT_DATA, {rlim_cur=100000, rlim_max=RLIM_INFINITY}) = 0
> getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
> setrlimit(RLIMIT_STACK, {rlim_cur=100000, rlim_max=RLIM_INFINITY}) = 0
> getrlimit(RLIMIT_MEMLOCK, {rlim_cur=32*1024, rlim_max=32*1024}) = 0
> setrlimit(RLIMIT_MEMLOCK, {rlim_cur=32*1024, rlim_max=32*1024}) = 0
> getrlimit(RLIMIT_AS, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0
> setrlimit(RLIMIT_AS, {rlim_cur=100000, rlim_max=RLIM_INFINITY}) = 0
> execve("/bin/sh", ["/bin/sh"], [/* 41 vars */]) = -1 ENOMEM (Cannot allocate memory)
> +++ killed by SIGKILL +++
>
>
> Does anyone know why this is happening? If I'm recalling correctly, I
> think dietlibc or a change in dietlibc was the culprit before, but I
> can't remember.
>
> Removing the memory restrictions to the chpst calls works well enough,
> but it would be nice to be able to use them since they are there.

/me feels stupid

The problem is bash has been updated and apparently requires more
memory. Time to replace those scripts with execline-based ones I think.

Sorry for the noise.

--
Vincent Danen @ http://linsec.ca/
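
An added example, not part of the original message and not chpst's own code: it repeats the four setrlimit calls visible in the strace in a forked child, execs a command, and goes one step further by bisecting for the smallest byte limit at which that command still starts, so a `-m` value can be chosen from a measurement. The names `exec_under_limit`, `min_working_limit` and `SAMPLE_CMD` are hypothetical, and a Linux host with `/bin/sh` is assumed.

```c
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

static char *const SAMPLE_CMD[] = { "/bin/sh", "-c", ":", NULL }; /* constructed sample */

/* Set a soft limit, clamped to the hard limit (see RLIMIT_MEMLOCK in the strace). */
static int lower_limit(int resource, rlim_t bytes) {
    struct rlimit r;
    if (getrlimit(resource, &r) == -1) return -1;
    r.rlim_cur = bytes > r.rlim_max ? r.rlim_max : bytes;
    return setrlimit(resource, &r);
}

/* Fork, apply the four limits seen in the strace, exec argv. Returns 0 if
 * the command ran and exited 0, else 1. RLIM_INFINITY = apply no limit. */
int exec_under_limit(rlim_t bytes, char *const argv[]) {
    static const int res[] = { RLIMIT_DATA, RLIMIT_STACK, RLIMIT_MEMLOCK, RLIMIT_AS };
    int status;
    pid_t pid = fork();
    if (pid == -1) return 1;
    if (pid == 0) {
        for (size_t i = 0; bytes != RLIM_INFINITY && i < 4; i++)
            if (lower_limit(res[i], bytes) == -1) _exit(126);
        execv(argv[0], argv);
        _exit(127); /* reached only if execve() returned an error */
    }
    if (waitpid(pid, &status, 0) == -1) return 1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : 1;
}

/* Bisect for the smallest limit (within 4096 bytes) that still lets argv run; 0 if `hi` fails. */
rlim_t min_working_limit(char *const argv[], rlim_t hi) {
    rlim_t lo = 0;
    if (exec_under_limit(hi, argv) != 0) return 0;
    while (hi - lo > 4096) {
        rlim_t mid = lo + (hi - lo) / 2;
        if (exec_under_limit(mid, argv) == 0) hi = mid; else lo = mid;
    }
    return hi;
}

int main(void) {
    printf("-m 100000: %s\n", exec_under_limit(100000, SAMPLE_CMD) ? "fails" : "runs");
    printf("smallest working limit: ~%lu bytes\n",
           (unsigned long)min_working_limit(SAMPLE_CMD, (rlim_t)1 << 30));
    return 0;
}
```

The measured minimum covers only process start-up, so a limit used in a run script needs headroom above it for whatever the service allocates afterwards.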