Bug 131063 - cyrus-imapd: deliver segfaults
Summary: cyrus-imapd: deliver segfaults
Status: RESOLVED CANTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: AMD64 Linux
Importance: High major
Assignee: The Gentoo Linux Hardened Team
Reported: 2006-04-23 23:55 UTC by Karsten Becker
Modified: 2007-04-30 07:08 UTC

Attachments
My kernel config. (config-2.6.14-hardened-r7-server,31.73 KB, text/plain)
2006-04-23 23:58 UTC, Karsten Becker

Description Karsten Becker 2006-04-23 23:55:57 UTC
Description:

After fighting some days with cyrus-imap now, I post this report. At the moment I have three mails in my mail queue which are displayed by 'mailq':

server ~ # mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
072852BE53      443 Sun Apr 23 20:13:48  root@server.becker.homeip.net
                     (Command died with signal 11: "/usr/lib64/cyrus/deliver")
                                         wartung@becker.homeip.net
                                         root@server.becker.homeip.net

D17C955F3      1186 Mon Apr 24 07:55:29  root@desktop.int.becker.homeip.net
                     (Command died with signal 11: "/usr/lib64/cyrus/deliver")
                                         wartung@becker.homeip.net

E88AB3591C      748 Mon Apr 24 07:41:48  root@server.becker.homeip.net
                     (Command died with signal 11: "/usr/lib64/cyrus/deliver")
                                         wartung@becker.homeip.net
                                         root@server.becker.homeip.net

-- 3 Kbytes in 3 Requests.

But cyrus cannot deliver them, due to a resource overstep.

Even if I change with paxctl the memory settings to

server ~ # paxctl -v /usr/lib64/cyrus/deliver
PaX control v0.3
Copyright 2004,2005 PaX Team <pageexec@freemail.hu>

- PaX flags: -p-s-m-x-e-r [/usr/lib64/cyrus/deliver]
        PAGEEXEC is disabled
        SEGMEXEC is disabled
        MPROTECT is disabled
        RANDEXEC is disabled
        EMUTRAMP is disabled
        RANDMMAP is disabled

it doesn't work to handle the mails. I get the following output in /var/log/everything/current after doing a 'postfix flush':

[postfix/qmgr] 072852BE53: from=<root@server.becker.homeip.net>, size=443, nrcpt=1 (queue active)
Apr 24 08:39:26 [postfix/qmgr] D17C955F3: from=<root@desktop.int.becker.homeip.net>, size=1186, nrcpt=1 (queue active)
Apr 24 08:39:26 [postfix/qmgr] E88AB3591C: from=<root@server.becker.homeip.net>, size=748, nrcpt=1 (queue active)
Apr 24 08:39:26 [kernel] deliver[10949]: segfault at 0000000000000008 rip 00002b2ead2f14e6 rsp 000079c19ffc0800 error 4
Apr 24 08:39:26 [kernel] grsec: signal 11 sent to /usr/lib64/cyrus/deliver[deliver:10949] uid/euid:85/85 gid/egid:12/12, parent /usr/lib64/postfix/pipe[pipe:12988] uid/euid:0/207 gid/egid:0/207
Apr 24 08:39:26 [kernel] deliver[8906]: segfault at 0000000000000008 rip 00003772990b64e6 rsp 00007d1b85050f50 error 4
Apr 24 08:39:26 [kernel] grsec: signal 11 sent to /usr/lib64/cyrus/deliver[deliver:8906] uid/euid:85/85 gid/egid:12/12, parent /usr/lib64/postfix/pipe[pipe:23344] uid/euid:0/207 gid/egid:0/207
Apr 24 08:39:26 [kernel] deliver[21427]: segfault at 0000000000000008 rip 00002b0d0d9134e6 rsp 000072a3ce5f93f0 error 4
Apr 24 08:39:26 [kernel] grsec: signal 11 sent to /usr/lib64/cyrus/deliver[deliver:21427] uid/euid:85/85 gid/egid:12/12, parent /usr/lib64/postfix/pipe[pipe:15637] uid/euid:0/207 gid/egid:0/207
Apr 24 08:39:26 [kernel] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib64/cyrus/deliver[deliver:10949] uid/euid:85/85 gid/egid:12/12, parent /usr/lib64/postfix/pipe[pipe:12988] uid/euid:0/207 gid/egid:0/207
Apr 24 08:39:26 [kernel] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib64/cyrus/deliver[deliver:8906] uid/euid:85/85 gid/egid:12/12, parent /usr/lib64/postfix/pipe[pipe:23344] uid/euid:0/207 gid/egid:0/207
Apr 24 08:39:26 [kernel] grsec: more alerts, logging disabled for 10 seconds
Apr 24 08:39:26 [postfix/pipe] 072852BE53: to=<wartung@becker.homeip.net>, orig_to=<root>, relay=cyrus, delay=44738, status=deferred (Command died with signal 11: "/usr/lib64/cyrus/deliver")
Apr 24 08:39:26 [postfix/pipe] E88AB3591C: to=<wartung@becker.homeip.net>, orig_to=<root>, relay=cyrus, delay=3458, status=deferred (Command died with signal 11: "/usr/lib64/cyrus/deliver")
Apr 24 08:39:26 [postfix/pipe] D17C955F3: to=<wartung@becker.homeip.net>, relay=cyrus, delay=2637, status=deferred (Command died with signal 11: "/usr/lib64/cyrus/deliver")

Here is my system information:

server ~ # emerge --info
Portage 2.0.54 (hardened/amd64/multilib, gcc-3.4.5, glibc-2.3.5-r2, 2.6.14-hardened-r7-server x86_64)
=================================================================
System uname: 2.6.14-hardened-r7-server x86_64 AMD Sempron(tm) Processor 2800+
Gentoo Base System version 1.6.14
ccache version 2.3 [enabled]
dev-lang/python:     2.3.5-r2, 2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=k8"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -pipe -march=k8"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ http://pandemonium.tiscali.de/pub/gentoo/ http://ftp.du.se/pub/os/gentoo http://ftp.easynet.nl/mirror/gentoo/ http://gentoo.ynet.sk/pub http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://ftp.lug.ro/gentoo/ http://gentoo.zie.pg.gda.pl http://mirror.switch.ch/mirror/gentoo/"
LANG="de_DE.utf8"
LC_ALL="de_DE.utf8"
LDFLAGS="-Wl,-O1 -Wl,--enable-new-dtags -Wl,--sort-common -Wl,--strip-all"
LINGUAS="de"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl acpi amd64 apache apache2 bash-completion berkdb bzip2 crypt cups gdbm hardened logrotate maildir multilib mysql ncurses nls nptl nptlonly pam perl php pic python readline samba sasl ssl tcpd udev unicode userlocales zlib linguas_de userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, INSTALL_MASK, PORTDIR_OVERLAY

I will attach my kernel config after posting this report.

Regards from Germany
Comment 1 Karsten Becker 2006-04-23 23:58:06 UTC
Created attachment 85333
My kernel config.

Attached my kernel config with the kernel-side settings of grsec and pax.
Comment 2 Martin Schlemmer (RETIRED) gentoo-dev 2006-06-12 04:11:54 UTC
Pretty much same system/setup, just do not have USE=hardened (although hardened kernel).  Also have deliver segfaulting, this in main.cf works though for those that might not be able to wait:

-----
mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
-----
Comment 3 Tuan Van (RETIRED) gentoo-dev 2006-08-21 09:36:17 UTC
(In reply to comment #2)
> Pretty much same system/setup, just do not have USE=hardened (although hardened
> kernel).  Also have deliver segfaulting, this in main.cf works though for those
> that might not be able to wait:
> 
> -----
> mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
> -----
> 

Martin, and this is an AMD64 too?
Comment 4 Karsten Becker 2006-08-21 09:45:38 UTC
Well, I have news.

I got it working with disabling prelinking on the system.

How I got the idea:
After a re-emerge of cyrus-imap and postfix it worked for a day. After the first day it crashed again. I got a daily cron running doing a "prelink -afmR", so I turned that off.

And voila, since then it works. No more crashes. That seemed to be the trick for my system.

Regards
Karsten
Comment 5 Christian Heim (RETIRED) gentoo-dev 2007-04-29 14:09:55 UTC
Last time I checked, prelink wasn't playing nice with hardened systems (although it should play together).
Comment 6 Kevin F. Quinn (RETIRED) gentoo-dev 2007-04-29 19:01:58 UTC
On a PaX-enabled kernel, prelink data is ignored.  So running prelink on such a system is a waste of time, anyway :)

Having said that, I don't see how prelinking it should cause it to segfault.

Does cyrus imap really require all the PaX controls to be relaxed, or did you do that just for testing?  If it really does, I'd suggest using a different imap server...
Comment 7 PaX Team 2007-04-29 20:44:07 UTC
(In reply to comment #1)
> Created an attachment (id=85333)
> My kernel config.
> 
> Attached my kernel config with the kernel-side settings of grsec and pax.

you have CONFIG_PAX_HAVE_ACL_FLAGS=y which means that paxctl may not matter at all as the ACL system of your choice (probably grsec) has the final say over the per-process PaX flags. next, since it's a reproducible crash, you should get a coredump, or even better, run the failing command from within gdb itself and post some info like 'bt', 'x/8i $pc', 'i r', etc when the segfault occurs. 

based on the provided logs so far, it looks like some NULL deref, but we can't tell more until you can provide the gdb info. i'd also like to see an ldd on the crashing binary. also, you could leave prelink enabled but disable randomization (echo 0 > /proc/sys/kernel/randomize_va_space) and see if that still fails (and if it does, provide the same info from gdb).
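
Added example, not part of the original thread: a small triage script that parses the three kernel segfault lines from the report, decodes the x86 page-fault error code, and checks whether every crash hit the same in-page code offset despite the randomized mapping addresses. The function names are hypothetical and 4 KiB pages are assumed.

```python
import re

# Constructed sample: the three kernel segfault lines quoted in the report.
SAMPLE = """\
Apr 24 08:39:26 [kernel] deliver[10949]: segfault at 0000000000000008 rip 00002b2ead2f14e6 rsp 000079c19ffc0800 error 4
Apr 24 08:39:26 [kernel] deliver[8906]: segfault at 0000000000000008 rip 00003772990b64e6 rsp 00007d1b85050f50 error 4
Apr 24 08:39:26 [kernel] deliver[21427]: segfault at 0000000000000008 rip 00002b0d0d9134e6 rsp 000072a3ce5f93f0 error 4
"""

SEGV = re.compile(r"(\w+)\[(\d+)\]: segfault at ([0-9a-f]+) rip ([0-9a-f]+) "
                  r"rsp ([0-9a-f]+) error ([0-9a-f]+)")
PAGE = 0x1000  # assumption: 4 KiB pages; ASLR leaves the in-page offset intact


def decode_error(code):
    """Decode the x86 page-fault error code bits printed after 'error'."""
    return {
        "cause": "protection violation" if code & 1 else "page not present",
        "access": "write" if code & 2 else "read",
        "mode": "user" if code & 4 else "kernel",
        "instruction_fetch": bool(code & 16),
    }


def parse(log):
    """Return one dict per segfault line found in the log text."""
    out = []
    for m in SEGV.finditer(log):
        addr, rip = int(m.group(3), 16), int(m.group(4), 16)
        out.append({
            "comm": m.group(1), "pid": int(m.group(2)),
            "addr": addr, "rip": rip,
            "rip_page_offset": rip % PAGE,
            "near_null": addr < PAGE,  # small offset from a NULL base pointer
            **decode_error(int(m.group(6), 16)),
        })
    return out


def same_fault_site(crashes):
    """True if every crash shares one in-page code offset and fault address."""
    return len({(c["rip_page_offset"], c["addr"]) for c in crashes}) == 1


if __name__ == "__main__":
    crashes = parse(SAMPLE)
    for c in crashes:
        print(c["pid"], hex(c["addr"]), hex(c["rip_page_offset"]),
              c["mode"], c["access"], c["cause"])
    print("same fault site:", same_fault_site(crashes))
```

On these lines every crash is a user-mode read of a non-present page at address 0x8 from an instruction at in-page offset 0x4e6, which fits the NULL-dereference reading in the comment above and points at a single faulting instruction rather than random corruption.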
Comment 8 Karsten Becker 2007-04-30 07:08:07 UTC
Well,

due to the fact that it's year 2007 now and one year after my opening, the setup is stable and productive in the meantime. So I can't give you the info needed because I cannot set up a crashing IMAP on a productive system. My boss would kill me...