bronze / # sasldblistusers2 DB->get: method not permitted before handle's open method Killed Kernel logs: sasldblistusers[22044]: segfault at 869d15ec ip 00007897cb328a48 sp 00007ffaa1d1fcc0 error 4 in libdb-4.6.so[7897cb26a000+134000] Ebuilds: [ebuild R ] sys-libs/db-4.6.21_p4 USE="-doc -java -nocxx -tcl -test" 0 kB [ebuild R ] dev-libs/cyrus-sasl-2.1.23-r1 USE="berkdb crypt pam ssl urandom -authdaemond -gdbm -java -kerberos -ldap -mysql -ntlm_unsupported_patch -postgres -sample -sqlite -srp" 0 kB System: Portage 2.1.6.13 (hardened/linux/amd64/10.0/no-multilib, gcc-4.3.4, glibc-2.9_p20081201-r2, 2.6.28-hardened-r9 x86_64) ================================================================= System uname: Linux-2.6.28-hardened-r9-x86_64-Dual-Core_AMD_Opteron-tm-_Processor_2218-with-gentoo-1.12.11.1 Timestamp of tree: Tue, 20 Oct 2009 23:20:01 +0000 app-shells/bash: 4.0_p28 dev-lang/python: 2.4.6, 2.5.4-r3, 2.6.2-r1 dev-python/pycrypto: 2.0.1-r8 sys-apps/baselayout: 1.12.11.1 sys-apps/sandbox: 1.6-r2 sys-devel/autoconf: 2.63-r1 sys-devel/automake: 1.7.9-r1, 1.10.2 sys-devel/binutils: 2.18-r3 sys-devel/gcc-config: 1.4.1 sys-devel/libtool: 2.2.6a virtual/os-headers: 2.6.27-r2 ACCEPT_KEYWORDS="amd64" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=opteron -O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /var/bind" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d" CXXFLAGS="-march=opteron -O2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" LANG="en_GB.UTF-8" LC_ALL="en_GB.UTF-8" LDFLAGS="-Wl,-O1" MAKEOPTS="-j4" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://portage-rsync.linx.net/gentoo-portage" USE="amd64 bash-completion berkdb bzip2 cli cracklib crypt cups diskio dri elf gnutls gpg hardened hpn iconv idled idn ipv6 isdnlog justify lzo mmx modules mudflap ncurses no-old-linux nptl nptlonly pam pcre perl pic pppd python readline reflection session spl sse sse2 ssl sysfs unicode urandom xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY I'm blaming this on the compiler, as this tool operates correctly on this system where I have not done the big GCC upgrade yet: Portage 2.1.6.13 (hardened/amd64, gcc-3.4.6, glibc-2.9_p20081201-r2, 2.6.28-hardened-r9 x86_64) ================================================================= System uname: Linux-2.6.28-hardened-r9-x86_64-Dual-Core_AMD_Opteron-tm-_Processor_2218-with-gentoo-1.12.11.1 Timestamp of tree: Sun, 06 Sep 2009 23:15:01 +0000 app-shells/bash: 3.2_p39 dev-lang/python: 2.4.4-r6, 2.5.4-r3, 2.6.2-r1 dev-python/pycrypto: 2.0.1-r8 sys-apps/baselayout: 1.12.11.1 sys-apps/sandbox: 1.6-r2 sys-devel/autoconf: 2.63-r1 sys-devel/automake: 1.7.9-r1, 1.10.2 sys-devel/binutils: 2.18-r3 sys-devel/gcc-config: 1.4.1 sys-devel/libtool: 1.5.26 virtual/os-headers: 2.6.27-r2 ACCEPT_KEYWORDS="amd64" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=opteron -O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d" CXXFLAGS="-march=opteron -O2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" LANG="en_GB.UTF-8" LC_ALL="en_GB.UTF-8" LDFLAGS="-Wl,-O1" MAKEOPTS="-j4" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://portage-rsync.linx.net/gentoo-portage" USE="amd64 bash-completion berkdb cracklib crypt diskio elf hardened hpn idn ipv6 justify ncurses no-old-linux nptl nptlonly pam perl pic python readline sse sse2 ssl sysfs unicode urandom xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="mouse keyboard evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 intel mach64 mga neomagic nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY Note that recompiling both the affected library and the affected tool did not resolve the matter.
Created attachment 207897 [details] ALL.OUT.bz2 As requested by robbat2, here is the output of the DB 4.6 test suite. The ebuild reports failure, but the suggested grep commands result in no output for me. Used bzip2 as the extracted size is around 6 megabytes.
db 4.7.25_p4 cyrus-sasl-2.1.23 no segfault with hardened here
Here's the failures Fop002: (-btree) File system ops and permissions. Fop002.a: Test with neither read nor write permission. Fop002.a: Testing open_create for failure. FAIL:19:04:43 (00:00:00) open_create_err: expected db open:permission denied, got db15778 Rep006: Client logs are on-disk Rep006.a: Running test001 in replicated env. Rep_test: rrecno 1000 key/data pairs starting at 0 Rep_test.a: put/get loop Rep006.b: Verifying client database contents. Rep006.c: Verifying non-master db_checkpoint. Rep006.d: Verifying non-master access. FAIL:21:06:37 (00:14:17) open_err: expected 1, got 0 Are you running any grsec kernel options at all?
Created attachment 208295 [details] config.gz (In reply to comment #3) > Are you running any grsec kernel options at all? Yes, I have attached the kernel config of the problematic machine for confirmation.
after an update i have this error too... sasldblistusers[30682]: segfault at fffffff9 ip 0000680a2e715166 sp 000071a36ea61d58 error 4 in libc-2.9.so[680a2e695000+158000] grsec: From 217.91.117.252: signal 11 sent to /usr/sbin/sasldblistusers2[sasldblistusers:30682] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5493] uid/euid:0/0 gid/egid:0/0 Portage 2.1.6.13 (hardened/linux/amd64/10.0, gcc-3.4.6, glibc-2.9_p20081201-r2, 2.6.28-hardened-r6-g0b8eb1d x86_64) ================================================================= System uname: Linux-2.6.28-hardened-r6-g0b8eb1d-x86_64-AMD_Athlon-tm-_64_Processor_3000+-with-gentoo-1.12.13 Timestamp of tree: Wed, 11 Nov 2009 08:45:01 +0000 ccache version 2.4 [enabled] app-shells/bash: 4.0_p28 dev-java/java-config: 1.3.7-r1, 2.1.9-r1 dev-lang/python: 2.5.4-r2, 2.6.2-r1 dev-python/pycrypto: 2.0.1-r8 dev-util/ccache: 2.4-r7 dev-util/cmake: 2.6.4-r3 sys-apps/baselayout: 1.12.13 sys-apps/sandbox: 1.6-r2 sys-devel/autoconf: 2.13, 2.63-r1 sys-devel/automake: 1.4_p6, 1.7.9-r1, 1.9.6-r2, 1.10.2 sys-devel/binutils: 2.18-r3 sys-devel/gcc-config: 1.4.1 sys-devel/libtool: 2.2.6a virtual/os-headers: 2.6.27-r2 ACCEPT_KEYWORDS="amd64" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=athlon64 -O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /var/bind" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d" CXXFLAGS="-march=athlon64 -O2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="candy ccache distlocks fixpackages metadata-transfer parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch" GENTOO_MIRRORS="http://ftp.belnet.be/linux/gentoo rsync://ftp.snt.utwente.nl/gentoo http://ftp.heanet.ie/pub/gentoo ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo" LANG="en_US.UTF-8" LC_ALL="en_US.UTF-8" LDFLAGS="-Wl,-O1" LINGUAS="en de" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/portage/local/layman/centerim /usr/portage/local/layman/jokey /usr/portage-disturbed /usr/portage-snix" SYNC="rsync://rsync.de.gentoo.org/gentoo-portage" USE="acpi amd64 apache2 bash-completion berkdb bzip2 cdb crypt curl encode gd gif gmp gpm hardened idn imagemagick jpeg jpeg2k kerberos krb4 logrotate mbox multilib ncurses nls nptl nptlonly offensive pam pcre perl pic png python readline sasl session skey spell ssl tcpd threads tiff truetype ucs2 unicode vhosts xml zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="access auth auth_basic auth_digest authn_anon authn_dbm authn_file authz_host alias file-cache echo charset-lite cache disk-cache mem-cache ext-filter case_filter case-filter-in deflate mime-magic cern-meta expires headers usertrack unique-id proxy proxy-connect proxy-ftp proxy-http info include cgi cgid dav dav-fs vhost-alias speling rewrite log_config logio env setenvif mime status autoindex asis negotiation dir imap actions userdir so unique_id filter" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en de" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
cilly is right. after removing old db stuff no segfault with db-4.7.25_p4
(In reply to comment #6) > cilly is right. after removing old db stuff no segfault with db-4.7.25_p4 > In my case, cyrus-sasl was linked to db-4.6 libraries instead of db-4.7.25_p4 and this was the root of problem. Rebuilding of cyrus-sasl was not helped. The problem gone after unmerging old db versions and revdep-rebuild.
Created attachment 217372 [details] updated db patch -- includes db-4.7 add 4.7 entry into the patch -- so it will be linked against 4.7 if available
In the tree. Not really necessary with db-use but changed it anyway. Closing.
