Bug 541706 - app-portage/mirrorselect-2.2.2: segfaults at a hardened server
Summary: app-portage/mirrorselect-2.2.2: segfaults at a hardened server
Status: RESOLVED DUPLICATE of bug 525494
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Linux bug wranglers
Reported: 2015-02-28 19:49 UTC by Toralf Förster
Modified: 2015-02-28 21:02 UTC
Description Toralf Förster gentoo-dev 2015-02-28 19:49:42 UTC
On a hardened desktop it works well, but the server gives for
$> mirrorselect -s5 --output

this (strace) output:

open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 4
fstat(4, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
poll([{fd=4, events=POLLIN}], 1, 10)    = 1 ([{fd=4, revents=POLLIN}])
read(4, "y\2101\2\363\321\6\346\245`bl\273\20\0\242\230\267\325\376\223\313u\210\221\316\314\31y\31Y\343", 32) = 32
close(4)                                = 0
getuid()                                = 0
stat("/usr/lib64/python2.7/site-packages/cffi/gc_weakref", 0x3a647e104e0) = -1 ENOENT (No such file or directory)
open("/usr/lib64/python2.7/site-packages/cffi/gc_weakref.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/python2.7/site-packages/cffi/gc_weakrefmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/python2.7/site-packages/cffi/gc_weakref.py", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=586, ...}) = 0
open("/usr/lib64/python2.7/site-packages/cffi/gc_weakref.pyc", O_RDONLY) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=1158, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2937d465000
read(5, "\3\363\r\na\277`Sc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0s*\0\0\0d\0"..., 4096) = 1158
fstat(5, {st_mode=S_IFREG|0644, st_size=1158, ...}) = 0
read(5, "", 4096)                       = 0
close(5)                                = 0
munmap(0x2937d465000, 4096)             = 0
close(4)                                = 0
munmap(0x29377126000, 262144)           = 0
...
munmap(0x293776e6000, 262144)           = 0
munmap(0x29377726000, 262144)           = 0
munmap(0x293777e6000, 262144)           = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = -1 EPERM (Operation not permitted)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0xc} ---
+++ killed by SIGSEGV +++
Segmentation fault





tor-relay ~ # emerge --info mirrorselect 
Portage 2.2.14 (python 2.7.9-final-0, hardened/linux/amd64, gcc-4.8.3, glibc-2.19-r1, 3.18.7-hardened-r1 x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-3.18.7-hardened-r1-x86_64-Intel-R-_Core-TM-_i7-3770_CPU_@_3.40GHz-with-gentoo-2.2
KiB Mem:    16164808 total,   2225104 free
KiB Swap:   16777212 total,  16747048 free
Timestamp of tree: Sat, 28 Feb 2015 14:15:01 +0000
ld GNU ld (Gentoo 2.24 p1.4) 2.24
app-shells/bash:          4.2_p53
dev-lang/perl:            5.20.1-r4
dev-lang/python:          2.7.9-r1, 3.3.5-r1
dev-util/pkgconfig:       0.28-r1
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.13.11
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.69
sys-devel/automake:       1.13.4
sys-devel/binutils:       2.24-r3
sys-devel/gcc:            4.8.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.4
sys-devel/make:           4.1-r1
sys-kernel/linux-headers: 3.16 (virtual/os-headers)
sys-libs/glibc:           2.19-r1
Repositories: gentoo toralf
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=native"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=native"
DISTDIR="/var/lib/distfiles"
EMERGE_DEFAULT_OPTS="--keep-going=y --nospinner --tree --quiet-build --quiet --deep"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs compress-build-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://ftp.uni-erlangen.de/pub/mirrors/gentoo http://ftp-stud.hs-esslingen.de/pub/Mirrors/gentoo/ http://gd.tuwien.ac.at/opsys/linux/gentoo/"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="acl amd64 berkdb bzip2 cli cracklib crypt cxx dbus dnssec dri gdbm hardened iconv justify libav logrotate mbox mmx modules multilib ncurses nls nptl openmp pam pax_kernel pcre readline session sse sse2 sse3 sse4 sse4.1 sse4.2 ssl tcpd threads tor-hardening unicode urandom vim-syntax xattr xtpax zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" RUBY_TARGETS="ruby19 ruby20" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan 
length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

=================================================================
                        Package Settings
=================================================================

app-portage/mirrorselect-2.2.2 was built with the following:
USE="" ABI_X86="64" PYTHON_TARGETS="python2_7 python3_3 -python3_4"
Comment 1 Toralf Förster gentoo-dev 2015-02-28 19:52:05 UTC
And this in /var/log/grsec.log is the reason:

Feb 28 20:50:01 tor-relay kernel: [366551.471544] grsec: From 78.54.131.194: denied RWX mmap of <anonymous mapping> by /usr/lib64/python-exec/python2.7/mirrorselect[mirrorselect:12380] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5406] uid/euid:0/0 gid/egid:0/0

Feb 28 20:50:01 tor-relay kernel: [366551.471574] grsec: From 78.54.131.194: Segmentation fault occurred at 000000000000000c in /usr/lib64/python-exec/python2.7/mirrorselect[mirrorselect:12380] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5406] uid/euid:0/0 gid/egid:0/0

Feb 28 20:50:01 tor-relay kernel: [366551.471605] grsec: From 78.54.131.194: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib64/python-exec/python2.7/mirrorselect[mirrorselect:12380] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5406] uid/euid:0/0 gid/egid:0/0

The RWX map is wrong IMO, here's an explanation why:

http://www.zwiebeltoralf.de/torserver/cep2/index.html
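
A defender-side triage sketch for the grsec.log entries quoted in the comment above, added here as an example (it is not part of the bug report or of mirrorselect): it pairs each `denied RWX mmap` line with a later segmentation fault of the same PID. The sample lines are constructed, the regular expressions are assumptions derived only from the lines shown in this report, and `triage` is a hypothetical name.

```python
import re

# Constructed sample lines in the grsec.log format quoted in this report
# (192.0.2.10 is a documentation address; /usr/bin/example is made up).
SAMPLE_LOG = """\
Feb 28 20:50:01 host kernel: [366551.471544] grsec: From 192.0.2.10: denied RWX mmap of <anonymous mapping> by /usr/lib64/python-exec/python2.7/mirrorselect[mirrorselect:12380] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5406] uid/euid:0/0 gid/egid:0/0
Feb 28 20:50:01 host kernel: [366551.471574] grsec: From 192.0.2.10: Segmentation fault occurred at 000000000000000c in /usr/lib64/python-exec/python2.7/mirrorselect[mirrorselect:12380] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5406] uid/euid:0/0 gid/egid:0/0
Feb 28 20:51:10 host kernel: [366620.100000] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/example[example:12400] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5406] uid/euid:1000/1000 gid/egid:1000/1000
"""

# Assumed pattern for the "path[comm:pid]" token, derived from the quoted lines.
PROC = r"(?P<exe>/\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
PREFIX = r"grsec: (?:From \S+: )?"  # the "From <ip>:" part is treated as optional
RWX_RE = re.compile(PREFIX + r"denied RWX mmap of (?P<what>.+?) by " + PROC)
SEGV_RE = re.compile(
    PREFIX + r"Segmentation fault occurred at (?P<addr>[0-9a-fA-F]+) in " + PROC)


def triage(log_text):
    """One record per process denied an RWX mmap, flagged if it then crashed."""
    events = {}  # (exe, pid) -> record; dicts keep insertion order
    for line in log_text.splitlines():
        m = RWX_RE.search(line)
        if m:
            key = (m.group("exe"), int(m.group("pid")))
            events.setdefault(key, {
                "exe": key[0], "pid": key[1], "mapping": m.group("what"),
                "crashed": False, "fault_addr": None, "near_null": False,
            })
            continue
        m = SEGV_RE.search(line)
        if m:
            key = (m.group("exe"), int(m.group("pid")))
            if key in events:  # crash follows a denial for the same process
                addr = int(m.group("addr"), 16)
                # Heuristic: a fault inside the first page suggests a NULL
                # pointer used after the refused mapping went unchecked.
                events[key].update(crashed=True, fault_addr=addr,
                                   near_null=addr < 4096)
    return list(events.values())


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
```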
Comment 2 Magnus Granberg gentoo-dev 2015-02-28 21:02:49 UTC

*** This bug has been marked as a duplicate of bug 525494 ***