Gentoo Forums
ntpd crash with ipv6 on hardened (solved)
opotonil
l33t


Joined: 17 Jun 2005
Posts: 801
Location: 127.0.0.1

Posted: Sat Jul 30, 2011 12:32 pm    Post subject: ntpd crash with ipv6 on hardened (solved)

I have configured IPv6 on my hardened server with a tunnelbroker tunnel configured on a router running OpenWrt; it seems to be working well:
Code:

# ping6 ipv6.google.com -c 3
PING ipv6.google.com(wy-in-x63.1e100.net) 56 data bytes
64 bytes from wy-in-x63.1e100.net: icmp_seq=1 ttl=55 time=46.6 ms
64 bytes from wy-in-x63.1e100.net: icmp_seq=2 ttl=55 time=46.8 ms
64 bytes from wy-in-x63.1e100.net: icmp_seq=3 ttl=55 time=46.3 ms

--- ipv6.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 46.311/46.584/46.828/0.212 ms


Since the server has had support for IPv6, ntpd crashes:
Code:

# /etc/init.d/ntpd start
 * Starting ntpd ...                                                      [ ok ]
# /etc/init.d/ntpd status
 * status: crashed


In the logs I can see:
Code:

[414496.228869] ntpd[5936]: segfault at 8 ip 00000dddb9b4af91 sp 00007351740fce20 error 4 in ntpd[dddb9b2d000+91000]
[414496.228890] grsec: From 192.168.255.5: Segmentation fault occurred at 0000000000000008 in /usr/sbin/ntpd[ntpd:5936] uid/euid:123/123 gid/egid:123/123, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[414496.228914] grsec: bruteforce prevention initiated against uid 123, banning for 15 minutes

Code:

Jul 30 14:20:44 server ntpd[5987]: ntpd 4.2.6p3@1.2290-o Mon Jul 25 18:01:27 UTC 2011 (1)
Jul 30 14:20:44 server ntpd[5988]: proto: precision = 0.312 usec
Jul 30 14:20:44 server ntpd[5988]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Jul 30 14:20:44 server ntpd[5988]: Listen and drop on 1 v6wildcard :: UDP 123
Jul 30 14:20:44 server ntpd[5988]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jul 30 14:20:44 server ntpd[5988]: Listen normally on 3 eth0 192.168.255.2 UDP 123
Jul 30 14:20:44 server ntpd[5988]: Listen normally on 4 eth0 fe80::223:7dff:fe06:d28b UDP 123
Jul 30 14:20:44 server ntpd[5988]: Listen normally on 5 eth0 2001:xxx:xxxx:ffff::2 UDP 123
Jul 30 14:20:44 server ntpd[5988]: Listen normally on 6 lo ::1 UDP 123
Jul 30 14:20:44 server ntpd[5988]: peers refreshed
Jul 30 14:20:45 server ntpd[5988]: Cannot setuid() to user `ntp': Operation not permitted


If I comment out the IPv6 configuration in /etc/conf.d/net and the system is rebooted, ntpd works well. If I comment out the IPv6 configuration in /etc/conf.d/net and the network is restarted, ntpd doesn't work.


Last edited by opotonil on Thu Aug 04, 2011 6:15 pm; edited 1 time in total
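
The kernel segfault line quoted in the post above can be triaged before any core file exists. The following is an added example, not part of the original thread: it decodes the x86 page-fault error code and computes the faulting instruction's offset inside the ntpd mapping, which stays the same across runs of a PIE binary. It assumes the mapping starts at file offset 0, so the offset can be handed to a symbolizer together with a build that kept debug information.

```python
import re

# Constructed sample: two of the kernel lines quoted in the post above.
SAMPLE = """\
[414496.228869] ntpd[5936]: segfault at 8 ip 00000dddb9b4af91 sp 00007351740fce20 error 4 in ntpd[dddb9b2d000+91000]
[414496.228914] grsec: bruteforce prevention initiated against uid 123, banning for 15 minutes
"""
SEGV = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?")
BAN = re.compile(r"grsec: bruteforce prevention initiated against uid (\d+), "
                 r"banning for (\d+) minutes")

def decode_error(err):
    """Decode the x86 page-fault error code bits printed after 'error'."""
    return {
        "cause": "protection violation" if err & 1 else "page not present",
        "access": "write" if err & 2 else "read",
        "mode": "user" if err & 4 else "kernel",
        "instruction_fetch": bool(err & 16),
    }

def triage(log):
    """Return (faults, bans): one dict per segfault line and per grsec uid ban."""
    faults, bans = [], []
    for line in log.splitlines():
        m = SEGV.search(line)
        if m:
            addr, ip = int(m["addr"], 16), int(m["ip"], 16)
            # A fault address inside the first page is almost always a NULL
            # pointer plus a small structure-member offset.
            f = {"comm": m["comm"], "pid": int(m["pid"]), "addr": addr,
                 "fault": decode_error(int(m["err"], 16)),
                 "null_deref": addr < 4096, "object": m["obj"], "offset": None}
            if m["base"]:
                base, size = int(m["base"], 16), int(m["size"], 16)
                if base <= ip < base + size:
                    f["offset"] = ip - base  # independent of the ASLR base
            faults.append(f)
        b = BAN.search(line)
        if b:
            bans.append({"uid": int(b[1]), "minutes": int(b[2])})
    return faults, bans

if __name__ == "__main__":
    for f in triage(SAMPLE)[0]:
        print(f["comm"], f["fault"], hex(f["offset"]))
```

For the line in the post this gives offset 0x1df91 and a user-mode read of an unmapped page at address 8, the usual signature of a NULL structure pointer being dereferenced.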
Hu
Administrator


Joined: 06 Mar 2007
Posts: 21920

Posted: Sat Jul 30, 2011 5:10 pm

What is the output of emerge --info net-misc/ntp? Does it help if net-misc/ntp is built with a non-hardened gcc?
opotonil
l33t


Joined: 17 Jun 2005
Posts: 801
Location: 127.0.0.1

Posted: Sat Jul 30, 2011 5:21 pm

Output of emerge --info net-misc/ntp:
Code:

# emerge --info net-misc/ntp
Portage 2.2.0_alpha47 (hardened/linux/amd64, gcc-4.4.5, glibc-2.12.2-r0, 2.6.38-hardened-r6 x86_64)
=================================================================
                        System Settings
=================================================================
System uname: Linux-2.6.38-hardened-r6-x86_64-Intel-R-_Xeon-R-_CPU_E5405_@_2.00GHz-with-gentoo-2.0.3
Timestamp of tree: Fri, 29 Jul 2011 18:30:01 +0000
app-shells/bash:          4.1_p9
dev-lang/python:          2.7.1-r1, 3.1.3-r1
dev-util/cmake:           2.8.4-r1
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          0.8.3-r1
sys-apps/sandbox:         2.4
sys-devel/autoconf:       2.68
sys-devel/automake:       1.11.1
sys-devel/binutils:       2.20.1-r1
sys-devel/gcc:            4.4.5
sys-devel/gcc-config:     1.4.1-r1
sys-devel/libtool:        2.2.10
sys-devel/make:           3.82
sys-kernel/linux-headers: 2.6.36.1 (virtual/os-headers)
sys-libs/glibc:           2.12.2
Repositories: gentoo local
Installed sets:
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -mtune=generic -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/openvpn/easy-rsa"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=core2 -mtune=generic -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles fixpackages news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="es_ES.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="es"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl amd64 bzip2 caps cgi cli cracklib crypt cups cxx dri fam gdbm gpm hardened iconv ipv6 jpeg justify mmx modules mudflap multilib mysql ncurses nls nptl nptlonly openmp pam pcre perl png pppd python readline samba scanner session sse sse2 ssl sysfs tcpd threads tiff unicode urandom usb xattr xinetd xml xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="braindump flow karbon kexi kpresenter krita tables words" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="es" PHP_TARGETS="php5-3" QEMU_SOFTMMU_TARGETS="i386 x86_64" QEMU_USER_TARGETS="i386 x86_64" RUBY_TARGETS="ruby18" SANE_BACKENDS="net" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options 
ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

net-misc/ntp-4.2.6_p3 was built with the following:
USE="caps ipv6 (multilib) ssl -debug -openntpd -parse-clocks (-selinux) -snmp -vim-syntax -zeroconf"


I tried to build it with x86_64-pc-linux-gnu-4.4.5-vanilla, but the error persists.


Last edited by opotonil on Mon Aug 01, 2011 11:48 am; edited 1 time in total
Hu
Administrator


Joined: 06 Mar 2007
Posts: 21920

Posted: Sat Jul 30, 2011 6:25 pm

That suggests a bug in ntp, which is easier to handle than a miscompilation bug.

You will probably need to obtain a core file and associated backtrace.
opotonil
l33t


Joined: 17 Jun 2005
Posts: 801
Location: 127.0.0.1

Posted: Mon Aug 01, 2011 12:28 pm

I think the bug has to be reported to Gentoo bugzilla -> Gentoo Linux -> Component: hardened. Is this correct?

To obtain a core file and associated backtrace, I am reading:
http://www.gentoo.org/proj/en/qa/backtraces.xml

I understand the kernel is configured correctly:
Code:

# cat /usr/src/linux/.config | grep ELF_CORE
CONFIG_ELF_CORE=y


I modified make.conf
Code:

CFLAGS="-march=core2 -mtune=generic -O2 -pipe -ggdb"


and I have rebuilt ntp:
Code:

# FEATURE="$FEATURE splitdebug" emerge ntp


but when I try to get a core dump with
Code:

# ulimit -c unlimited
# /etc/init.d/ntpd start
 * Starting ntpd ...                                                      [ ok ]

and with
Code:

# ulimit -c unlimited
# /usr/sbin/ntpd -p /var/run/ntpd.pid -u ntp:ntp

In both cases I can't find any core or core.pid file. What am I doing wrong?
Hu
Administrator


Joined: 06 Mar 2007
Posts: 21920

Posted: Mon Aug 01, 2011 11:29 pm

I would need to investigate to see why no core dump is produced. However, I can point out now that you wrote FEATURE=, but the correct spelling is FEATURES=. Therefore, Portage ignored your change and stripped the binary anyway. This would not prevent generation of a core file, but would make the generated core file difficult to use.
opotonil
l33t


Joined: 17 Jun 2005
Posts: 801
Location: 127.0.0.1

Posted: Thu Aug 04, 2011 6:14 pm

The problem was using the vde bridge (vde_pcapplug); ntp works well without it.