[SOLVED] LetsEncrypt (certbot) Segfault
dacr
n00b


Joined: 15 Jun 2016
Posts: 2

Posted: Wed Jun 15, 2016 9:01 pm    Post subject: [SOLVED] LetsEncrypt (certbot) Segfault

Hi,

I installed certbot on two similar servers.
ServerA is working fine, but ServerB is not OK.


Code:
# equery list python
* Searching for python ...
[IP-] [ ] dev-lang/python-2.7.10-r1:2.7

# equery list certbot
* Searching for certbot ...
[IP-] [ ] app-crypt/certbot-0.6.0:0


If I run certbot, I get a segfault:

Code:
...
setsockopt(4, SOL_TCP, TCP_NODELAY, [1], 4) = 0
fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR) = 0
connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("104.103.97.15")}, 16) = 0
gettimeofday({1466015284, 800180}, NULL) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2405, ...}) = 0
fstat(12, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
read(12, "\2334\234r\264V; Q\255ned\324\347'", 16) = 16
fstat(12, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
read(12, "\273pj\303\216\226\36\377\374\34\256\215\7Z\260\344", 16) = 16
fstat(12, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
read(12, "\233\360\221\34vW\303,\227\337\310\214\245yT\372", 16) = 16
open("/proc/self/status", O_RDONLY) = 5
fstat(5, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x6d666c076000
read(5, "Name:\tcertbot\nState:\tR (running)"..., 1024) = 768
close(5) = 0
munmap(0x6d666c076000, 4096) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = -1 EPERM (Operation not permitted)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0} ---
+++ killed by SIGSEGV +++
segmentation fault


(The result is the same with webroot, standalone and manual; I tried installing from git, and the result is the same.)



Code:
# revdep-rebuild
* Configuring search environment for revdep-rebuild

* Checking reverse dependencies
* Packages containing binaries and libraries broken by a package update
* will be emerged.

* Collecting system binaries and libraries
* Generated new 1_files.rr
* Collecting complete LD_LIBRARY_PATH
* Generated new 2_ldpath.rr
* Checking dynamic linking consistency
[ 100% ]

* Dynamic linking on your system is consistent... All done.


Google did not help.
Does anyone have ideas?
Thank you!


Edit:

Code:
Jun 15 23:25:34 serverB kernel: grsec: From xxx.xxx.xxx.xxx: denied RWX mmap of <anonymous mapping> by /usr/lib64/python-exec/python2.7/certbot[certbot:9533] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9527] uid/euid:0/0 gid/egid:0/0
Jun 15 23:25:35 serverB kernel: grsec: From xxx.xxx.xxx.xxx: denied RWX mmap of <anonymous mapping> by /usr/lib64/python-exec/python2.7/certbot[certbot:9533] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9527] uid/euid:0/0 gid/egid:0/0
Jun 15 23:25:35 serverB kernel: certbot[9533]: segfault at 0 ip 0000721f2a022245 sp 000074b40eab3dd0 error 6 in libffi.so.6.0.1[721f2a01c000+8000]
Jun 15 23:25:35 serverA kernel: grsec: From xxx.xxx.xxx.xxx: Segmentation fault occurred at (nil) in /usr/lib64/python-exec/python2.7/certbot[certbot:9533] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9527] uid/euid:0/0 gid/egid:0/0
Jun 15 23:25:35 serverB kernel: grsec: From xxx.xxx.xxx.xxx: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib64/python-exec/python2.7/certbot[certbot:9533] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9527] uid/euid:0/0 gid/egid:0/0


Last edited by dacr on Thu Jun 16, 2016 4:51 pm; edited 1 time in total
Syl20
Guru


Joined: 04 Aug 2005
Posts: 564
Location: France

Posted: Thu Jun 16, 2016 10:03 am    Post subject: Re: LetsEncrypt (certbot) Segfault

dacr wrote:
ServerA is working fine, but ServerB is not OK.

Are both using the same Grsecurity parameters (particularly the PaX ones)? You can allow memory mapping to certbot by running
Code:
# paxctl-ng -m /usr/lib64/python-exec/python2.7/certbot
dacr
n00b


Joined: 15 Jun 2016
Posts: 2

Posted: Thu Jun 16, 2016 4:50 pm    Post subject:

This solution does not work because certbot is not an ELF executable.
I found a great client and I use it now:
https://github.com/Neilpang/acme.sh

Problem solved, thank you for your time. :)
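
Added example (not part of any post above, and not code from certbot or grsecurity): a shell triage helper for the situation in this thread. It pulls the denied path out of a grsec "denied RWX mmap" log line and reports whether that path is an ELF object or a "#!" script; PaX markings are read from the ELF the kernel loads, so for a script the file that matters is its interpreter. The function names rwx_denials and pax_target and the sample line (constructed from the log format quoted in the first post) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. SAMPLE_LOG is constructed from the
# grsec log format quoted in the first post (address already redacted there).
SAMPLE_LOG='Jun 15 23:25:34 serverB kernel: grsec: From xxx.xxx.xxx.xxx: denied RWX mmap of <anonymous mapping> by /usr/lib64/python-exec/python2.7/certbot[certbot:9533] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9527] uid/euid:0/0 gid/egid:0/0'

# Read kernel log lines on stdin; print "path comm pid" once per denied
# RWX mmap (the path is the file that was exec'd, not necessarily an ELF).
rwx_denials() {
    sed -n 's|.*grsec: .*denied RWX mmap of .* by \(/[^[]*\)\[\([^:]*\):\([0-9]*\)] uid/euid.*|\1 \2 \3|p' |
        sort -u
}

# Classify a file by its first bytes, as execve() does:
#   "elf <file>"           ELF object, carries its own PaX marking
#   "script <interpreter>" "#!" script; the kernel loads the interpreter,
#                          so that ELF's marking is the one in effect
#   "unknown <file>"       neither
# Only one step is resolved: for "#!/usr/bin/env python" this reports env.
pax_target() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case $magic in
        7f454c46)
            printf 'elf %s\n' "$1" ;;
        2321*)
            interp=$(head -n 1 "$1" | sed 's/^#![[:space:]]*//; s/[[:space:]].*//')
            printf 'script %s\n' "$interp" ;;
        *)
            printf 'unknown %s\n' "$1" ;;
    esac
}

# Demo: list the denied paths in the sample, then classify any that exist here.
printf '%s\n' "$SAMPLE_LOG" | rwx_denials | while read -r path comm pid; do
    printf 'denied: %s (comm=%s pid=%s)\n' "$path" "$comm" "$pid"
    if [ -r "$path" ]; then pax_target "$path"; fi
done
```

A marking placed on the interpreter applies to every script that interpreter runs, not only to the one named in the log line.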