[CentOS] Memory Leak with stock Squirrelmail, PHP, mysql, apache since 5.3
Hi list,

We are experiencing a memory leak on our SquirrelMail server since the 5.3 update. The server is fully updated, only stock rpms. The httpd processes are eating all the memory and after swapping like hell, the server becomes unresponsive and we must hard-reboot it. The server is not that heavily loaded (max 10-15 concurrent users but with tons of mail in their inbox). Configuration-wise, nothing was changed before and after the update.

Is there someone else experiencing the same thing? How can I search deeper for the origin of the leak?

Thx,
kfx

Details follow:

Screenshot from munin showing the memory usage graph: http://uppix.net/e/a/7/cd2bdea933d57b0e28bde1f96b854.png

[r...@webmail ~]# uname -a
Linux webmail 2.6.18-128.1.6.el5xen #1 SMP Wed Apr 1 09:53:14 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux

[r...@webmail ~]# yum list | grep -e php -e squirrel -e mysql -e httpd | grep installed
httpd.x86_64                       2.2.3-22.el5.centos       installed
mysql.x86_64                       5.0.45-7.el5              installed
mysql-server.x86_64                5.0.45-7.el5              installed
php.x86_64                         5.1.6-23.el5              installed
php-cli.x86_64                     5.1.6-23.el5              installed
php-common.x86_64                  5.1.6-23.el5              installed
php-ldap.x86_64                    5.1.6-23.el5              installed
php-mbstring.x86_64                5.1.6-23.el5              installed
php-mysql.x86_64                   5.1.6-23.el5              installed
php-pdo.x86_64                     5.1.6-23.el5              installed
php-pear.noarch                    1:1.4.9-4.el5.1           installed
php-pear-DB.noarch                 1.7.13-1.el5.centos       installed
php-pear-MDB2.noarch               2.4.1-2.el5.centos        installed
php-pear-MDB2-Driver-mysql.noarch  1.4.1-3.el5.centos        installed
squirrelmail.noarch                1.4.8-5.el5.centos.3      installed

Dmesg:
Apr 2 17:18:28 s_lo...@webmail kernel: init invoked oom-killer: gfp_mask=0x201d2, order=0, oomkilladj=0
Apr 2 17:18:28 s_lo...@webmail kernel:
Apr 2 17:18:28 s_lo...@webmail kernel: Call Trace:
Apr 2 17:18:28 s_lo...@webmail kernel: [] out_of_memory+0x8b/0x203
Apr 2 17:18:28 s_lo...@webmail kernel: [] __alloc_pages+0x245/0x2ce
Apr 2 17:18:28 s_lo...@webmail kernel: [] __do_page_cache_readahead+0xd0/0x21c
Apr 2 17:18:28 s_lo...@webmail kernel: [] __wait_on_bit_lock+0x5b/0x66
Apr 2 17:18:28 s_lo...@webmail kernel: [] :dm_mod:dm_any_congested+0x38/0x3f
Apr 2 17:18:28 s_lo...@webmail kernel: [] filemap_nopage+0x148/0x322
Apr 2 17:18:28 s_lo...@webmail kernel: [] __handle_mm_fault+0x440/0x11f6
Apr 2 17:18:28 s_lo...@webmail kernel: [] _spin_lock_irqsave+0x9/0x14
Apr 2 17:18:28 s_lo...@webmail kernel: [] do_page_fault+0xf7b/0x12e0
Apr 2 17:18:28 s_lo...@webmail kernel: [] error_exit+0x0/0x6e
Apr 2 17:18:28 s_lo...@webmail kernel:
Apr 2 17:18:28 s_lo...@webmail kernel: Mem-info:
Apr 2 17:18:28 s_lo...@webmail kernel: DMA per-cpu:
Apr 2 17:18:28 s_lo...@webmail kernel: cpu 0 hot: high 186, batch 31 used:84
Apr 2 17:18:28 s_lo...@webmail kernel: cpu 0 cold: high 62, batch 15 used:57
Apr 2 17:18:28 s_lo...@webmail kernel: DMA32 per-cpu: empty
Apr 2 17:18:28 s_lo...@webmail kernel: Normal per-cpu: empty
Apr 2 17:18:28 s_lo...@webmail kernel: HighMem per-cpu: empty
Apr 2 17:18:28 s_lo...@webmail kernel: Free pages: 2912kB (0kB HighMem)
Apr 2 17:18:28 s_lo...@webmail kernel: Active:73144 inactive:40971 dirty:0 writeback:0 unstable:0 free:728 slab:4076 mapped-file:2 mapped-anon:114411 pagetables:2857
Apr 2 17:18:28 s_lo...@webmail kernel: DMA free:2912kB min:2916kB low:3644kB high:4372kB active:292576kB inactive:163884kB present:532480kB pages_scanned:1521701 all_unreclaimable? yes
Apr 2 17:18:28 s_lo...@webmail kernel: lowmem_reserve[]: 0 0 0 0
Apr 2 17:18:28 s_lo...@webmail kernel: DMA32 free:0kB min:0kB low:0kB high:0kB active:0kB inactive:0kB present:0kB pages_scanned:0 all_unreclaimable? no
Apr 2 17:18:28 s_lo...@webmail kernel: lowmem_reserve[]: 0 0 0 0
Apr 2 17:18:28 s_lo...@webmail kernel: Normal free:0kB min:0kB low:0kB high:0kB active:0kB inactive:0kB present:0kB pages_scanned:0 all_unreclaimable? no
Apr 2 17:18:28 s_lo...@webmail kernel: lowmem_reserve[]: 0 0 0 0
Apr 2 17:18:28 s_lo...@webmail kernel: HighMem free:0kB min:128kB low:128kB high:128kB active:0kB inactive:0kB present:0kB pages_scanned:0 all_unreclaimable? no
Apr 2 17:18:28 s_lo...@webmail kernel: lowmem_reserve[]: 0 0 0 0
Apr 2 17:18:28 s_lo...@webmail kernel: DMA: 12*4kB 8*8kB 3*16kB 0*32kB 1*64kB 1*128kB 0*256kB 1*512kB 0*1024kB 1*2048kB 0*4096kB = 2912kB
Apr 2 17:18:28 s_lo...@webmail kernel: DMA32: empty
Apr 2 17:18:28 s_lo...@webmail kernel: Normal: empty
Apr 2 17:18:28 s_lo.
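The question of how to dig deeper was left open in the thread. As an added example (not from the post, and not anything SquirrelMail or CentOS ships), the script below narrows a leak like this down to individual httpd children: it snapshots the RSS of every httpd process twice, a few minutes apart, and lists the children that grew. The function names, the 20 MB threshold and the PIDs and sizes in the demo are this example's own; the only thing that touches the live box is `ps -C httpd -o pid=,rss=`.

```shell
#!/bin/bash
# Added example, not from the original post: find which httpd children are growing.
# Usage on the live server (needs only procps and awk):
#   snapshot_httpd > /tmp/httpd.before; sleep 300; snapshot_httpd > /tmp/httpd.after
#   report_growth /tmp/httpd.before /tmp/httpd.after 20480

# One "pid rss_kb" line per httpd process (ps reports RSS in KiB).
snapshot_httpd() {
    ps -C httpd -o pid=,rss=
}

# report_growth BEFORE AFTER THRESHOLD_KB
# Prints "pid rss_before rss_after" for every pid present in both snapshots
# whose RSS grew by more than THRESHOLD_KB. Children recycled in between
# (new pid) are ignored on purpose: a leaking child keeps its pid and keeps
# growing, which is exactly the signature we are after.
report_growth() {
    awk -v thr="$3" '
        NR == FNR { before[$1] = $2; next }
        ($1 in before) && ($2 - before[$1] > thr) { print $1, before[$1], $2 }
    ' "$1" "$2"
}

# Constructed snapshots (not real measurements) so the function can be
# exercised without a leaking server: two of four children grew by ~65 MB
# and ~120 MB, the other two by 100 KB.
demo_with_constructed_data() {
    before=$(mktemp) || return 1
    after=$(mktemp) || return 1
    printf '%s\n' '2301 31200' '2302 30900' '2303 31500' '2304 31100' > "$before"
    printf '%s\n' '2301 31300' '2302 98400' '2303 31600' '2304 155000' > "$after"
    report_growth "$before" "$after" 20480
    rm -f "$before" "$after"
}

demo_with_constructed_data
```

Once the growing children are known, attaching to one with strace or dumping its `/proc/PID/smaps` tells you whether it is the PHP heap or a module. Independently of finding the cause, `MaxRequestsPerChild` (prefork) bounds how long any one child can leak before httpd recycles it, and PHP's `memory_limit` bounds a single request; neither locates the leak, but both stop it from reaching the OOM killer shown in the dmesg above.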
[CentOS] RH's servers breached
What's the point of this for us CentOS users?

http://www.redhat.com/security/data/openssh-blacklist.html

Regards,
kfx

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Help with iptables rule for blocking UDP port 53
Sean Carolan wrote:
> I would like to block all DNS queries that come from one particular ip address. I used TCPdump to verify that the queries were in fact, coming from this IP:
>
> [EMAIL PROTECTED]:~]$ sudo tcpdump -n udp port 53 and src 10.100.1.1
> tcpdump: listening on eth0
> 11:12:17.162100 10.100.1.1.19233 > 10.100.1.61.domain: 14270+ A? server.domain.com. (32) (DF)
>
> Could someone help with the proper syntax for an IPtables rule to block port 53 udp traffic from this IP? I tried this rule but it doesn't work:
>
> -A RH-Firewall-1-INPUT -s 10.100.1.1 -m udp -p udp --dport 53 -j REJECT

Strange... your rule seems ok to me. Try with DROP instead of REJECT?
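Swapping REJECT for DROP changes what the sender sees, not whether the rule matches. The first thing to check with a rule that is correct on paper but never fires is its position: `-A` appends to the end of RH-Firewall-1-INPUT, and if the box answers DNS (the tcpdump above shows it being asked) that chain already has an ACCEPT for udp/53 higher up, followed by the final catch-all REJECT, so packets never reach the appended rule. The added script below (not from the thread) reads an `iptables-save` style listing and reports whether a source-specific rule for a port is shadowed by an earlier ACCEPT. The listings it is demonstrated on are constructed to mirror the situation in the question, using the thread's chain name, port and address; `check_order` and the listing helpers are this example's names.

```shell
#!/bin/bash
# Added example, not from the original thread: detect a shadowed iptables rule.
# Usage on the live box:  iptables-save > /tmp/rules; check_order /tmp/rules 53 10.100.1.1

# check_order LISTING PORT SRC
# LISTING holds iptables-save style rules, one per line. Finds the first rule
# for --dport PORT that carries "-s SRC" and reports whether an ACCEPT for the
# same port precedes it. Exit status: 0 ok, 1 no such rule, 2 shadowed.
check_order() {
    awk -v port="$2" -v src="$3" '
        # only rules that match the port we care about
        $0 ~ ("--dport " port "( |$)") {
            # iptables-save prints the source as given or with /32 appended
            if (index($0, "-s " src " ") || index($0, "-s " src "/32 ")) {
                if (!specific) specific = NR
            } else if ($0 ~ /-j ACCEPT/ && !accept) {
                accept = NR
            }
        }
        END {
            if (!specific) { print "no rule for " src " on port " port; exit 1 }
            if (accept && accept < specific) {
                print "shadowed: ACCEPT at line " accept " precedes the rule at line " specific
                exit 2
            }
            print "ok: rule at line " specific " is evaluated before any ACCEPT for port " port
        }
    ' "$1"
}

# Constructed listing (not a real dump): the stock CentOS chain with DNS open,
# plus the REJECT from the question appended with -A, i.e. after everything.
constructed_listing() {
    printf '%s\n' \
      '-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
      '-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT' \
      '-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited' \
      '-A RH-Firewall-1-INPUT -s 10.100.1.1 -m udp -p udp --dport 53 -j REJECT' > "$1"
}

# Same chain after "iptables -I RH-Firewall-1-INPUT 1 ..." put the rule first.
constructed_listing_fixed() {
    printf '%s\n' \
      '-A RH-Firewall-1-INPUT -s 10.100.1.1 -m udp -p udp --dport 53 -j REJECT' \
      '-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
      '-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT' \
      '-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited' > "$1"
}

tmp=$(mktemp)
constructed_listing "$tmp"
check_order "$tmp" 53 10.100.1.1 || echo "exit status $?"        # shadowed, exit 2
constructed_listing_fixed "$tmp"
check_order "$tmp" 53 10.100.1.1 || echo "exit status $?"        # ok, exit 0
rm -f "$tmp"
```

To fix the live chain, insert instead of append (`iptables -I RH-Firewall-1-INPUT 1 -s 10.100.1.1 -p udp --dport 53 -j DROP`), and for persistence on CentOS put the line above the udp/53 ACCEPT in /etc/sysconfig/iptables, since `service iptables save` writes the chain in evaluation order.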
[CentOS] /usr/bin/id behavior since CentOS 5.2 upgrade
Hi list,

Since the upgrade to 5.2, when I log into my server with an ldap account I have these 2 error messages:

-bash: [: =: unary operator expected
-bash: [: -le: unary operator expected

After investigation, the trouble comes from two scripts in /etc/profile.d:

/etc/profile.d/krb5-workstation.sh
/etc/profile.d/vim.sh

The problem is with the tests where the command "id" is involved, like:

if [ `/usr/bin/id -u` = 0 ] ;

If I add double quotes ("`/usr/bin/id -u`"), it will work again. Indeed, as a connected ldap user, the id command returns nothing when quoted:

[EMAIL PROTECTED] ~]$ /usr/bin/id -u
12345
[EMAIL PROTECTED] ~]$ `/usr/bin/id -u`
[EMAIL PROTECTED] ~]$

As a normal user, the command behaves normally:

[EMAIL PROTECTED] ~]$ `/usr/bin/id -u`
-bash: 1302: command not found
[EMAIL PROTECTED] ~]$ /usr/bin/id -u
1302

I have modified these two scripts but I am afraid it will break something in the future. Any idea on how to resolve this cleanly?

Best regards,
kfx

PS: Linux server 2.6.18-92.1.1.el5xen #1 SMP Sat Jun 21 19:21:20 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
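What the two profile.d tests trip over is the empty command substitution: with nothing between the brackets but `= 0` (or `-le 100`), `[` sees a one-operand expression and reports the unary operator error. Quoting the substitution, as done above, turns the empty result into an empty string, which compares unequal to 0 and simply falls through. The added shell below (not from the thread, and not the stock scripts' code) reproduces both behaviours against stand-in `id` commands so the difference can be checked without an LDAP account; the stand-ins, the `-n` guard and the function names are this example's assumptions.

```shell
#!/bin/bash
# Added example, not from the original thread: the /etc/profile.d test pattern
# with the id command swapped for stand-ins, so an empty result is reproducible.

# The pattern used by the stock scripts: unquoted command substitution in [ ].
# When the command prints nothing the test degenerates to "[ = 0 ]" and the
# shell reports "unary operator expected" (exit status 2).
is_root_unquoted() { [ $("$@") = 0 ]; }

# Quoted: an empty result becomes the empty string "", which is not 0
# (exit 1), so the script carries on instead of spewing errors at login.
is_root_quoted() { [ "$("$@")" = 0 ]; }

# Safer still for the numeric "-le" style test: refuse to compare at all when
# id gave no answer, rather than treating "" as 0 or as a syntax error.
is_system_account() {
    uid=$("$@")
    [ -n "$uid" ] && [ "$uid" -le 100 ]
}

# Stand-ins for /usr/bin/id -u (constructed; only the empty one is unusual).
fake_id_root()  { echo 0; }
fake_id_user()  { echo 1302; }
fake_id_empty() { :; }        # models the LDAP case from the post

# Run a test function and report its exit status without aborting on failure.
show() { rc=0; "$@" || rc=$?; echo "$1 $2 -> exit $rc"; }

show is_root_unquoted  fake_id_empty    # exit 2, plus the error from the post
show is_root_quoted    fake_id_empty    # exit 1
show is_root_quoted    fake_id_root     # exit 0
show is_system_account fake_id_empty    # exit 1
show is_system_account fake_id_user     # exit 1
```

Both files belong to packages (`rpm -qf /etc/profile.d/vim.sh` and `rpm -qf /etc/profile.d/krb5-workstation.sh` name the owners), so a hand edit shows up in `rpm -V` and may be replaced by an update; re-check the two tests after each update of those packages.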
Re: [CentOS] Commercial Support for CentOS 5 or above
Michael Simpson wrote:
> On 6/17/08, Daniel Chen (yongnche) <[EMAIL PROTECTED]> wrote:
>> Hi,
>> I saw there's one "Commercial Support" in "Support" menu on CentOS main page, but it's blank. Actually I'm looking for the commercial support for CentOS, is there anyone or organization which is doing this? Thank you very much.
>> --
>> Best regards,
>> Daniel
>
> CentOS is based on RedHat and is kinda RedHat without the proprietary stuff and with community support only AFAIK. However, without RedHat it wouldn't exist. If you need paid-for commercial support can I recommend that you purchase a RedHat subscription.
>
> best wishes
> mike

Yes. It would be kinda suicidal for CentOS to go on commercial support.
Re: [CentOS] Is tripwire still being developed?
Mag Gam wrote:
> sorry I didn't mean to break any rules on the mailing list. So, open source version of Tripwire isn't developed anymore? I am hesitant to try new tools without any bells and whistles :-)

I don't know AIDE, but I'm using Osiris http://osiris.shmoo.com/ since a while with no problem. Can someone who knows both products tell which one is the best?

kfx.

> On Sat, Mar 29, 2008 at 2:44 PM, Jim Perrin <[EMAIL PROTECTED]> wrote:
>> On Sat, Mar 29, 2008 at 11:21 AM, Mag Gam <[EMAIL PROTECTED]> wrote absolutely nothing of use, however:
>>
>> For centos5, aide is built in, and does what tripwire did
>>
>> You can find a walkthrough here -> http://www.bofh-hunter.com/2007/12/04/centos-5-and-aide/
>>
>> --
>> During times of universal deceit, telling the truth becomes a revolutionary act.
>> George Orwell
Re: [CentOS] How to install hp laserjet 1018?
Heiko Adams wrote:
> Hello,
> does anyone have an idea how to use an hp laserjet 1018 with CentOS 5? I didn't find any driver for this printer on CentOS 5.

On CentOS 5.1, I have followed the instructions there: http://foo2zjs.rkkda.com/

It's working flawlessly.

kfx.
Re: [CentOS] local root exploit
Akemi Yagi wrote:
> On Feb 12, 2008 8:40 AM, kfx <[EMAIL PROTECTED]> wrote:
>> I did, for the record: http://people.redhat.com/dzickus/el5/
>> BEWARE that it will remove ALL the older kernels.
>
> No, that is simply not true. I have tested a couple of kernels from http://people.redhat.com/dzickus/el5/ and neither removed my older kernels and I was able to go back to my original kernel without a hitch. Maybe you did not install the kernel *correctly*?

My bad, you are right. I did a "rpm -Uvh kernel-xen-2.6.18-80.el5.x86_64.rpm"

kfx

> Akemi

Regards,
kfx
Re: [CentOS] securing web applications (Wiki CMS installation)
mouss wrote:
> Johnny Hughes wrote:
>> Simon Jolle wrote:
>>> 2008/2/11, James A. Peltier <[EMAIL PROTECTED]>:
>>>> This is a very broad question to ask, however, I will appeal to the basics.
>>>> 1) Use HTTPS whenever possible to avoid any passwords crossing the wire in clear text.
>>>> 2) Ensure only the necessary modules are installed or enabled for your CMS to operate.
>>>> 3) Always think least permissions necessary to perform the task
>>>> 4) Ensure that MySQL is locked down with least permissions necessary. At the very least after you've installed MySQL make sure to run the secure-mysql-installation script to assign a password to the MySQL root user and lock down some of the basic tables.
>>>> Each system is different and you should follow the guidelines outlined by the CMS to properly secure. If you are not sure of what you are deploying, that's kinda scary, you should be wary of that and tread lightly.
>>>
>>> thank you
>>> I will deploy Wikka Wiki [0] - there are no explicit security settings or guidelines
>>> How to harden Apache and PHP (without using SELinux)?
>>
>> SELinux is the "best" hardening step available for securing RH based php/httpd/mysql stacks (IMHO) ... why are you taking it off the table ???
>
> Let me try:
> - because it's too much? complexity is the enemy of security. lack of adequate documentation is the enemy of usability. I couldn't find simple directions on how to make a service work correctly in presence of selinux (except disabling it).

-
# Activate auditd
chkconfig auditd on && /etc/init.d/auditd start
# Start apache and do your stuff to generate messages in audit.log
restorecon -R /var/www/
audit2allow -M rule-name < /var/log/audit/audit.log
semodule -i rule-name.pp
-

You should read (and maybe modify) the file "rule-name.te", created by the audit2allow command, before running the semodule command. It is not really the correct way to do it as it is likely going to open too much stuff. It's just to show you that you can live with selinux enabled. Think that selinux can make you save time.

Regards,
kfx

> all docs I've seen place the discussion in a meta-world and require spending time understanding terminology and concepts that I am not sure to find useful.
> - because it doesn't secure apache/php. it secures the system against apache (to some extent) but doesn't help securing apache itself.
>
> besides SELinux, you might want to look at php-suhosin: http://www.hughesjr.com/content/view/21/1/
> It would be nice if RH included this by default...
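The warning in the steps above, that a module generated straight from audit.log is likely to open too much, is the part worth automating. The added script below (not from the thread, not part of audit2allow) scans the generated rule-name.te for allow rules that grant write-class or execute-class permissions and lists them for review before `semodule -i`; exit status 1 means something was flagged. The .te it is demonstrated on is constructed to look like typical audit2allow output for httpd_t, not taken from a real system, and `review_te`, the permission list and the helper names are this example's own.

```shell
#!/bin/bash
# Added example, not from the original thread: flag the allow rules in an
# audit2allow-generated .te that deserve a look before "semodule -i".
# Usage:  review_te rule-name.te      (exit 1 when something was flagged)

# Permissions that turn "read my content" into "modify the system" or
# "run arbitrary code"; anything granting these to httpd_t needs a reason.
REVIEW_PERMS='write|append|create|unlink|rename|setattr|execute|execmem|execmod|relabelto|relabelfrom'

review_te() {
    awk -v re="^(${REVIEW_PERMS})\$" '
        /^allow / {
            # allow <src> <tgt>:<class> <perm> ;   or   ... { perm perm } ;
            line = $0
            sub(/;[ \t]*$/, "", line)
            n = split(line, f, /[ \t]+/)
            perms = ""
            for (i = 4; i <= n; i++) perms = perms " " f[i]
            gsub(/[{}]/, "", perms)
            m = split(perms, p, /[ \t]+/)
            for (i = 1; i <= m; i++)
                if (p[i] ~ re) { print "REVIEW: " $0; bad++; break }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed .te in the shape audit2allow -M produces (not a real module).
constructed_te() {
    cat > "$1" <<'EOF'
module rule-name 1.0;

require {
        type httpd_t;
        type httpd_sys_content_t;
        type var_log_t;
        type http_port_t;
        class file { read getattr write };
        class dir { search add_name write };
        class tcp_socket name_connect;
}

#============= httpd_t ==============
allow httpd_t httpd_sys_content_t:file { read getattr };
allow httpd_t httpd_sys_content_t:file write;
allow httpd_t var_log_t:dir { search add_name write };
allow httpd_t http_port_t:tcp_socket name_connect;
EOF
}

tmp=$(mktemp)
constructed_te "$tmp"
review_te "$tmp" || echo "flagged rules above need a justification before semodule -i"
rm -f "$tmp"
```

Of the four constructed rules only the two writes get flagged, and both are better handled without a custom allow: httpd's own logs carry httpd_log_t, so a write into var_log_t is a labelling problem for `restorecon` or `chcon`, and web content that PHP must write belongs under the read-write content type rather than a blanket write on httpd_sys_content_t. The unflagged `name_connect` is the case the stock booleans cover (`setsebool -P httpd_can_network_connect on`), which is preferable to a generated module because it survives policy updates.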
Re: [CentOS] local root exploit
Johnny Hughes wrote:
> kfx wrote:
>> R P Herrold wrote:
>>> On Mon, 11 Feb 2008, kfx wrote:
>>>> The official patch for Debian has been out for a couple of hours... Why does it take so long for RHEL? Just a question, not a troll or something.
>>>
>>> 1. ask them
>>
>> it was a question, not a troll (bis).
>
> However, you are asking the wrong people ... we have no idea.
>
> Also ... it *_IS_* trolling (or at least certainly silly) to post that Debian had the patch and RHEL doesn't ... so let's make RHEL be Debian. Fedora also has the patch released and RHEL doesn't ... I don't want RHEL to be Fedora either.

huh? Well you are right, my question was a bit silly but this thread was closed (for me at least) yesterday with Mr Van Dolson's last intervention. Why do you come out now from nowhere like "hey troll spotted! you are silly" or what? It's just that it is a hard time for rhel, the 1.6 NFS issue then this one. And now we are going to have to choose between being exploitable or a decent nfs support.

> Maybe you are using the wrong distro ... I want stable kernels on my servers, so I'll take the extra day of testing. For people who do not want stable and tested software, switch distros.

And the "change distro" speech is quite puerile, you think we all have the choice? or that we can switch dozens of servers like this? I can imagine that this exploit is not dramatic for a lot of people. But in certain cases, like in an academic environment, where we have a lot of untrusted user accounts, something like this IS problematic.

> [...] Rest assured that as soon as the upstream people have a patch, so will the CentOS team.

And thank you for your work.

> However, we are not going to rush a non tested patch out the door. There are patches listed on the upstream bug, if you (figurative ... meaning anyone who wants to not wait) really want to integrate that into your own kernels in the interim then please do.

I did, for the record: http://people.redhat.com/dzickus/el5/
BEWARE that it will remove ALL the older kernels.

Regards,
kfx

> Thanks,
> Johnny Hughes
Re: [CentOS] local root exploit
R P Herrold wrote:
> On Mon, 11 Feb 2008, kfx wrote:
>> The official patch for Debian has been out for a couple of hours... Why does it take so long for RHEL? Just a question, not a troll or something.
>
> 1. ask them

it was a question, not a troll (bis).

> 2. there have been reports of stability problems with the patch

you mean that adding a validation of user input in the code leads to stability problems?

> -- it does little good to rush out a fix for a non-remote root exploit that causes boxes to crash. One assumes some robustness testing is in play.

I certainly hope so.

> -- Russ herrold
Re: [CentOS] local root exploit
The official patch for Debian has been out for a couple of hours... Why does it take so long for RHEL? Just a question, not a troll or something.

kfx
Re: [CentOS] local root exploit
Valent Turkovic wrote:
> I saw that there is a local root exploit in the wild.
> http://blog.kagesenshi.org/2008/02/local-root-exploit-on-wild.html
> And I see my centos box still has: 2.6.18-53.1.4.el5
> yum says there are no updates... am I safe?
> Valent.

No you're not... and a lot of us are in this very embarrassing situation...

You can compile (you need the kernel-PAE-devel rpm) and insmod this kernel module while waiting for redhat to push out a new kernel and then for centos to reroll it. http://home.powertech.no/oystein/ptpatch2008/

kfx
Re: [CentOS] apache mod_authnz_ldap: multiple servers syntaxes
Thanks Jim for your answer:

Jim Perrin wrote:
> On 7/18/07, kfx <[EMAIL PROTECTED]> wrote:
>> Hello,
>> I'm trying this here first before moving to the apache list. Maybe someone of you use mod_authnz_ldap with multiple ldap servers declaration for redundancy.
>
> I'm not certain that you can do this with multiple servers. You might consider looking at the mod_ldap connection pooling functions for better performance.
>
>> With one server declared it is working.
>>
>> Here is what I've tried for adding another one (space separated as read in the apache's doc):
>>
>> AuthLDAPURL ldaps://ldap1.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo) ldaps://ldap2.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo)
>>
>> Result:
>> Syntax error on line 43 of /etc/httpd/conf.d/trac.conf:
>> Invalid LDAP connection mode setting: must be one of NONE, SSL, or TLS/STARTTLS
>
> You're getting this because technically your syntax is wrong. There are a couple separate parts to the AuthLDAPUrl string, one of which is a security directive which follows the url. For example, I use something like:
>
> AuthLDAPUrl "ldaps://my.server.here/ou=foo,ou=bar, o=u.s, c=us?cn" SSL
>
> The ssl specifies the security for the url in addition to the 'ldaps'. It's not documented overly well in my opinion.

I agree:

http://httpd.apache.org/docs/2.2/mod/mod_ldap.html --> no indications on more than one ldap servers declaration

http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html --> "host:port The name/port of the ldap server (defaults to localhost:389 for ldap, and localhost:636 for ldaps). To specify multiple, redundant LDAP servers, just list all servers, separated by spaces. mod_authnz_ldap will try connecting to each server in turn, until it makes a successful connection."

That's what I'm trying to do, with no result...

How do you people achieve redundancy on LDAP based web authentication?

Thx,
kfx
[CentOS] apache mod_authnz_ldap: multiple servers syntaxes
Hello,

I'm trying this here first before moving to the apache list. Maybe someone of you use mod_authnz_ldap with multiple ldap servers declaration for redundancy.

With one server declared it is working.

Here is what I've tried for adding another one (space separated as read in the apache's doc):

AuthLDAPURL ldaps://ldap1.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo) ldaps://ldap2.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo)

Result:
Syntax error on line 43 of /etc/httpd/conf.d/trac.conf:
Invalid LDAP connection mode setting: must be one of NONE, SSL, or TLS/STARTTLS

Second test with quotes (as seen with some googling):

AuthLDAPURL "ldaps://ldap1.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo) ldaps://ldap2.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo)"

Result:
Syntax error on line 43 of /etc/httpd/conf.d/trac.conf:
Bad URL encountered while parsing LDAP URL.

I've also tried to quote each ldap's declaration. No go.

Can someone show me the clean way to achieve this?

Thanks,
kfx.
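The two error messages in this post and in the reply quoted earlier in the thread say what the parser did: with the unquoted form, the word after the first URL was taken as the optional connection-mode argument (NONE, SSL or TLS/STARTTLS), and with the quoted form a string holding two complete URLs is not one URL. The documented "separated by spaces" applies to the host:port part of a single URL, not to whole URLs. The added fragment below (not from the thread, not anything the poster reported working) is that form; the hosts, base DN and filter are the thread's placeholders, while the `<Location /trac>` and the AuthName are assumptions for the trac.conf mentioned above.

```apache
# Added example, not from the thread: redundant LDAP servers in one AuthLDAPURL.
# <Location> and AuthName are assumed for the Trac vhost named in the post.
<Location /trac>
    AuthType Basic
    AuthName "Trac"
    AuthBasicProvider ldap
    # Both hosts go in the host part of ONE URL, separated by a space, and the
    # whole URL is quoted so the second host is not read as the mode keyword.
    # mod_authnz_ldap tries ldap1 first and falls back to ldap2 when it cannot
    # connect. The trailing SSL is redundant with ldaps:// but makes it explicit.
    AuthLDAPURL "ldaps://ldap1.example.com ldap2.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo)" SSL
    Require valid-user
</Location>
```

Two things to verify before relying on the fallback: `httpd -t` must accept the line, and the second server's certificate must chain to a CA that mod_ldap trusts (`LDAPTrustedGlobalCert` in the server config), otherwise the primary works and the fallback fails the certificate check at exactly the moment it is needed. The fallback also only covers connection failures; a server that answers but returns errors is not skipped.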