Problem: You are receiving PAX errors for one or more applications (PHP, for example).
Log example:
Jan 1 12:00:54 hostname kernel: grsec: From 1.2.3.4: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /opt/cpanel/ea-php70/root/usr/bin/lsphp[lsphp:11604] uid/euid:1001/1001 gid/egid:1000/1000, parent /usr/local/lsws/bin/lshttpd.5.0.18[litespeed:11405] uid/euid:99/99 gid/egid:99/99
Jan 1 12:00:54 hostname kernel: PAX: execution attempt in: <anonymous mapping>, 353513ab000-35351426000 353513ab000
Jan 1 12:00:54 hostname kernel: PAX: terminating task: /opt/cpanel/ea-php70/root/usr/bin/lsphp(lsphp):11605, uid/euid: 1001/1001, PC: 00000353513ab010, SP: 000003c83294db38
Jan 1 12:00:54 hostname kernel: PAX: bytes at PC: 41 54 41 55 41 56 41 57 53 48 8b df 48 83 ec 50 48 8b 43 10
This means that the program is either attempting a dangerous operation that could lead to the compromise of your system, or someone is trying to break into your system and the ASL kernel is preventing the program from being used to do so. This can happen with malicious applications, with misconfigured applications such as PHP, and with applications that do things in a dangerous way. You can read more about this kernel protection capability in this article:
http://pax.grsecurity.net/docs/mprotect.txt
Solutions:
1) Most Secure
Report this to your vendor so that they fix the application and it no longer needs to open this hole in your system. Modern software shouldn't need to do this.
2) Secure
In some cases it may be possible to tell the application to not try to open this hole in your system. As root, run this command:
execstack -c /path/to/application_or_library
Example:
execstack -c /opt/cpanel/ea-php70/root/usr/bin/lsphp
If this does not work, your application may require that this hole be opened in the system. In that case, see Option 3 below.
Note: When your vendor updates the application, this change may be undone, and you may need to remove this insecure configuration again.
3) Very Insecure
Warning: Always confirm with your application vendor whether this is actually normal and necessary for your application before you make this change! Some vendors simply open these holes in your system because they do not know better. PHP, for example, does not need to open this hole in your system.
Note: Turning off this protection for your application will make it vulnerable to attacks which can result in the compromise of the application, and potentially access to your system. Modern applications should not need to open this hole in your system.
To allow an application to open this hole in your system, run this command as root:
paxctl -m /path/to/application_or_library
Example:
paxctl -m /opt/cpanel/ea-php70/root/usr/bin/lsphp
If you get this message when you run that command:
does not have a PT_PAX_FLAGS program header, try conversion
Please see the FAQ below:
Then run the command:
paxctl -m /path/to/application_or_library
You will need to do this FOR EACH PATH that is affected.
Note: See the article https://www.atomicorp.com/wiki/index.php/ASL_error_messages#Note_on_vulnerable_libraries for guidance on finding vulnerable libraries that attempt to open this hole in your system.
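An added example, not part of the original article or of ASL: a small Python script that lists every path PaX terminated, with the mapping it tried to execute from and the UIDs involved, so you can see which paths the options above apply to. The log text is a constructed sample modelled on the excerpt above; /usr/bin/exampled and /usr/lib64/libexample.so are made-up names, and pairing each "execution attempt" line with the next "terminating task" line assumes the kernel lines are not interleaved.

```python
import re

# Constructed sample log; hostname, PIDs and the "example" paths are placeholders.
SAMPLE_LOG = """\
Jan 1 12:00:54 hostname kernel: PAX: execution attempt in: <anonymous mapping>, 353513ab000-35351426000 353513ab000
Jan 1 12:00:54 hostname kernel: PAX: terminating task: /opt/cpanel/ea-php70/root/usr/bin/lsphp(lsphp):11605, uid/euid: 1001/1001, PC: 00000353513ab010, SP: 000003c83294db38
Jan 1 12:00:54 hostname kernel: PAX: bytes at PC: 41 54 41 55
Jan 1 12:03:10 hostname kernel: PAX: execution attempt in: <anonymous mapping>, 353513ab000-35351426000 353513ab000
Jan 1 12:03:10 hostname kernel: PAX: terminating task: /opt/cpanel/ea-php70/root/usr/bin/lsphp(lsphp):11733, uid/euid: 1002/1002, PC: 00000353513ab010, SP: 000003c83294db38
Jan 1 12:05:02 hostname kernel: PAX: execution attempt in: /usr/lib64/libexample.so, 7f0000000000-7f0000021000 00000000
Jan 1 12:05:02 hostname kernel: PAX: terminating task: /usr/bin/exampled(exampled):2201, uid/euid: 0/0, PC: 00007f0000000010, SP: 00007ffc00000000
"""

# Where execution was attempted: a file path or "<anonymous mapping>".
ATTEMPT = re.compile(r"PAX: execution attempt in: (.+?), [0-9a-f]+-[0-9a-f]+ ")
# The task that was killed: path(comm):pid, uid/euid: uid/euid
TERMINATE = re.compile(r"PAX: terminating task: (\S+)\(([^)]*)\):(\d+), uid/euid: (\d+)/(\d+)")


def summarize(log_text):
    """Return {binary_path: {"kills": int, "mappings": set, "uids": set}}."""
    summary = {}
    pending = None  # mapping named by the most recent "execution attempt" line
    for line in log_text.splitlines():
        m = ATTEMPT.search(line)
        if m:
            pending = m.group(1)
            continue
        m = TERMINATE.search(line)
        if not m:
            continue  # grsec, "bytes at PC" and unrelated lines are ignored
        path, uid = m.group(1), int(m.group(4))
        entry = summary.setdefault(path, {"kills": 0, "mappings": set(), "uids": set()})
        entry["kills"] += 1
        entry["uids"].add(uid)
        # A terminate line with no preceding attempt line is still counted.
        entry["mappings"].add(pending or "unknown")
        pending = None
    return summary


if __name__ == "__main__":
    for path, info in sorted(summarize(SAMPLE_LOG).items()):
        print(path, info["kills"], sorted(info["mappings"]), sorted(info["uids"]))
```

A mapping that names a library rather than <anonymous mapping> points at the file to raise with the vendor, and the UID list shows which accounts triggered the kills.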