Posts Tagged ‘generation’

How much memory users uses in GNU / Linux and FreeBSD – Commands and Scripts to find user memory usage on Linux

Tuesday, February 17th, 2015




If you have to administrate a heterogenous network with Linux and FreeBSD or other UNIX like OSes you should sooner or later need for scripting purposes to have a way to list how much memory separate users take up on your system. Listing memory usage per user is very helpful for admins who manager free-shells or for companies where you have developers, developing software directly on the server via ssh. Being able to check which process eats up most memory is essential for every UNIX / Linux sysadmin, because often we as admins setup (daemons) on servers and we forgot about their existence, just to remember they exist 2 years later and see the server is crashing because of memory exhaustion. Tracking server bottlenecks where RAM memory and Swapping is the bottleneck is among the main swiss amry knives of admins. Checking which user occupies all server memory is among the routine tasks we're forced to do as admins, but because nowdays servers have a lot of memory and we put on servers often much more memory than ever will be used many admins forget to routinely track users / daemons memory consumption or even many probably doesn't know how.  Probably all are aware of the easiest wy to get list of all users memory in console non interactively with free command, e.g.:

free -m
             total       used       free     shared    buffers     cached
Mem:         32236      26226       6010          0        983       8430
-/+ buffers/cache:      16812      15424
Swap:        62959        234      62725


but unfortunately free command only shows overall situation with memory and doesn't divide memory usage by user

Thus probably to track memory users the only known way for most pepole is to (interactively) use good old top command or if you like modern (colorful) visualization with htop:

debian:~# top



Once top runs interactive press 'm' to get ordered list of processes which occupy most system memory on Linux server.Top process use status statistics will refresh by default every '3.0' seconds to change that behavior to '1' second press  s and type '1.0'. To get Sort by Memory Use in htop also press 'm'

[root@mail-server ~]# htop



However if you need to be involved in scripting and setting as a cron job tasks to be performed in case if high memroy consumption by a service you will need to use few lines of code. Below are few examples on how Linux user memory usage can be shown with ps cmd.

Probably the most universal way to see memory usage by users on Debian / Ubuntu / CentOS / RHEL and BSDs (FreeBSD / NetBSD) is with below one liner:


server:~# ps hax -o rss,user | awk '{a[$2]+=$1;}END{for(i in a)print i” “int(a[i]/1024+0.5);}' | sort -rnk2
daemon 0
debian-tor 63
dnscache 1
dnslog 0
hipo 21
messagebus 1
mysql 268
ntp 2
privoxy 1
proftpd 1
qmaill 0
qmailq 0
qmailr 0
qmails 0
qscand 291
root 94
shellinabox 1
snmp 1
statd 1
vpopmail 80
www-data 6765


Output is in MBs

Below is output from machine where this blog is running, the system runs ( Apache + PHP + MySQL Webserver + Qmail Mail server and Tor) on Debian GNU / Linux.

 To get more human readable (but obscure to type – useful for scripting) output list of which user takes how much memory use on deb / rpm etc. based Linux :


server:~# echo "USER                 RSS      PROCS" ; echo "——————– ——– —–" ; \
ps hax -o rss,user | awk '{rss[$2]+=$1;procs[$2]+=1;}END{for(user in rss) printf “%-20s %8.0f %5.0f\n”, user, rss[user]/1024, procs[user];}' | sort -rnk2


USER                 RSS      PROCS
——————– ——– —–
www-data                 6918   100
qscand                    291     2
mysql                     273     1
root                       95   120
vpopmail                   81     4
debian-tor                 63     1
hipo                       21    15
ntp                         2     1
statd                       1     1
snmp                        1     1
shellinabox                 1     2
proftpd                     1     1
privoxy                     1     1
messagebus                  1     1
dnscache                    1     1
qmails                      0     2
qmailr                      0     1
qmailq                      0     2
qmaill                      0     4
dnslog                      0     1
daemon                      0     2


It is possible to get the list of memory usage listed in percentage proportion, with a tiny for bash loop and some awk + process list command

TOTAL=$(free | awk '/Mem:/ { print $2 }')
for USER in $(ps haux | awk '{print $1}' | sort -u)
    ps hux -U $USER | awk -v user=$USER -v total=$TOTAL '{ sum += $6 } END { printf "%s %.2f\n", user, sum / total * 100; }'

107 1.34
115 2.10
119 1.34
daemon 1.32
dnscache 1.34
dnslog 1.32
hipo 1.59
mysql 4.79
ntp 1.34
privoxy 1.33
proftpd 1.32
qmaill 1.33
qmailq 1.33
qmailr 1.32
qmails 1.33
qscand 4.98
root 1.33
snmp 1.33
statd 1.33
vpopmail 2.35
www-data 86.48

Also a raw script which can be easily extended to give you some custom information on memory use by user is here.
You can also want to debug further how much memory a certain users (lets say user mysql and my username hipo) is allocating, this can easily be achieved ps like so:

root@pcfreak:~# ps -o size,pid,user,command -u mysql –sort -size
796924 14857 mysql   /usr/sbin/mysqld –basedir=/usr –datadir=/var/lib/mysql –plugin-dir=/usr/lib/mysql/plugin –user=mysql –pid-file=/var/run/mysqld/ –socket=/var/run/mysqld/mysqld.sock –port=3306


root@pcfreak~# ps -o size,pid,user,command -u hipo –sort -size|less
13408 19063 hipo     irssi
 3168 19020 hipo     SCREEN
 2940  2490 hipo     -bash
 1844 19021 hipo     /bin/bash
 1844 19028 hipo     /bin/bash
 1844 19035 hipo     /bin/bash
 1844 19042 hipo     /bin/bash
 1844 19491 hipo     /bin/bash
 1844 22952 hipo     /bin/bash
  744  2487 hipo     sshd: hipo@pts/0
  744  2516 hipo     sshd: hipo@notty
  524  2519 hipo     screen -r
  412  2518 hipo     /usr/lib/openssh/sftp-server

You see from below output user running with www-data (this is Apache Webserver user in Debian) is eating 86.48% of overall system memory and MySQL server user is using only 4.79% of available memory

Output is shown in Megabytes per username memory usage, and user memory usage is ordered (stepping-down / descentive) from top to bottom

Getting more thoroughful and easier to read reporting without beeing a 31337 bash coder you can install and use on Linux smem – memory reporting tool .

SMEM can provide you with following memory info:

  • system overview listing
  • listings by process, mapping, user
  • filtering by process, mapping, or user
  • configurable columns from multiple data sources
  • configurable output units and percentages
  • configurable headers and totals
  • reading live data from /proc
  • reading data snapshots from directory mirrors or compressed tarballs
  • lightweight capture tool for embedded systems
  • built-in chart generation

Installing smem on Debian 6 / 7 / Ubuntu 14.04 / Turnkey Linux etc. servers is done with standard:


debian:~# apt-get install –yes smem



To install smem on CentOS 6 / 7:


[root@centos ~ ]# yum -y install smem

On Slackware and other Linux-es where smem is not available as a package you can install it easily from binary archive with:


cd /tmp/
tar xvf smem-1.3.tar.gz
sudo cp /tmp/smem-1.3/smem /usr/local/bin/
sudo chmod +x /usr/local/bin/smem


Two most common smem uses are:


root@mail:~# smem -u
User     Count     Swap      USS      PSS      RSS
dnslog       1       44       48       54      148
qmaill       4      232      124      145      464
hipo        11    13552     8596     9171    13160
qscand       2     4500   295336   295602   297508
root       188   217312  4521080  4568699  7712776


Below command shows (-u – Report memory usage by user, -t – show totals, -k – show unix suffixes)

root@mail:~# smem -u -t -k
User     Count     Swap      USS      PSS      RSS
dnslog       1    44.0K    48.0K    54.0K   148.0K
qmaill       4   232.0K   124.0K   145.0K   464.0K
hipo        11    13.2M     8.4M     9.0M    12.9M
qscand       2     4.4M   288.4M   288.7M   290.5M
root       188   212.2M     4.3G     4.4G     7.4G
           206   230.1M     4.6G     4.6G     7.7G

To get users memory use by percentage with smem:

root@mail:~# smem -u -p
User     Count     Swap      USS      PSS      RSS
dnslog       1    0.00%    0.00%    0.00%    0.00%
qmaill       4    0.00%    0.00%    0.00%    0.01%
hipo        11    0.17%    0.11%    0.11%    0.16%
qscand       2    0.05%    3.63%    3.63%    3.66%
root       194    2.64%   56.18%   56.77%   95.56%

It is also useful sometimes when you want to debug system overloads caused by external hardware drivers loaded into kernel causing issues to get list of system wide memory use sorted by user


 root@mail:~# smem -w -p
Area                           Used      Cache   Noncache
firmware/hardware             0.00%      0.00%      0.00%
kernel image                  0.00%      0.00%      0.00%
kernel dynamic memory        38.30%     36.01%      2.28%
userspace memory             60.50%      0.98%     59.53%
free memory                   1.20%      1.20%      0.00%

smem is very nice as if you're running it on a Desktop Linux system with Xserver installed you can see also graphical output of memory use by application:

root@desktop-pc:~# smem –bar pid -c "pss uss"


smem can even generate graphical pie charts to visualize better memory use

root@desktop-pc:~# smem -P '^k' –pie=name



If there is a high percentage shown in firmware/hardware this means some buggy module is loaded in kernel eating up memory, to fix it debug further and remove the problematic module.
userspace memory actually shows the percantage of memory out of all server available RAM that is being consumed by applications (non kernel and other system processes which make the system move). You see in above example the kernel itself is consuming about 40% of system overall available memory. 

We all know the SWAP field stands for hard disk drive used as a memory when system is out, but there are 3 fields which smem will report which will be probably unclear for most here is also explanation on what USS / PSS / RSS means?

RSS is the Resident Set Size and is used to show how much memory is allocated to that process and is in RAM. It does not include memory that is swapped out. It does include memory from shared libraries as long as the pages from those libraries are actually in memory. It does include all stack and heap memory too.

There is also PSS (proportional set size). This is a newer measure which tracks the shared memory as a proportion used by the current process. So if there were two processes using the same shared library from before.

USS stands for Unique set size, USS is just the unshared page count, i.e. memory returned when process is killed 

PSS = Proportional set size, (PSS),  is a more meaningful representation of the amount of memory used by libraries and applications in a virtual memory system.  
Because large portions of physical memory are typically shared among multiple applications, the standard measure of memory usage known as resident set size (RSS) will significantly overestimate memory usage. The parameter PSS instead measures each application’s “fair share” of each shared area to give a realistic measure. For most admins checking out the output from RSS (output) should be enough, it will indicate which user and therefore which daemon is eating up all your memory and will help you to catch problematic services which are cause your server to run out of RAM and start swapping to disk.

The brief story of information according to James Gleich – and how we possibly come to be at where we are

Saturday, June 23rd, 2012

We're living at a times, where information has become more valuable than money and gold. Though we're living in a such a wild changing times, still it is not easy to answer in onefold clear way what is information.
The more the world and humanity developed the more meanings information word accepted.
While checking some interesting videos on the net, I've come across a video representing in a very brief form the history of information.

The Story of Information and how we come to be at where we are now

We're living at a times, where information has become more valuable than money and gold. Lest that living in a such a wild changing times, still it is not easy to answer in onefold clear way what is information.
As you can see from the video, the more the world and humanity developed the more meanings information word took up.

At the end end of the short presentational video there are few questions asked:

  • Who coined the term MEME
  • How many zeros are in yottabyte?
  • What is a one thing that can escape a black hole?

I did a quick research on the newly heard words and came to know meme concept. A meme is an "an idea, behavior or style that spreads from person to person within a culture.". The theory lists some interesting information like replication of personality (propagation) from one person to another etc. etc. However the general content of meme's theory puts Christian faith, religions and all kind of people beliefs in the graph of being just a continuous meme's patterns which are transferred from a person to person (generation to generation). Therefore according to memetics (as the meme's science is called), Christian faith and even my Orthodox Christian faith is just an informtion transmitted similarly to genetics information and the laws against:; sexual morality, bestiality, adultery, castration etc. are just a taboo and makes not sense and is just they claim is a information transferred from family generation to next generation until today.

Obviously the whole "theory" of memetics as a science is not true and is just a world view of Mr. Richard Dawkins in a book called The Selfish Gene (1976). It is well to be said Dawkins a follower of the fairy tales of Charle's Darwin's Darwinism.
Modern science however is seriously questioning Darwin's materialist world view. There are plenty of scientific researches which has prooved the existence of spiritual realm and hence some of the claims memetics are standing on a shaky grounds.

Concerning the second question in the video how many zeros are in an yottabyte the answer according to is:

2^80 = 1,208,925,819,614,629,174,706,176 bytes = 1024 zettabytes.

So having in mind the yottabyte equals 1,208,925,819,614,629,174,706,176 bytes if in bytes it would have 2 zeros 🙂

But if by zero is meant the number of values which could become zeroes then the answer would be 24 zeroes. This of course is in bytes in zettabytes the zeroes are only 0 or 3 i.e. (1024 zettabytes) 🙂

Moving back to the 3rd video question What is a one thing that can escape a black hole?. The answer is "WHO KNOWS ??".
The BlackHoles are a matter of science based on a huge theory base, there are plenty of discussions by some scientists still doubting if black holes really exist ,,, even if we assume blackholes exist noone can tell if the blackhole would suck up all matter (including light) or some specific kind of still un-researched matter or energy can get out… In short the question imposed is completely ridiculously funny 😉

GPL Arcade Volleyball – DOS Volleyball oldschool game remake for GNU / Linux

Wednesday, December 21st, 2011

Do you remember that oldschool Arcade VolleyBall game which was so popular on 16 bit (8086 XT) computers.
I remember this game from the years I was 12 years old, back in the days where we the gamers distributed all the DOS games on 360 KB 5.25" diskettes

I was looking over the games available to install on my Debian GNU / Linux today just to be happily suprised to find GPL Arcade Volleyball an identical game remake of the old Arcade Volleyball 8086 classic freeware game.

I remember we spend many hours with friends playing on the old Manifactured in Bulgaria Pravetz 16! computers
During communism and post communism Pravetz was the only computer brand we could buy from the market, as there was limitations on the exported and imported tech equipment within the USSR union.
Pravetz computers are a literal remake of 16 bit IBM 8086 computers and the computer design and integrals was stolen from IBM 16 bit 8086 / 8088 PC architecture

Arcade Volleyball has set a mark on my generation and I believe many people will remember the times this game was a hit with a bit of Nostalgia 😉
In the Game GPL Arcade Volleyball Debian GNU / Linux

Besides being an identical remake of PC Arcade Volleyball , GPL Arcade Volleyball is even expanded as it includes extra features which the original game lacked. Game includes:

  • Network Volleyball client / server Game (up to 4 players)
  • 6 Game Themes which completely change the game look & feel to be modernistic

Here are few GAV screenshots of the different existing game Themes:

Screenshot GPL Arcade VolleyBall Yisus

GPL Arcade Volleyball Yisus theme gameplay GNU / Linux
Yisus GAV Theme gameplay screenshot

GPL Arcade Volleyball Unnamed Theme Screenshot

GPL Arcade Volleyball unnamed Gameplay Theme Debian
GAV – Unnamed Theme Gameplay

Screenshot GAV FABeach gameplay
GAV – FaBeach Theme Gameplay

GAV supports both Window and fullscreen modes. To enable Fullscreen mode, while inside the game use:

Extra -> Fullscreen (Yes)

Saving preferences is also something which I if I recall correctly the original game lacked. This is done by navigating to:

Extra -> Save Preferences

GAV is said to support Joystick in resemblance to the original DOS game, though I've never tested it with a joy.

One of the greatest GAV game (hacks) is the Inverted Theme. Selecting it inverts the order in the game, where the game player becomes the volleyball ball and the ball becomes the player 😉

GPL Arcade Volleyball Arcade Inverted Theme - remake of DOS Volleyball Arcade
GAV does not yet not have a Free / Open / Net BSD port as far as I currently see, anyways since the game is Free Software probably soon a port will be available for BSDs as well.
The default GAV game controls are a bit untraditional. By default the one player game starts you play Volleyball game player positioned on the left.

For left player the default control keys are:

  • z – move player left
  • c – move player right
  • left shift – jump

Right player controls are:

  • Left – left (arrow key)
  • right – right (arrow key)
  • jump – up cursor key

GAV supports also a shortcut key for switching between windowed and full screen game mode by pressing F10
Installing the game on Debian and Ubuntu Linuces is done with:

linux:~# apt-get --yes install gav

Unfortunately gav does not have a definition to be added to GNOME or KDE Applications menus, thus to start the game after installed one has to do it manually by typing either in gnome RUN (Alt+F2) or on command line:

linux:~$ gav

Happy playing 😉

List and get rid of obsolete program core dump files and completely disable core files on FreeBSD

Tuesday, November 1st, 2011

My FreeBSD router has started running out of space, I looked for ways to clean up some space. So I remembered some programs are generating core files while they crash. Some of these files are really huge and ban be from 1Mb to > 1G.

I used find to first list all my produced core files starting from root directory (/) , like so:

find / -name core -exec du -hsc {} ;

Having a list of my core files with the respective core file size and after reviewing, I deleted one by one the cores which were there just taking up space.
It’s a wise idea that core dumps file generation on program crash is completely disabled, however I forgot to disable cores, so I had plenty of the cores – (crash files which are handy for debug purposes and fixing the bug that caused the crash).

Further on I used an /etc/rc.confdumpdev=NO , variable which instructs the kernel to not generate core files on program crash:

freebsd# echo 'dumpdev=NO' >> /etc/rc.conf

Next, to make dumpdev=NO , take affect I rebooted the server:

freebsd# shutdown -r now

There is a way to instruct every server running daemon to know about the newly set dumpdev=NO by restarting each of the services with their init scripts individually, but I was too lazy to do that.

How to convert any internet Webpage to PDF from command line on GNU/Linux

Friday, September 30th, 2011

Linux webpage html to pdf command line convertor wkhtmltopdf

If you're looking for a command line utility to generate PDF file out of any webpage located online you are looking for Wkhtmltopdf
The conversion of webpages to PDF by the tool is done using Apple's Webkit open source render.
wkhtmltopdf is something very useful for web developers, as some webpages has a requirement to produce dynamically pdfs from a remote website locations.
wkhtmltopdf is shipped with Debian Squeeze 6 and latest Ubuntu Linux versions and still not entered in Fedora and CentOS repositories.

To use wkhtmltopdf on Debian / Ubuntu distros install it via apt;

linux:~# apt-get install wkhtmltodpf

Next to convert a webpage of choice use cmd:

linux:~$ wkhtmltopdf pc-freak.net_website.pdf
Loading page (1/2)
Printing pages (2/2)

If the web page to be snapshotted in long few pages a few pages PDF will be generated by wkhtmltopdf
wkhtmltopdf also supports to create the website snapshot with a specified orientation Landscape / Portrait

-O Portrait options to it, like so:

linux:~$ wkhtmltopdf -O Portrait pc-freak.net_website.pdf

wkhtmltopdf has many useful options, here are some of them:

  • Javascript disabling – Disable support for javascript for a website
  • Grayscale pdf generation – Generates PDf in Grayscale
  • Low quality pdf generation – Useful to shrink the output size of generated pdf size
  • Set PDF page size – (A4, Letter etc.)
  • Add zoom to the generated pdf content
  • Support for password HTTP authentication
  • Support to use the tool over a proxy
  • Generation of Table of Content based on titles (only in static version)
  • Adding of Header and Footers (only in static version)

To generate an A4 page with wkhtmltopdf:

wkhtmltopdf -s A4 pc-freak.net_blog.pdf

wkhtmltopdf looks promising but seems a bit buggy still, here is what happened when I tried to create a pdf without setting an A4 page formatting:

linux:$ wkhtmltopdf pc-freak.net_blog.pdf
Loading page (1/2)
OpenOffice path before fixup is '/usr/lib/openoffice' ] 71%
OpenOffice path is '/usr/lib/openoffice'
OpenOffice path before fixup is '/usr/lib/openoffice'
OpenOffice path is '/usr/lib/openoffice'
** (:12057): DEBUG: NP_Initialize
** (:12057): DEBUG: NP_Initialize succeeded
** (:12057): DEBUG: NP_Initialize
** (:12057): DEBUG: NP_Initialize succeeded
** (:12057): DEBUG: NP_Initialize
** (:12057): DEBUG: NP_Initialize succeeded
** (:12057): DEBUG: NP_Initialize
** (:12057): DEBUG: NP_Initialize succeeded
Printing pages (2/2)
Printing pages (2/2)
Segmentation fault

Debian and Ubuntu version of wkhtmltopdf does not support TOC generation and Adding headers and footers, to support it one has to download and install the static version of wkhtmltopdf
Using the static version of the tool is also the only option for anyone on Fedora or any other RPM based Linux distro.

How to fix “Could not verify this certificate for unknown reasons” SSL certificate lighttpd troubles

Tuesday, June 28th, 2011

Firefox SSL Pro could not verify for uknown reasons solve error

I’ve been issuing new wildcard multiple SSL certificate to renew an expiring ones. After I completed the new certificate setup manually on the server (a CentOS 5.5 Final running SoluSVM Pro – Virtual Private Manager), I launched Firefox to give a try if the certificate is properly configured.

Instead of my expectations that the browser would just accept the certificate without spitting any error messages and all will be fine, insetad I got error with the just installed certificate and thus the browser failed to report the SSL cert is properly authenticated.

The company used to issue the SSL certificate is GlobeSSL – , it was quite “hassle”, with the tech support as the first certficate generated by globessl was generation based on SSL key file with 4096 key encryption.

As the first issued Authenticated certificate generated by GlobeSSL was not good further on about a week time was necessery to completethe required certificate reissuing ….

It wasn’t just GlobeSSL’s failure, as there were some spam filters on my side that was preventing some of GlobeSSL emails to enter normally, however what was partially their fault as they haven’t made their notification and confirmation emails to pass by a mid-level strong anti-spam filter…

Anyways my overall experience with GlobeSSL certificate reissue and especially their technical support is terrible.
To make a parallel, issuing certificates with GoDaddy is a way more easier and straight forward.

Now let me come back to the main certificate error I got in Firefox …

A bit of further investigation with the cert failure, has led me to the error message which tracked back to the newly installed SSL certificate issues.
In order to find the exact cause of the SSL certificate failure in Firefox I followed to the menus:

Tools -> Page Info -> Security -> View Certificate

Doing so in the General browser tab, there was the following error:

Could not verify this certificate for unknown reasons

The information on Could not verify this certificate for unknown reasons on the internet was very mixed and many people online suggested many possible causes of the issue, so I was about to loose myself.

Everything with the certificate seemed to be configured just fine in lighttpd, all the GlobeSSL issued .cer and .key file as well as the ca bundle were configured to be read used in lighttpd in it’s configuration file:

Here is a section taken from lighttpd.conf file which did the SSL certificate cert and key file configuration:

$SERVER["socket"] == "" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/wildcard.mydomain.bundle"

The file /etc/lighttpd/ssl/wildcard.mydomain.bundle was containing the content of both the .key (generated on my server with openssl) and the .cer file (issued by GlobeSSL) as well as the CA bundle (by GlobeSSL).

Even though all seemed to be configured well the SSL error Could not verify this certificate for unknown reasons was still present in the browser.

GlobeSSL tech support suggested that I try their Web key matcher interface to verify that everything is fine with my certificate and the cert key. Thanks to this interface I figured out all seemed to be fine with the issued certificate itself and something else should be causing the SSL oddities.
I was further referred by GlobeSSL tech support for another web interface to debug errors with newly installed SSL certificates.
These interface is called Verify and Validate Installed SSL Certificate and is found here

Even though this SSL domain installation error report and debug tool did some helpful suggestions, it wasn’t it that helped me solve the issues.

What helped was First the suggestion made by one of the many tech support guy in GlobeSSL who suggested something is wrong with the CA Bundle and on a first place the documentation on SolusVM’s wiki – .
Cccording to SolusVM’s documentation lighttpd.conf‘s file had to have one extra line pointing to a seperate file containing the issued CA bundle (which is a combined version of the issued SSL authority company SSL key and certificate).
The line I was missing in lighttpd.conf (described in dox), looked like so: = “/usr/local/solusvm/ssl/gd_bundle.crt”

Thus to include the directive I changed my previous lighttpd.conf to look like so:

$SERVER["socket"] == "" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/wildcard.mydomain.bundle" = "/etc/lighttpd/ssl/server.bundle.crt"

Where server.bundle.crt contains an exact paste from the certificate (CA Bundle) mailed by GlobeSSL.

There was a couple of other ports on which an SSL was configured so I had to include these configuration directive everywhere in my conf I had anything related to SSL.

Finally to make the new settings take place I did a lighttpd server restart.

[root@centos ssl]# /etc/init.d/lighttpd restart
Stopping lighttpd: [ OK ]
Starting lighttpd: [ OK ]

After lighttpd reinitiated the error was gone! Cheers ! 😉

Install grsecurity kernel security from binary package (without kernel recompile) on Debian and Ubuntu

Monday, July 26th, 2010

GRsecurity is since long time known that it is a next generation armouring agains 0 day local kernel exploits as well as variousof other cracker attacks.
Grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is licensed under the GNU GPL.
GRSecurity is linux kernel patch which has to be applied to the kernel before compile time. However we’ve been lucky and somebody has taken the time and care to prepare linux image binary deb packages for Debian and Ubuntu .

Some of the key grsecurity features are :

  • An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
  • Change root (chroot) hardening
  • /tmp race prevention
  • Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)
  • Prevention of arbitrary code execution in the kernel
  • Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
  • A restriction that allows a user to only view his/her processes
  • Security alerts and audits that contain the IP address of the person causing the alert

To install from the grsecurity patched kernel image repository use the following steps:

1. Include in your /etc/apt/sources.list

deb kernel-security/
deb kernel-security/

Directly from the bash command line execute:

debian:~# echo "deb kernel-security/" >> /etc/apt/sources.list
debian:~# echo "deb kernel-security/" >> /etc/apt/sources.list

2. Add the repository gpg key to the trusted repositories key ring

Download the repository’s gpg key , check it (it has been signed with the repository owner GPG key )

Thence from to include the gpg key to the trusted repos key issue:

debian:~# apt-key add kernel-security.asc

3. Install the linux-image-grsec package itself

Currently to install on my x86_amd64 Debian Squeeze/Sid and possibly on Debian Lenny I’ve issued:

debian:~# apt-get update
debian:~# apt-get install linux-image-

Now simply restarting your system and choosing the Linux kernel patched with the GRsecurity kernel patch from Grub should enable you to start using the grsecurity patched kernel.
Though this tutorial is targetting Debian it’s very likely that the grsecurity hardened kernel installation on Debian will be analogous.