Gentoo Archives: gentoo-security

From: Marc Ballarin <Ballarin.Marc@×××.de>
To: gentoo-security@l.g.o
Cc: cgysin@×××.ch
Subject: Re: [gentoo-security] grsec Resource logging
Date: Sun, 14 Aug 2005 11:58:27
Message-Id: 20050814135026.49cb1075.Ballarin.Marc@gmx.de
In Reply to: [gentoo-security] grsec Resource logging by Christoph Gysin
On Sun, 14 Aug 2005 12:53:28 +0200
Christoph Gysin <cgysin@×××.ch> wrote:

> I'm playing around with grsecurity. Now I get lots of messages like this:
>
> grsec: denied resource overstep by requesting 7499776 for RLIMIT_MEMLOCK against limit 32768 for
> /usr/sbin/ntpd[ntpd:8525] uid/euid:123/123 gid/egid:123/123, parent /sbin/init[init:1] uid/euid:0/0
> gid/egid:0/0
>
> As far as I understand, ntpd is trying to allocate more memory than it is allowed due to resource
> limits. The limit seems to be 32M while ntpd tries to allocate 7G (!) of RAM?

It's trying to *lock* memory, i.e. make it non-swappable. By default,
Linux allows a process (root-owned) to lock up to 32kB of memory (those
32768 bytes above).

(Since Linux 2.6.9 even regular users can lock up to 32kB of memory. This
allows gpg to run securely without root privileges.)

The question is, why ntpd is trying to raise that limit to >7MB, and if
that is really necessary (see ntpd/ntpd.c).

>
> What is wrong here?

You probably need to configure some rules to allow ntpd to change those
limits. I don't know how this is done, though.

Regards
--
gentoo-security@g.o mailing list
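The mechanism the reply describes (a process asking to lock more memory than its soft RLIMIT_MEMLOCK allows, and raising the soft limit only as far as the hard limit permits) can be reproduced on a stock Linux kernel with the small C program below. It is an added example written for this archive page, not code from the thread, from ntpd or from grsecurity. It assumes a Linux host with procfs (CAP_IPC_LOCK is read from /proc/self/status) and reuses the numbers from the logged message, 7499776 bytes requested against a 32768-byte limit, as its constructed input; the helper names (memlock_soft_limit, try_mlock, raise_memlock_soft_limit and so on) are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* Soft or hard RLIMIT_MEMLOCK in bytes: -1 stands for RLIM_INFINITY, -2 for a
 * failed getrlimit(). */
static long long memlock_limit(int hard)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0)
        return -2;
    rlim_t v = hard ? rl.rlim_max : rl.rlim_cur;
    return v == RLIM_INFINITY ? -1 : (long long)v;
}
long long memlock_soft_limit(void) { return memlock_limit(0); }
long long memlock_hard_limit(void) { return memlock_limit(1); }

long page_size(void) { return sysconf(_SC_PAGESIZE); }

/* 1 if the effective capability set holds CAP_IPC_LOCK (bit 14), 0 if not, -1 if
 * /proc/self/status cannot be read (assumption: Linux procfs). A process with this
 * capability is exempt from RLIMIT_MEMLOCK, which is why plain root rarely hits it. */
int has_cap_ipc_lock(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    char line[256];
    int rc = -1;
    while (fgets(line, sizeof line, f) != NULL) {
        unsigned long long caps;
        if (sscanf(line, "CapEff: %llx", &caps) == 1) {
            rc = (int)((caps >> 14) & 1ULL);
            break;
        }
    }
    fclose(f);
    return rc;
}

/* Map `bytes` of anonymous memory and try to pin it with mlock(), the same request a
 * daemon makes via mlock()/mlockall(). Returns 0 on success, otherwise the errno:
 * ENOMEM when the request oversteps the soft limit, EPERM when the limit is 0 and the
 * caller lacks CAP_IPC_LOCK. The mapping is released again before returning. */
int try_mlock(size_t bytes)
{
    void *p = mmap(NULL, bytes, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    int rc = 0;
    if (mlock(p, bytes) != 0)
        rc = errno;
    else
        munlock(p, bytes);
    munmap(p, bytes);
    return rc;
}

/* Raise the soft limit to `bytes`, capped at the hard limit. That is all an
 * unprivileged process may do on its own; moving the hard limit itself needs
 * CAP_SYS_RESOURCE. Returns 0 or the errno from setrlimit(). */
int raise_memlock_soft_limit(rlim_t bytes)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0)
        return errno;
    if (rl.rlim_max != RLIM_INFINITY && bytes > rl.rlim_max)
        bytes = rl.rlim_max;
    rl.rlim_cur = bytes;
    return setrlimit(RLIMIT_MEMLOCK, &rl) == 0 ? 0 : errno;
}

int main(void)
{
    long long soft = memlock_soft_limit(), hard = memlock_hard_limit();
    printf("RLIMIT_MEMLOCK soft=%lld hard=%lld (-1 = unlimited), CAP_IPC_LOCK=%d\n",
           soft, hard, has_cap_ipc_lock());

    /* Constructed input: the request from the logged message. */
    size_t want = 7499776;
    int rc = try_mlock(want);
    printf("mlock(%zu bytes): %s\n", want, rc == 0 ? "ok" : strerror(rc));

    /* Retry after raising the soft limit as far as the hard limit allows. */
    if (rc != 0 && raise_memlock_soft_limit((rlim_t)want) == 0) {
        rc = try_mlock(want);
        printf("after setrlimit (soft=%lld): %s\n", memlock_soft_limit(),
               rc == 0 ? "ok" : strerror(rc));
    }
    return 0;
}
```

Run it once as an unprivileged user with the default limit (ulimit -l shows it in kB) and once with a higher hard limit set by the parent shell (ulimit -Hl). In the first case the 7499776-byte request fails with ENOMEM, the userland view of the "resource overstep" grsecurity logs; in the second it succeeds only after the program raises its own soft limit, which is the step the reply suspects ntpd of taking in ntpd/ntpd.c.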