List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Marc Ballarin <Ballarin.Marc@...>
Subject: Re: grsec Resource logging
Date: Sun, 14 Aug 2005 13:50:26 +0200
On Sun, 14 Aug 2005 12:53:28 +0200
Christoph Gysin <cgysin@...> wrote:

> I'm playing around with grsecurity. Now I get lots of messages like this:
> 
> grsec: denied resource overstep by requesting 7499776 for RLIMIT_MEMLOCK against limit 32768 for 
> /usr/sbin/ntpd[ntpd:8525] uid/euid:123/123 gid/egid:123/123, parent /sbin/init[init:1] uid/euid:0/0 
> gid/egid:0/0
> 
> As far as I understand, ntpd is trying to allocate more memory than it is allowed due to resource 
> limits. The limit seems to be 32M while ntpd tries to allocate 7G (!) of RAM?

It's trying to *lock* memory, i.e. make it non-swappable. By default,
Linux allows a process (root-owned) to lock up to 32kB of memory (those
32768 Bytes above).

(Since Linux 2.6.9 even regular users can lock up to 32kB of memory. This
allows gpg to run securely without root privileges.)

The question is, why ntpd is trying to raise that limit to >7MB, and if
that is really necessary (see ntpd/ntpd.c).

> 
> What is wrong here?

You probably need to configure some rules to allow ntpd to change those
limits. I don't know how this is done, though.

Regards
-- 
gentoo-security@g.o mailing list
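
Added example (not part of the original message and not grsecurity code): a small Python parser for the "denied resource overstep" line quoted above, grouping denials by binary and resource and rendering byte-valued limits in binary units. The field layout is assumed from that single quoted line; the second and third sample lines are constructed.

```python
import re

# Layout assumed from the log line quoted in this thread (a single line in the real log).
OVERSTEP = re.compile(
    r"grsec: denied resource overstep by requesting (?P<requested>\d+) "
    r"for (?P<resource>RLIMIT_\w+) against limit (?P<limit>\d+) "
    r"for (?P<path>[^\s\[]+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+)"
)
# rlimits expressed in bytes; others (e.g. RLIMIT_NOFILE) are plain counts.
BYTE_LIMITS = {"RLIMIT_MEMLOCK", "RLIMIT_AS", "RLIMIT_DATA",
               "RLIMIT_STACK", "RLIMIT_FSIZE", "RLIMIT_CORE"}

def human(n):
    """Render a byte count in binary units, e.g. 32768 -> '32.00 KiB'."""
    units = ["B", "KiB", "MiB", "GiB"]
    value, i = float(n), 0
    while value >= 1024 and i < len(units) - 1:
        value /= 1024
        i += 1
    return f"{value:.2f} {units[i]}"

def summarize(lines):
    """Group denials by (binary, resource): count, largest request, limit, uids."""
    out = {}
    for line in lines:
        m = OVERSTEP.search(line)
        if not m:
            continue  # not a resource-overstep message
        entry = out.setdefault((m["path"], m["resource"]), {
            "count": 0, "max_requested": 0, "limit": int(m["limit"]), "uids": set()})
        entry["count"] += 1
        entry["max_requested"] = max(entry["max_requested"], int(m["requested"]))
        entry["uids"].add(int(m["uid"]))
    return out

def report(summary):
    rows = []
    for (path, res), e in sorted(summary.items()):
        fmt = human if res in BYTE_LIMITS else str
        rows.append(f"{path} {res}: {e['count']} denial(s), largest request "
                    f"{fmt(e['max_requested'])} against limit {fmt(e['limit'])}")
    return rows

TAIL = "uid/euid:123/123 gid/egid:123/123, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0"
SAMPLE = [  # first line is the quoted message joined; the other two are constructed
    f"grsec: denied resource overstep by requesting 7499776 for RLIMIT_MEMLOCK against limit 32768 for /usr/sbin/ntpd[ntpd:8525] {TAIL}",
    f"grsec: denied resource overstep by requesting 7503872 for RLIMIT_MEMLOCK against limit 32768 for /usr/sbin/ntpd[ntpd:8530] {TAIL}",
    "kernel: eth0: link up",
]
if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE))))
```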


References:
grsec Resource logging
-- Christoph Gysin


Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.
