On Sun, 14 Aug 2005 12:53:28 +0200
Christoph Gysin <cgysin@×××.ch> wrote:

> I'm playing around with grsecurity. Now I get lots of messages like this:
>
> grsec: denied resource overstep by requesting 7499776 for RLIMIT_MEMLOCK against limit 32768 for
> /usr/sbin/ntpd[ntpd:8525] uid/euid:123/123 gid/egid:123/123, parent /sbin/init[init:1] uid/euid:0/0
> gid/egid:0/0
>
> As far as I understand, ntpd is trying to allocate more memory than it is allowed due to resource
> limits. The limit seems to be 32M while ntpd tries to allocate 7G (!) of RAM?

It's trying to *lock* memory, i.e. make it non-swappable. By default,
Linux allows a process (root-owned) to lock up to 32kB of memory (those
32768 Bytes above).

(Since Linux 2.6.9 even regular users can lock up to 32kB of memory. This
allows gpg to run securely without root privileges.)

The question is, why ntpd is trying to raise that limit to >7MB, and if
that is really necessary (see ntpd/ntpd.c).

>
> What is wrong here?

You probably need to configure some rules to allow ntpd to change those
limits. I don't know how this is done, though.

Regards
--
gentoo-security@g.o mailing list
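
An added example, not part of the original message or of grsecurity: a small Python parser for the denial message quoted above, which groups repeated denials per binary and resource and prints byte-valued limits in readable units. The regular expression assumes the message format exactly as quoted in the thread; the second and third sample lines, including their syslog prefix, are constructed.

```python
import re
from collections import defaultdict

# Matches the grsecurity message format as quoted in the thread (assumed stable).
OVERSTEP = re.compile(
    r"grsec: denied resource overstep by requesting (?P<requested>\d+) "
    r"for (?P<resource>RLIMIT_\w+) against limit (?P<limit>\d+) "
    r"for (?P<path>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+)")
# rlimits measured in bytes; others (e.g. RLIMIT_NOFILE) are plain counts.
BYTE_LIMITS = {"RLIMIT_MEMLOCK", "RLIMIT_AS", "RLIMIT_DATA", "RLIMIT_STACK",
               "RLIMIT_FSIZE", "RLIMIT_CORE", "RLIMIT_RSS"}
# Line 1 is the message from the thread, re-joined; lines 2 and 3 are constructed.
SAMPLE_LOG = [
    "grsec: denied resource overstep by requesting 7499776 for RLIMIT_MEMLOCK against limit 32768 for /usr/sbin/ntpd[ntpd:8525] uid/euid:123/123 gid/egid:123/123, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "Aug 14 12:40:01 host kernel: grsec: denied resource overstep by requesting 7499776 for RLIMIT_MEMLOCK against limit 32768 for /usr/sbin/ntpd[ntpd:8530] uid/euid:123/123 gid/egid:123/123, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "Aug 14 12:41:10 host sshd[901]: Accepted publickey for admin",
]

def human(n):
    """Render a byte count with binary units (KiB = 1024 B)."""
    for unit in ("B", "KiB", "MiB", "GiB"):
        if n < 1024 or unit == "GiB":
            return f"{n} B" if unit == "B" else f"{n:.2f} {unit}"
        n /= 1024

def parse_line(line):
    """Return the denial's fields as a dict, or None for unrelated lines."""
    m = OVERSTEP.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("requested", "limit", "pid", "uid", "euid"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Group denials by (binary, resource): count, largest request, limit."""
    groups = defaultdict(lambda: {"count": 0, "max_requested": 0, "limit": 0})
    for rec in filter(None, map(parse_line, lines)):
        g = groups[(rec["path"], rec["resource"])]
        g["count"] += 1
        g["max_requested"] = max(g["max_requested"], rec["requested"])
        g["limit"] = rec["limit"]
    return dict(groups)

def report(lines):
    out = []
    for (path, res), g in sorted(summarize(lines).items()):
        fmt = human if res in BYTE_LIMITS else str
        out.append(f"{path} {res}: {g['count']} denials, max request "
                   f"{fmt(g['max_requested'])}, limit {fmt(g['limit'])}")
    return out
```

`report(SAMPLE_LOG)` returns one summary line per binary and resource, which is easier to turn into a policy decision than the raw stream of repeated denials.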