Gentoo Archives: gentoo-security

From: Marc Ballarin <Ballarin.Marc@×××.de>
To: gentoo-security@l.g.o
Cc: cgysin@×××.ch
Subject: Re: [gentoo-security] grsec Resource logging
Date: Sun, 14 Aug 2005 11:58:27
In Reply to: [gentoo-security] grsec Resource logging by Christoph Gysin
On Sun, 14 Aug 2005 12:53:28 +0200
Christoph Gysin <cgysin@×××.ch> wrote:

> I'm playing around with grsecurity. Now I get lots of messages like this:
>
> grsec: denied resource overstep by requesting 7499776 for RLIMIT_MEMLOCK against limit 32768 for
> /usr/sbin/ntpd[ntpd:8525] uid/euid:123/123 gid/egid:123/123, parent /sbin/init[init:1] uid/euid:0/0
> gid/egid:0/0
>
> As far as I understand, ntpd is trying to allocate more memory than it is allowed due to resource
> limits. The limit seems to be 32M while ntpd tries to allocate 7G (!) of RAM?
It's trying to *lock* memory, i.e. make it non-swappable. By default, Linux allows a process (root-owned) to lock up to 32kB of memory (those 32768 bytes above). (Since Linux 2.6.9 even regular users can lock up to 32kB of memory. This allows gpg to run securely without root privileges.) The question is why ntpd is trying to raise that limit to >7MB, and whether that is really necessary (see ntpd/ntpd.c).

> What is wrong here?

You probably need to configure some rules to allow ntpd to change those limits. I don't know how this is done, though.

Regards

-- 
gentoo-security@g.o mailing list
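Added example (not from this thread, and not ntpd's own code): a small Linux C program that reproduces the condition behind the log line quoted above. It lowers its own soft RLIMIT_MEMLOCK to 64 kB, tries to mlock() one page and then 7499776 bytes (the request size from the grsec message), checks whether CAP_IPC_LOCK would exempt the process from the limit altogether, and finally attempts the setrlimit() raise that an unprivileged daemon would need before locking that much. The function names and the 64 kB figure are the example's own choices, not anything from the thread.

```c
/* memlock_limit.c: reproduce an RLIMIT_MEMLOCK overstep from user space.
 * Added example for this thread; Linux only. Build: cc -o memlock_limit memlock_limit.c */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* CAP_IPC_LOCK (capability bit 14) exempts a process from RLIMIT_MEMLOCK entirely.
 * Read the effective capability set from /proc/self/status; if /proc is not
 * available, fall back to "euid 0 is probably privileged". */
int memlock_is_exempt(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return geteuid() == 0;
    int exempt = geteuid() == 0;          /* used only if no CapEff line is found */
    char line[256];
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            unsigned long long caps = strtoull(line + 7, NULL, 16);
            exempt = (int)((caps >> 14) & 1ULL);
            break;
        }
    }
    fclose(f);
    return exempt;
}

/* Is the hard RLIMIT_MEMLOCK already unlimited? (Then raising the soft limit needs no privilege.) */
int memlock_hard_is_unlimited(void)
{
    struct rlimit rl;
    return getrlimit(RLIMIT_MEMLOCK, &rl) == 0 && rl.rlim_max == RLIM_INFINITY;
}

/* Lower the soft RLIMIT_MEMLOCK to `bytes`, clamped to the hard limit (RLIM_INFINITY
 * is the largest rlim_t value, so the clamp is a no-op when the hard limit is unlimited).
 * Lowering a soft limit needs no privilege. Returns the limit now in effect, or -1. */
long set_memlock_soft_limit(unsigned long bytes)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0)
        return -1;
    if (bytes > rl.rlim_max)
        bytes = rl.rlim_max;
    rl.rlim_cur = bytes;
    if (setrlimit(RLIMIT_MEMLOCK, &rl) != 0)
        return -1;
    return (long)bytes;
}

/* The step the reply wonders about: raise RLIMIT_MEMLOCK (soft and hard) to unlimited
 * before locking. Raising the hard limit needs CAP_SYS_RESOURCE, so an unprivileged
 * process gets EPERM unless the hard limit is already unlimited. Returns 0 or errno. */
int raise_memlock_limit_unlimited(void)
{
    struct rlimit rl = { RLIM_INFINITY, RLIM_INFINITY };
    return setrlimit(RLIMIT_MEMLOCK, &rl) == 0 ? 0 : errno;
}

/* Try to lock `bytes` of fresh anonymous memory. Returns 0 on success, else errno.
 * Without CAP_IPC_LOCK the kernel compares (already locked + requested) against
 * RLIMIT_MEMLOCK and refuses with ENOMEM; that refusal is what grsec reports as a
 * "denied resource overstep". The mapping is released again before returning. */
int try_mlock(size_t bytes)
{
    void *p = mmap(NULL, bytes, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    int rc = mlock(p, bytes) == 0 ? 0 : errno;
    if (rc == 0)
        munlock(p, bytes);
    munmap(p, bytes);
    return rc;
}

int main(void)
{
    long lim = set_memlock_soft_limit(64 * 1024);
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    printf("soft RLIMIT_MEMLOCK now %ld bytes, CAP_IPC_LOCK: %s\n",
           lim, memlock_is_exempt() ? "yes (limit not enforced)" : "no");
    int small = try_mlock(page);
    int big = try_mlock(7499776);            /* the request size from the grsec message */
    printf("mlock(%zu bytes): %s\n", page, small ? strerror(small) : "ok");
    printf("mlock(7499776 bytes): %s\n", big ? strerror(big) : "ok");
    int r = raise_memlock_limit_unlimited();
    printf("setrlimit(RLIMIT_MEMLOCK, unlimited): %s\n", r ? strerror(r) : "ok");
    return 0;
}
```

Run unprivileged, the 7499776-byte lock fails with ENOMEM ("Cannot allocate memory") while the single page succeeds; the same program run with CAP_IPC_LOCK locks both regardless of the limit, which is why `ulimit -l` alone does not predict what a root-owned daemon can do. Note that the kernel compares the request against the limit together with whatever the process has already locked, not in isolation.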