grsec: denied resource overst... ntpd? [SOLVED]


Post by petlab » Wed Mar 30, 2005 2:32 pm

I am using grsec and gradm v 2.1.3-200503070918, hardened-sources 2.6.11-hardened-r1 with dual Opteron cpus, PaX and Gentoo linux. I noticed this problem. Suggestions on how to fix it? Where do I start looking? Thanks so much.
Code:
grsec: denied resource overstep by requesting 13258752 for RLIMIT_MEMLOCK against limit 32768 for /usr/sbin/ntpd[ntpd:25306] uid/euid:123/123 gid/egid:123/123, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Last edited by petlab on Thu Mar 31, 2005 3:32 pm, edited 1 time in total.
petlab
 
Posts: 14
Joined: Mon Jan 31, 2005 11:00 am

Post by petlab » Thu Mar 31, 2005 3:31 pm

Well, I found one item on the internet to help here. Suggest using openntp instead of ntp. I did, and now it works, except my timezone and things are messed up. I did get that sort of fixed, and now it works well. :cry:
petlab
 
Posts: 14
Joined: Mon Jan 31, 2005 11:00 am

Post by humbletech99 » Thu Nov 17, 2005 7:49 am

I've also had this problem but I don't want to switch to openntp because this is a production server and I shouldn't really be messing with it now. Is there any way of just allowing the ntpd process to take the 7Mb it's asking for?

maybe using gradm or something?
humbletech99
 
Posts: 1
Joined: Thu Nov 17, 2005 7:47 am

try openntpd

Post by fonya » Mon Nov 21, 2005 11:05 am

humbletech99 wrote: I've also had this problem but I don't want to switch to openntp because this is a production server and I shouldn't really be messing with it now.

I switched to openntpd too, without any harm. I suggest you take it too :)

Just give it a try... on a non-productive server?
fonya
 
Posts: 36
Joined: Thu Mar 28, 2002 11:22 am

Post by PaX Team » Tue Nov 22, 2005 9:56 am

humbletech99 wrote: I've also had this problem but I don't want to switch to openntp because this is a production server and I shouldn't really be messing with it now. Is there any way of just allowing the ntpd process to take the 7Mb it's asking for?

maybe using gradm or something?

i thought we had discussed this here or on the mailing list, but i can't find anything now, so here's the quick rundown. about a year ago RLIMIT_MEMLOCK handling was changed in vanilla linux to allow unprivileged users to lock a few pages in memory (previously it required root). along with this change they also changed the default rlimits (that apply to root as well), in particular, it became something like 32 pages (vs. unlimited before). therefore processes that were started as root but dropped privileges later suddenly found themselves with a limited amount of lockable memory, this is what you're seeing here. the proper fix is to increase the resource limit for root (via PAM or whatever) or change the application to increase it on its own before it drops privileges.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Post by Raf256 » Thu Jan 05, 2006 3:32 pm

How to set it up, I thought /etc/security/ulimits.conf will do?
But I already had:

Code:
root              hard  core 102400 # 100 mb
root              soft  core 102400

*             hard  core 0
*             soft  core 0
*             hard  data 409600 # 400m
*             soft  data 409600
*             hard  memlock 10240 # 10 mb
*             soft  memlock 10240
*             hard  nofile  1024
*             soft  nofile  1024
*             hard  locks 1024
*             soft  locks 1024
*             hard  rss  40960 # 40 mb
*             soft  rss  40960
*             hard  stack  65536 # 64 mb
*             soft  stack  65536
*             hard  nproc  800
*             soft  nproc  400


Shouldn't that help?

How to change it from the program, just by calling ulimit?
Raf256
 
Posts: 72
Joined: Mon Sep 19, 2005 8:38 pm

Post by bani » Fri Jan 06, 2006 4:45 pm

on FC4 put this in your /etc/sysconfig/ntpd
# Drop root to id 'ntp:ntp' by default. Requires kernel >= 2.2.18.
ulimit -l 20000
OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid"
bani
 
Posts: 15
Joined: Sun Aug 28, 2005 10:56 pm
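
The second fix PaX Team describes (the application raising the limit itself before it drops privileges), which is also what Raf256 asks about, can be sketched in C with setrlimit(2); the shell's `ulimit` only affects the shell and the processes it starts. This is an added example, not part of the thread and not ntpd's code: `ensure_memlock` and `drop_privileges` are hypothetical helper names, and the byte count and uid/gid 123 are taken from the log line in the first post.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* Make sure at least `want` bytes may be locked. Raising the soft limit up
 * to the hard limit needs no privilege; raising the hard limit needs root
 * (CAP_SYS_RESOURCE), so call this before setuid(). Returns 0 or -1. */
int ensure_memlock(rlim_t want)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0)
        return -1;
    if (rl.rlim_cur >= want)            /* RLIM_INFINITY compares as largest */
        return 0;
    if (rl.rlim_max < want)
        rl.rlim_max = want;             /* the privileged step */
    rl.rlim_cur = want;
    return setrlimit(RLIMIT_MEMLOCK, &rl);
}

/* Drop to an unprivileged uid/gid: groups first, then gid, then uid. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0;     /* regaining root must fail */
}

int main(void)
{
    /* 13258752 bytes and uid/gid 123 are the values in the log line above. */
    if (ensure_memlock(13258752) != 0) {
        perror("RLIMIT_MEMLOCK");
        return 1;
    }
    if (geteuid() == 0 && drop_privileges(123, 123) != 0) {
        perror("drop_privileges");
        return 1;
    }
    if (mlockall(MCL_CURRENT | MCL_FUTURE) != 0) {
        perror("mlockall");
        return 1;
    }
    puts("memory locked after dropping privileges");
    return 0;
}
```

Swapping the first two calls in `main` reproduces the situation in the log: once the process is uid 123 it can no longer raise the hard limit, and the lock request is refused.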

