Ballarin.Marc at gmx
Aug 14, 2005, 4:50 AM
Post #2 of 5
On Sun, 14 Aug 2005 12:53:28 +0200
Christoph Gysin <cgysin [at] gmx> wrote:
> I'm playing around with grsecurity. Now I get lots of messages like this:
> grsec: denied resource overstep by requesting 7499776 for RLIMIT_MEMLOCK against limit 32768 for
> /usr/sbin/ntpd[ntpd:8525] uid/euid:123/123 gid/egid:123/123, parent /sbin/init[init:1] uid/euid:0/0
> As far as I understand, ntpd is trying to allocate more memory than it is allowed due to resource
> limits. The limit seems to be 32M while ntpd tries to allocate 7G (!) of RAM?
It's trying to *lock* memory, i.e. make it non-swappable. By default,
Linux allows a process (root-owned) to lock up to 32kB of memory (those
32768 Bytes above).
(Since Linux 2.6.9 even regular users can lock up to 32kB of memory. This
allows gpg to run securely without root privileges.)
The question is, why ntpd is trying to raise that limit to >7MB, and if
that is really necessary (see ntpd/ntpd.c).
> What is wrong here?
You probably need to configure some rules to allow ntpd to change those
limits. I don't know how this is done, though.
gentoo-security [at] gentoo mailing list