Mailing List Archive

grsec Resource logging
I'm playing around with grsecurity. Now I get lots of messages like this:

grsec: denied resource overstep by requesting 7499776 for RLIMIT_MEMLOCK against limit 32768 for
/usr/sbin/ntpd[ntpd:8525] uid/euid:123/123 gid/egid:123/123, parent /sbin/init[init:1] uid/euid:0/0
gid/egid:0/0

As far as I understand, ntpd is trying to allocate more memory than it is allowed due to resource
limits. The limit seems to be 32M while ntpd tries to allocate 7G (!) of RAM?

What is wrong here?

Christoph
--
echo mailto: NOSPAM !#$.'<*>'|sed 's. ..'|tr "<*> !#:2" org@fr33z3
--
gentoo-security@gentoo.org mailing list
Re: grsec Resource logging
On Sun, 14 Aug 2005 12:53:28 +0200
Christoph Gysin <cgysin@gmx.ch> wrote:

> I'm playing around with grsecurity. Now I get lots of messages like this:
>
> grsec: denied resource overstep by requesting 7499776 for RLIMIT_MEMLOCK against limit 32768 for
> /usr/sbin/ntpd[ntpd:8525] uid/euid:123/123 gid/egid:123/123, parent /sbin/init[init:1] uid/euid:0/0
> gid/egid:0/0
>
> As far as I understand, ntpd is trying to allocate more memory than it is allowed due to resource
> limits. The limit seems to be 32M while ntpd tries to allocate 7G (!) of RAM?

It's trying to *lock* memory, i.e. make it non-swappable. By default,
Linux allows a process (root-owned) to lock up to 32kB of memory (those
32768 Bytes above).

(Since Linux 2.6.9 even regular users can lock up to 32kB of memory. This
allows gpg to run securely without root privileges.)

The question is, why ntpd is trying to raise that limit to >7MB, and if
that is really necessary (see ntpd/ntpd.c).

>
> What is wrong here?

You probably need to configure some rules to allow ntpd to change those
limits. I don't know how this is done, though.

Regards
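
Added example, not part of the original thread: a small Python parser for the grsec message quoted above that renders the requested value and the limit in byte units, since RLIMIT_MEMLOCK is measured in bytes. The function names, the constructed extra log line, and the assumption that other overstep messages share this layout belong to the example only.

```python
import re

# Layout taken from the one grsec message quoted in this thread (assumed stable).
OVERSTEP = re.compile(
    r"grsec: denied resource overstep by requesting (?P<requested>\d+) for "
    r"(?P<resource>RLIMIT_\w+) against limit (?P<limit>\d+) for "
    r"(?P<path>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+)"
)

# rlimits that getrlimit(2) documents as byte counts; the rest are counts or seconds.
BYTE_LIMITS = {"RLIMIT_AS", "RLIMIT_CORE", "RLIMIT_DATA", "RLIMIT_FSIZE",
               "RLIMIT_MEMLOCK", "RLIMIT_MSGQUEUE", "RLIMIT_RSS", "RLIMIT_STACK"}

def human(n, resource):
    """Render a value with binary units when the resource is measured in bytes."""
    if resource not in BYTE_LIMITS:
        return str(n)
    value = float(n)
    for unit in ("B", "KiB", "MiB", "GiB"):
        if value < 1024 or unit == "GiB":
            return f"{value:.2f} {unit}"
        value /= 1024

def parse_oversteps(text):
    """Return one dict per overstep message; tolerates messages wrapped across lines."""
    flat = " ".join(text.split())
    events = []
    for m in OVERSTEP.finditer(flat):
        e = m.groupdict()
        for key in ("requested", "limit", "pid", "uid", "euid"):
            e[key] = int(e[key])
        e["requested_h"] = human(e["requested"], e["resource"])
        e["limit_h"] = human(e["limit"], e["resource"])
        e["factor"] = e["requested"] / e["limit"] if e["limit"] else float("inf")
        events.append(e)
    return events

# Sample input: the message from the thread (wrapped as posted), plus one
# constructed unrelated line to show that non-matching text is skipped.
SAMPLE = """grsec: denied resource overstep by requesting 7499776 for RLIMIT_MEMLOCK against limit 32768 for
/usr/sbin/ntpd[ntpd:8525] uid/euid:123/123 gid/egid:123/123, parent /sbin/init[init:1] uid/euid:0/0
gid/egid:0/0
kernel: constructed unrelated line
"""

if __name__ == "__main__":
    for ev in parse_oversteps(SAMPLE):
        print(ev["path"], ev["resource"], ev["requested_h"], "vs", ev["limit_h"])
```
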
Re: grsec Resource logging
On Sunday 14 August 2005 10:53, Christoph Gysin wrote:
> I'm playing around with grsecurity. Now I get lots of messages like this:
>
> grsec: denied resource overstep by requesting 7499776 for RLIMIT_MEMLOCK
> against limit 32768 for /usr/sbin/ntpd[ntpd:8525] uid/euid:123/123
> gid/egid:123/123, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
>
> As far as I understand, ntpd is trying to allocate more memory than it is
> allowed due to resource limits. The limit seems to be 32M while ntpd tries
> to allocate 7G (!) of RAM?

the same happens to me. I haven't given it much importance because ntpd works
ok even with grsec interference.

> What is wrong here?

still I'd also like to clarify this.

regards,
pedro venda.
--

Pedro João Lopes Venda
email: pjvenda < at > arrakis.dhis.org
http://arrakis.dhis.org
Re: grsec Resource logging
On Sun, 14 Aug 2005 12:01:14 +0000
Pedro Venda <pjvenda@arrakis.dhis.org> wrote:

>
> the same happens to me. I haven't given it much importance because ntpd works
> ok even with grsec interference.
>
> > What is wrong here?
>
> still I'd also like to clarify this.

I think this locking is done in order to ensure that ntpd is able to
adjust time even under heavy load.

So, if ntpd can't lock itself into memory, time-keeping might become
inaccurate when ntpd is paged out on a loaded system.

Regards
Re: grsec Resource logging
Christoph Gysin wrote:
> I'm playing around with grsecurity. Now I get lots of messages like this:
>
> grsec: denied resource overstep by requesting 7499776 for RLIMIT_MEMLOCK
> against limit 32768 for /usr/sbin/ntpd[ntpd:8525] uid/euid:123/123
> gid/egid:123/123, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
>
> As far as I understand, ntpd is trying to allocate more memory than it
> is allowed due to resource limits. The limit seems to be 32M while ntpd
> tries to allocate 7G (!) of RAM?
>
> What is wrong here?
>
> Christoph

[Bug 99713] ntpd hits RLIMIT_MEMLOCK limit
http://bugs.gentoo.org/show_bug.cgi?id=99713