Heiko Zuerker
2003-Apr-27 03:05 UTC
[dovecot] dovecot and grsecurity (problem with resource limits)
Howdy folks!

I just added Dovecot as a standard package to Devil-Linux and ran into a problem with resource limits. Grsecurity (http://www.grsecurity.net) is used in DL to prevent problems with common exploits; it also reports violations of rlimits.

The following messages show up in the log, but it seems that the IMAP Server works fine:

Apr 26 19:20:04 src at gate imap-login: Login: hz [192.168.0.11]
Apr 26 19:20:05 src at gate kernel: grsec: attempted resource overstep by requesting 37 for RLIMIT_NPROC against limit 0 by (dovecot:10246) UID(0) EUID(0), parent (dovecot:634) UID(0) EUID(0)
Apr 26 19:22:18 src at gate kernel: grsec: attempted resource overstep by requesting 37 for RLIMIT_NPROC against limit 0 by (dovecot:19802) UID(0) EUID(0), parent (dovecot:634) UID(0) EUID(0)
Apr 26 19:22:18 src at gate imap-login: Login: hz [192.168.0.11]
Apr 26 19:26:36 src at gate syslog-ng[606]: STATS: dropped 0
Apr 26 19:28:19 src at gate kernel: grsec: attempted resource overstep by requesting 33 for RLIMIT_NPROC against limit 0 by (dovecot:16011) UID(0) EUID(0), parent (dovecot:634) UID(0) EUID(0)

How should we proceed to analyze/fix this problem?

Thanks!
Heiko
Timo Sirainen
2003-Apr-27 04:19 UTC
[dovecot] Re: dovecot and grsecurity (problem with resource limits)
On Sun, 2003-04-27 at 03:05, Heiko Zuerker wrote:
> Apr 26 19:20:04 src at gate imap-login: Login: hz [192.168.0.11]
> Apr 26 19:20:05 src at gate kernel: grsec: attempted resource overstep by
> requesting 37 for RLIMIT_NPROC against limit 0 by (dovecot:10246) UID(0)
> EUID(0), parent (dovecot:634) UID(0) EUID(0)

Openwall kernel had the same problem. Hmm. I'd like to make sure that imap-login can't fork(), but RLIMIT_NPROC seems to be the total number of processes. When does it get enforced? Immediately at setrlimit() or at exec()?

Does this work:

Index: src/login-common/main.c
===================================================================
RCS file: /home/cvs/dovecot/src/login-common/main.c,v
retrieving revision 1.9
diff -u -r1.9 main.c
--- src/login-common/main.c	6 Mar 2003 21:44:31 -0000	1.9
+++ src/login-common/main.c	27 Apr 2003 01:17:46 -0000
@@ -4,6 +4,7 @@
 #include "ioloop.h"
 #include "lib-signals.h"
 #include "restrict-access.h"
+#include "restrict-process-size.h"
 #include "process-title.h"
 #include "fd-close-on-exec.h"
 #include "auth-connection.h"
@@ -129,6 +130,9 @@
 
 static void drop_privileges(const char *name)
 {
+	/* make sure we can't fork() */
+	restrict_process_size((unsigned int)-1, 0);
+
 	/* Log file or syslog opening probably requires roots */
 	open_logfile(name);
 
cvs server: Diffing src/master
Index: src/master/login-process.c
===================================================================
RCS file: /home/cvs/dovecot/src/master/login-process.c,v
retrieving revision 1.40
diff -u -r1.40 login-process.c
--- src/master/login-process.c	15 Apr 2003 16:58:48 -0000	1.40
+++ src/master/login-process.c	27 Apr 2003 01:17:47 -0000
@@ -479,7 +479,7 @@
 			i_fatal("chdir(%s) failed: %m", set->login_dir);
 	}
 
-	restrict_process_size(group->set->process_size, 0);
+	restrict_process_size(group->set->process_size, (unsigned int)-1);
 
 	/* make sure we don't leak syslog fd, but do it last so that
 	   any errors above will be logged */
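Review bot: the new restrict_process_size((unsigned int)-1, 0) call at the top of drop_privileges() in the main.c hunk runs while the process is still root (the next comment says log opening "probably requires roots"), and RLIMIT_NPROC is a per-real-uid process count that the kernel checks when fork() is attempted, not when setrlimit() is called; a root process is exempt from it. The limit therefore only starts to bite once drop_privileges() has switched to the login user, after which any fork() by imap-login fails with EAGAIN because that user already owns at least one process. Suggest the comment say so, e.g. "/* make sure we can't fork() once we've dropped privileges */", and make sure the helper sets the hard limit as well as the soft one, since a soft limit alone could be raised back by the process.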
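Review bot: in the login-process.c hunk the second argument becomes (unsigned int)-1, and the main.c hunk passes the same value as the first argument, so both hunks depend on restrict_process_size() treating UINT_MAX as "leave this limit alone". That meaning is not visible here; if the helper instead hands the value to setrlimit(), the master would now be setting an explicit, very large RLIMIT_NPROC for the login process rather than skipping it, and the no-fork guarantee for imap-login would rest entirely on the call added in drop_privileges(). Suggest a named constant (or a comment at both call sites) that spells out the "don't touch" semantics.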
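Timo's question about when RLIMIT_NPROC is enforced can be checked empirically. The following C probe is an added example, not code from the thread or from Dovecot: in a throw-away child it does what the patched imap-login does (hard RLIMIT_NPROC of 0) and then attempts a fork(); uid 65534 ("nobody") is an assumed unprivileged uid used only when the probe is started as root, since root is exempt from the limit.

```c
#include <errno.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exit codes the probe child uses to report its result to the parent. */
enum { PROBE_FORK_DENIED = 10, PROBE_FORK_ALLOWED = 11, PROBE_ERROR = 12 };

/*
 * Set RLIMIT_NPROC to 0 in a disposable child and try to fork() from it.
 * If we run as root, first switch to unprivileged_uid (assumed: 65534),
 * because root is exempt from RLIMIT_NPROC. The caller's own limits are
 * never changed. Returns 1 if the inner fork() was refused with EAGAIN,
 * 0 if it was allowed (process still privileged), -1 on unexpected error.
 */
int probe_nproc_limit(uid_t unprivileged_uid)
{
    struct rlimit rl = { 0, 0 };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        pid_t inner;
        if (geteuid() == 0) {
            /* best effort; if this fails we stay root and stay exempt */
            (void)setgid(unprivileged_uid);
            (void)setuid(unprivileged_uid);
        }
        /* setrlimit() itself succeeds: nothing is enforced at this point */
        if (setrlimit(RLIMIT_NPROC, &rl) != 0)
            _exit(PROBE_ERROR);

        inner = fork();                 /* this is where the limit bites */
        if (inner == 0)
            _exit(0);
        if (inner > 0) {
            waitpid(inner, NULL, 0);
            _exit(PROBE_FORK_ALLOWED);
        }
        _exit(errno == EAGAIN ? PROBE_FORK_DENIED : PROBE_ERROR);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == PROBE_FORK_DENIED)
        return 1;
    return WEXITSTATUS(status) == PROBE_FORK_ALLOWED ? 0 : -1;
}
```

Run as an ordinary user the probe returns 1: the child survives setrlimit() and only the subsequent fork() is refused, which is the behaviour the patched drop_privileges() relies on once imap-login has switched to the login user.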