Summary: | net-mail/checkpassword-pam triggering RLIMIT_AS resource overstep with grsecurity | | |
---|---|---|---|
Product: | Gentoo Linux | Reporter: | James Le Cuirot <chewi> |
Component: | Current packages | Assignee: | No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it <maintainer-needed> |
Status: | CONFIRMED --- | | |
Severity: | normal | CC: | jstein, net-mail+disabled |
Priority: | High | Keywords: | PATCH |
Version: | unspecified | | |
Hardware: | AMD64 | | |
OS: | Linux | | |
URL: | http://checkpasswd-pam.sourceforge.net/ | | |
Whiteboard: | | | |
Package list: | | Runtime testing required: | --- |
Attachments: | patch to increase the soft limit in qmail | | |
Description
James Le Cuirot
2008-07-20 10:29:11 UTC
Oh yeah and I've tried remerging checkpassword-pam, checkpassword, pam and glibc. No dice.

I realised that there is a SOFTLIMIT_OPTS setting in conf-common. Changing this from 16000000 to 32000000 solved the problem. Maybe it needs to be higher for 64-bit systems?

That wasn't the end of the story though. I also had to set checkpassword-pam as SUID root before it would successfully authenticate me. This has been reported in other bugs but not yet fixed. It makes sense, you need root access to read /etc/shadow, right?

Created attachment 342568
patch to increase the soft limit in qmail

I ran into this on an x86/32bit system

Portage 2.1.11.52 (hardened/linux/x86, gcc-4.6.3, glibc-2.15-r3, 3.8.2-hardened i686)
=================================================================
System uname: Linux-3.8.2-hardened-i686-Intel-R-_Xeon-TM-_MP_CPU_2.50GHz-with-gentoo-2.1
KiB Mem: 1033128 total, 861556 free
KiB Swap: 0 total, 0 free
Timestamp of tree: Sat, 09 Mar 2013 01:00:01 +0000
ld GNU ld (GNU Binutils) 2.22
app-shells/bash: 4.2_p37
dev-lang/python: 2.7.3-r2, 3.2.3
dev-util/pkgconfig: 0.28
sys-apps/baselayout: 2.1-r1
sys-apps/openrc: 0.11.8
sys-apps/sandbox: 2.5
sys-devel/autoconf: 2.69
sys-devel/automake: 1.11.6
sys-devel/binutils: 2.22-r1
sys-devel/gcc: 4.6.3
sys-devel/gcc-config: 1.7.3
sys-devel/libtool: 2.4-r1
sys-devel/make: 3.82-r4
sys-kernel/linux-headers: 3.6 (virtual/os-headers)
sys-libs/glibc: 2.15-r3

From dmesg, lots of others, this was one of the highest:

[ 3074.673166] grsec: From 208.22.99.38: denied resource overstep by requesting 112640000 for RLIMIT_AS against limit 16000000 for /var/qmail/bin/qmail-smtpd[qmail-smtpd:20748] uid/euid:201/201 gid/egid:200/200, parent /usr/bin/tcpserver[tcpserver:926] uid/euid:201/201 gid/egid:200/200

I might have had one higher, so I just added another 0 to the end, to make the limit much higher. I have not hit it since increasing it.
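
The following is an added example, not part of the bug report or of any Gentoo or grsecurity tooling: it scans kernel log text for grsec "denied resource overstep" entries in the format quoted above and reports, per binary and resource, the limit in force and the largest request seen. The names `parse_oversteps` and `summarize` are hypothetical, the second and third sample lines are constructed, and treating the `From <ip>:` prefix as optional is an assumption.

```python
import re

# Constructed sample input: the first line is the dmesg entry quoted in the
# comment above; the second is a made-up line in the same format; the third
# is unrelated kernel output that must be ignored.
SAMPLE_LOG = """\
[ 3074.673166] grsec: From 208.22.99.38: denied resource overstep by requesting 112640000 for RLIMIT_AS against limit 16000000 for /var/qmail/bin/qmail-smtpd[qmail-smtpd:20748] uid/euid:201/201 gid/egid:200/200, parent /usr/bin/tcpserver[tcpserver:926] uid/euid:201/201 gid/egid:200/200
[ 3080.100000] grsec: From 192.0.2.10: denied resource overstep by requesting 20480000 for RLIMIT_AS against limit 16000000 for /var/qmail/bin/qmail-smtpd[qmail-smtpd:20750] uid/euid:201/201 gid/egid:200/200, parent /usr/bin/tcpserver[tcpserver:926] uid/euid:201/201 gid/egid:200/200
[ 3090.000000] eth0: link up
"""

# Pattern derived from the quoted line. Making the "From <ip>: " prefix
# optional is an assumption, for entries with no remote address attached.
OVERSTEP = re.compile(
    r"grsec: (?:From (?P<ip>\S+): )?denied resource overstep by requesting "
    r"(?P<requested>\d+) for (?P<resource>RLIMIT_\w+) against limit "
    r"(?P<limit>\d+) for (?P<path>/\S+?)\["
)


def parse_oversteps(text):
    """Yield one dict per resource-overstep line; all other lines are skipped."""
    for line in text.splitlines():
        m = OVERSTEP.search(line)
        if m:
            event = m.groupdict()
            event["requested"] = int(event["requested"])
            event["limit"] = int(event["limit"])
            yield event


def summarize(text):
    """Per (binary, resource): denial count, limit in force, largest request."""
    summary = {}
    for e in parse_oversteps(text):
        s = summary.setdefault((e["path"], e["resource"]),
                               {"hits": 0, "limit": e["limit"], "max_requested": 0})
        s["hits"] += 1
        s["limit"] = e["limit"]  # keep the most recent limit seen
        s["max_requested"] = max(s["max_requested"], e["requested"])
    return summary


if __name__ == "__main__":
    for (path, res), s in summarize(SAMPLE_LOG).items():
        print(f"{path} {res}: {s['hits']} denials, limit {s['limit']}, "
              f"largest request {s['max_requested']}")
```

The largest request seen is only a lower bound when choosing a new SOFTLIMIT_OPTS value, because a process whose allocation is denied may never get as far as its largest request.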