Bug 535926 - net-misc/ntp-4.2.8 - ntpd: denied resource overstep by requesting 125427712 for RLIMIT_MEMLOCK against limit 33554432
Status: RESOLVED DUPLICATE of bug 533232
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-07 12:58 UTC by David Holm
Modified: 2015-04-08 20:48 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---


Description David Holm 2015-01-07 12:58:33 UTC
ntpd-4.2.8 is continuously being killed by grsec on gentoo-hardened due to resource overstep (RLIMIT_MEMLOCK).  If I downgrade to net-misc/ntp-4.2.6_p5-r11 I do not see this issue.

My current kernel is 3.17.7-hardened-r1.

This message repeats in the log until being throttled:

    kernel: grsec: From 84.220.77.86: denied resource overstep by requesting 125427712 for RLIMIT_MEMLOCK against limit 33554432 for /usr/sbin/ntpd[ntpd:15328] uid/euid:123/123 gid/egid:123/123, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

Reproducible: Always
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-07 14:27:49 UTC
Please post your `emerge --info net-misc/ntp' output in a comment.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-07 14:39:48 UTC
Looks like bug #534158, but there no memory limit is in place.
Comment 3 David Holm 2015-01-07 15:18:45 UTC
(In reply to Jeroen Roovers from comment #1)
> Please post your `emerge --info net-misc/ntp' output in a comment.

Portage 2.2.15 (python 2.7.9-final-0, hardened/linux/amd64, gcc-4.8.4, glibc-2.20-r1, 3.17.7-hardened-r1 x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-3.17.7-hardened-r1-x86_64-Intel-R-_Xeon-R-_CPU_E3-1265L_V2_@_2.50GHz-with-gentoo-2.2
KiB Mem:    16273844 total,  13016144 free
KiB Swap:   15624188 total,  15624188 free
Timestamp of tree: Wed, 07 Jan 2015 11:45:01 +0000
sh bash 4.3_p33
ld GNU ld (Gentoo 2.24 p1.4) 2.24
app-shells/bash:          4.3_p33
dev-java/java-config:     2.2.0
dev-lang/perl:            5.20.1-r4
dev-lang/python:          2.7.9-r1, 3.4.2
dev-util/cmake:           3.0.2
dev-util/pkgconfig:       0.28-r2
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.13.6
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.69
sys-devel/automake:       1.11.6-r1, 1.13.4
sys-devel/binutils:       2.24-r3
sys-devel/gcc:            4.8.4
sys-devel/gcc-config:     1.8
sys-devel/libtool:        2.4.4
sys-devel/make:           4.1-r1
sys-kernel/linux-headers: 3.18 (virtual/os-headers)
sys-libs/glibc:           2.20-r1
Repositories: gentoo dholm-overlay
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -mtune=native -O3 -ggdb -fuse-linker-plugin -flto=9 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -mtune=native -O3 -ggdb -fuse-linker-plugin -flto=9 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--keep-going"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://mirror.mdfnet.se/gentoo/ http://ftp.df.lth.se/pub/gentoo/"
LANG="en_US.UTF-8"
LC_ALL=""
LDFLAGS="-Wl,-O3 -Wl,--hash-style=gnu -Wl,--as-needed -Wl,--sort-common"
MAKEOPTS="-j9"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.fi.gentoo.org/gentoo-portage"
USE="acl amd64 audit auth-dns avx berkdb bzip2 caps cli cracklib crypt curl cxx dbus dnssec doc dri fortran gdbm geoip gif gmp hardened hscolour iconv icu idn ipv6 jbig jpeg jpeg2k justify lzma lzo mmx mmxext modules multilib ncurses netlink nfs nntp nptl nss ntp numa oci openmp pam pax_kernel pcap pcre png python readline script session slang smi snmp socks5 sqlite sse sse2 sse3 sse4_1 ssh ssl ssse3 systemtap tcpd tftp threads tiff tls tools udev unicode urandom usb utils xattr xtpax zeroconf zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CURL_SSL="nss" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64 pc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en sv" OFFICE_IMPLEMENTATION="libreoffice" OPENMPI_FABRICS="knem" OPENMPI_RM="slurm" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" 
PYTHON_TARGETS="python2_7 python3_4" QEMU_SOFTMMU_TARGETS="arm i386 mips64 x86_64" QEMU_USER_TARGETS="arm i386 mips64 x86_64" RUBY_TARGETS="ruby19 ruby20 ruby21" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

net-misc/ntp-4.2.8-r2 was built with the following:
USE="caps ipv6 parse-clocks snmp ssl zeroconf -debug -openntpd -samba (-selinux) -vim-syntax" ABI_X86="64"
Comment 4 David Holm 2015-01-07 15:19:44 UTC
(In reply to Jeroen Roovers from comment #2)
> Looks like bug #534158, but there no memory limit is in place.

The netmask on my loopback interface is 255.0.0.0 though.

# ip addr show dev lo
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
Comment 5 Kevin Bryan 2015-01-09 20:06:11 UTC
For me ntpd isn't killed by this, but grsec does log these messages.  According to bug 533232, comment 4 this can be fixed by adding an 'rlimit memlock 128' directive to /etc/ntpd.conf.  This works, however if ntpd.conf is being generated by netifrc there doesn't seem to be a way to have it add this line.  Should there be an enhancement request filed against it for adding extra directives?
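The grsec line quoted in the description carries everything needed to size the fix from comment 5: the bytes ntpd asked to lock, the RLIMIT_MEMLOCK ceiling it hit, the binary, pid and uid. The following is an added example, not code from this bug report, from ntp or from Gentoo. It parses such lines, counts denials per binary and resource, and computes the smallest `rlimit memlock` value that would have covered ntpd's largest request. Only the first sample line is the one from the report; the other lines are constructed here to exercise the parser. It assumes, per the ntp.conf documentation, that `rlimit memlock N` takes N in megabytes, and it rounds the request up in MiB; the 128 suggested in comment 5 exceeds the computed figure either way.

```python
"""Parse grsecurity "denied resource overstep" kernel log lines and work out
the smallest `rlimit memlock` value that would have satisfied ntpd's request.

Added example; not code from the bug report, from ntp or from Gentoo.
"""
import math
import re

# Constructed sample input.  The first line is the one quoted in the bug
# report; the remaining lines are made up here to exercise the parser.
SAMPLE_LOG = """\
kernel: grsec: From 84.220.77.86: denied resource overstep by requesting 125427712 for RLIMIT_MEMLOCK against limit 33554432 for /usr/sbin/ntpd[ntpd:15328] uid/euid:123/123 gid/egid:123/123, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
kernel: grsec: denied resource overstep by requesting 2097152 for RLIMIT_MEMLOCK against limit 1048576 for /usr/bin/example[example:4242] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4000] uid/euid:1000/1000 gid/egid:1000/1000
kernel: grsec: denied resource overstep by requesting 8192 for RLIMIT_NOFILE against limit 4096 for /usr/bin/example[example:4242] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4000] uid/euid:1000/1000 gid/egid:1000/1000
kernel: something unrelated that must be ignored
"""

# "From <addr>: " is only present when grsec can attribute the process to a
# remote origin, so it is optional in the pattern.
OVERSTEP_RE = re.compile(
    r"grsec: (?:From (?P<origin>\S+?): )?"
    r"denied resource overstep by requesting (?P<requested>\d+) "
    r"for (?P<resource>RLIMIT_[A-Z]+) against limit (?P<limit>\d+) "
    r"for (?P<path>[^\s\[]+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+)"
)

MIB = 1 << 20


def parse_overstep(line):
    """Return a dict describing one grsec overstep line, or None if it is not one."""
    m = OVERSTEP_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in ("requested", "limit", "pid", "uid", "euid"):
        ev[key] = int(ev[key])
    return ev


def parse_log(text):
    """Parse a block of kernel log text into a list of overstep events."""
    return [ev for ev in map(parse_overstep, text.splitlines()) if ev]


def memlock_megabytes_needed(requested_bytes):
    """Smallest whole number of MiB that covers a requested lock size."""
    return math.ceil(requested_bytes / MIB)


def ntp_rlimit_directive(events, comm="ntpd"):
    """ntp.conf directive covering the largest RLIMIT_MEMLOCK request by ntpd.

    Assumption (ntp.conf documentation): `rlimit memlock N` is in megabytes.
    Returns None when no MEMLOCK denial for the given process is present.
    """
    sizes = [ev["requested"] for ev in events
             if ev["comm"] == comm and ev["resource"] == "RLIMIT_MEMLOCK"]
    if not sizes:
        return None
    return f"rlimit memlock {memlock_megabytes_needed(max(sizes))}"


def denials_by_process(events):
    """Count denials per (path, resource) so repeat offenders stand out."""
    counts = {}
    for ev in events:
        key = (ev["path"], ev["resource"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        over = (ev["requested"] - ev["limit"]) / MIB
        print(f'{ev["path"]} pid {ev["pid"]} uid {ev["uid"]} requested '
              f'{ev["requested"]} for {ev["resource"]}, limit {ev["limit"]} '
              f'({over:.1f} MiB over)')
    print(denials_by_process(evs))
    print(ntp_rlimit_directive(evs))
```

Before relying on the directive, confirm what the running daemon actually got: `grep "locked memory" /proc/$(pidof ntpd)/limits` shows the soft and hard RLIMIT_MEMLOCK in effect, and the hard limit must be at least as large as whatever ntp.conf asks for, or the raise itself fails.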
Comment 6 Chris Henhawke 2015-03-13 10:40:23 UTC
This still exists in net-misc/ntp-4.2.8-r1.  Adding the rlimit line as described by Kevin seems to work.
Comment 7 Jaak Ristioja 2015-03-13 14:05:43 UTC
I can confirm this bug.

(In reply to Kevin Bryan from comment #5)
> For me ntpd isn't killed by this, but grsec does log these messages. 
> According to bug 533232, comment 4 this can be fixed by adding an 'rlimit
> memlock 128' directive to /etc/ntpd.conf.  This works, however if ntpd.conf
> is being generated by netifrc there doesn't seem to be a way to have it add
> this line.  Should there be an enhancement request filed against it for
> adding extra directives?

Afaik, the problem comes from the default behaviour of the DHCP client. I've used

  modules="dhclient" # Prefer net-misc/dhcp over net-misc/dhcpcd
  config_eth0="dhcp"
  dhcp_eth0="nontp"

in /etc/conf.d/net to work around this problem. Maybe something similar is possible when using net-misc/dhcpcd.
Comment 8 Chris Henhawke 2015-03-14 07:53:59 UTC
I don't use DHCP on my hardened install.  Making the change there would only be a stopgap.  Why net-misc/ntp is asking for so much memory on startup should be the real issue.  I believe there may have been a patch for this, but it doesn't appear to be applied anymore.  Referencing bug 117910 and bug 99713.
Comment 9 SpanKY gentoo-dev 2015-04-08 20:48:42 UTC

*** This bug has been marked as a duplicate of bug 533232 ***