On Sun, 2003-04-27 at 03:05, Heiko Zuerker wrote:
Apr 26 19:20:04 src@gate imap-login: Login: hz [192.168.0.11]
Apr 26 19:20:05 src@gate kernel: grsec: attempted resource overstep by requesting 37 for RLIMIT_NPROC against limit 0 by (dovecot:10246) UID(0) EUID(0), parent (dovecot:634) UID(0) EUID(0)

The Openwall kernel had the same problem. Hmm. I'd like to make sure that imap-login can't fork(), but RLIMIT_NPROC seems to be the total number of processes. When does it get enforced? Immediately at setrlimit() or at exec()?

Does this work:

Index: src/login-common/main.c =================================================================== RCS file: /home/cvs/dovecot/src/login-common/main.c,v retrieving revision 1.9 diff -u -r1.9 main.c --- src/login-common/main.c 6 Mar 2003 21:44:31 -0000 1.9 +++ src/login-common/main.c 27 Apr 2003 01:17:46 -0000 @@ -4,6 +4,7 @@ #include "ioloop.h" #include "lib-signals.h" #include "restrict-access.h" +#include "restrict-process-size.h" #include "process-title.h" #include "fd-close-on-exec.h" #include "auth-connection.h" @@ -129,6 +130,9 @@ static void drop_privileges(const char *name) { + /* make sure we can't fork() */ + restrict_process_size((unsigned int)-1, 0); + /* Log file or syslog opening probably requires roots */ open_logfile(name); cvs server: Diffing src/master Index: src/master/login-process.c =================================================================== RCS file: /home/cvs/dovecot/src/master/login-process.c,v retrieving revision 1.40 diff -u -r1.40 login-process.c --- src/master/login-process.c 15 Apr 2003 16:58:48 -0000 1.40 +++ src/master/login-process.c 27 Apr 2003 01:17:47 -0000 @@ -479,7 +479,7 @@ i_fatal("chdir(%s) failed: %m", set->login_dir); } - restrict_process_size(group->set->process_size, 0); + restrict_process_size(group->set->process_size, (unsigned int)-1); /* make sure we don't leak syslog fd, but do it last so that any errors above will be logged */
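
Review bot: in the src/login-common/main.c hunk at drop_privileges(), the new restrict_process_size((unsigned int)-1, 0) call sits above open_logfile(), which the next comment says probably needs root, so the zero RLIMIT_NPROC is installed while the process is still UID 0. The grsec line quoted at the top was raised against a UID(0)/EUID(0) process with limit 0, so this placement may trip the same check on those kernels. Consider making the call after the privileges have actually been dropped, and checking whatever restrict_process_size() reports on failure, since the added lines ignore the outcome and a failed setrlimit() would leave imap-login able to fork() with no warning. The comment "make sure we can't fork()" would also be more accurate if it said the limit counts all of the user's processes, which is the concern raised in the message itself.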
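
Review bot: in the src/master/login-process.c hunk, the second argument changes from 0 to a bare (unsigned int)-1 with no comment, and nothing in the visible lines says that this value means "no process limit". A named constant, or a one-line comment stating that the fork restriction is now applied by the login process itself in drop_privileges(), would keep a later reader from restoring the 0. It is also worth noting in the commit message that after this change the master no longer enforces the limit before exec, so the restriction depends entirely on the executed login binary calling restrict_process_size() on its own.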