[dovecot] Re: dovecot and grsecurity (problem with resource limits)
Timo Sirainen
tss at iki.fi
Sun Apr 27 04:19:31 EEST 2003
On Sun, 2003-04-27 at 03:05, Heiko Zuerker wrote:
> Apr 26 19:20:04 src at gate imap-login: Login: hz [192.168.0.11]
> Apr 26 19:20:05 src at gate kernel: grsec: attempted resource overstep by
> requesting 37 for RLIMIT_NPROC against limit 0 by (dovecot:10246) UID(0)
> EUID(0), parent (dovecot:634) UID(0) EUID(0)
Openwall kernel had the same problem. Hmm. I'd like to make sure that
imap-login can't fork(), but RLIMIT_NPROC seems to be total number of
processes. When does it get enforced? Immediately at setrlimit() or at
exec()? Does this work:
Index: src/login-common/main.c
===================================================================
RCS file: /home/cvs/dovecot/src/login-common/main.c,v
retrieving revision 1.9
diff -u -r1.9 main.c
--- src/login-common/main.c 6 Mar 2003 21:44:31 -0000 1.9
+++ src/login-common/main.c 27 Apr 2003 01:17:46 -0000
@@ -4,6 +4,7 @@
#include "ioloop.h"
#include "lib-signals.h"
#include "restrict-access.h"
+#include "restrict-process-size.h"
#include "process-title.h"
#include "fd-close-on-exec.h"
#include "auth-connection.h"
@@ -129,6 +130,9 @@
static void drop_privileges(const char *name)
{
+ /* make sure we can't fork() */
+ restrict_process_size((unsigned int)-1, 0);
+
/* Log file or syslog opening probably requires roots */
open_logfile(name);
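Review bot: the `/* make sure we can't fork() */` call sits at the top of drop_privileges(), before open_logfile(), which the next comment says still needs root; anything in this function that does fork() (a logging helper, a pipe to a child) will now fail with EAGAIN, so it is worth confirming nothing between here and the setuid() does, or moving the call to just before the privileges are actually dropped. Two smaller points: whether this really prevents fork() depends on restrict_process_size() lowering the hard limit as well as the soft one (otherwise a later setrlimit() can undo it), which the comment should say; and `(unsigned int)-1` as the "no limit" sentinel is now used in two files, so a named constant in restrict-process-size.h would read better than the cast.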
cvs server: Diffing src/master
Index: src/master/login-process.c
===================================================================
RCS file: /home/cvs/dovecot/src/master/login-process.c,v
retrieving revision 1.40
diff -u -r1.40 login-process.c
--- src/master/login-process.c 15 Apr 2003 16:58:48 -0000 1.40
+++ src/master/login-process.c 27 Apr 2003 01:17:47 -0000
@@ -479,7 +479,7 @@
i_fatal("chdir(%s) failed: %m", set->login_dir);
}
- restrict_process_size(group->set->process_size, 0);
+ restrict_process_size(group->set->process_size, (unsigned int)-1);
/* make sure we don't leak syslog fd, but do it last so that
any errors above will be logged */
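Review bot: replacing `0` with `(unsigned int)-1` means the master no longer pins the login child's process count before it execs, which matches the quoted grsec line (limit 0 reported by dovecot:10246 whose parent is the master, dovecot:634), but it also leaves the freshly exec'd login binary with no RLIMIT_NPROC until drop_privileges() in src/login-common/main.c sets it; that is acceptable only if nothing before that point forks, and a one-line comment here pointing at the other call site would save the next reader from wondering why the limit disappeared from this hunk.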
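To answer the "immediately at setrlimit() or at exec()?" question above, here is an added C example (my own code, not Dovecot's): it lowers RLIMIT_NPROC to 0 the way restrict_process_size(..., 0) is assumed to, then attempts one fork(). The setrlimit() call itself succeeds; the refusal, with errno EAGAIN, only comes from fork(). On a stock Linux kernel a process running as UID 0 is exempt from that check, which is why the quoted grsecurity log, which enforces the limit for UID(0) too, is stricter than what the patch would see elsewhere.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum fork_result { FORK_BLOCKED = 0, FORK_ALLOWED = 1, LIMIT_FAILED = -1 };

/* Lower soft and hard RLIMIT_NPROC to 0, which is what restrict_process_size(..., 0)
 * is assumed to do. The hard limit must drop too, or the process could raise the
 * soft limit back with a second setrlimit() call. */
int forbid_fork(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_NPROC, &rl);
}

/* setrlimit() first, then one fork(). Nothing is checked at setrlimit() time
 * (that call succeeds); the refusal comes from fork(), with errno EAGAIN. The
 * child exits at once and the parent reaps it. *err receives errno on failure. */
enum fork_result run_experiment(int *err)
{
    pid_t pid;
    if (forbid_fork() != 0) {
        *err = errno;
        return LIMIT_FAILED;
    }
    pid = fork();
    if (pid < 0) {
        *err = errno;
        return FORK_BLOCKED;
    }
    if (pid == 0)
        _exit(0);                 /* child: do nothing, exit immediately */
    waitpid(pid, NULL, 0);
    *err = 0;
    return FORK_ALLOWED;          /* on stock Linux, expected only for UID 0 */
}

int main(void)
{
    int err = 0;
    enum fork_result r = run_experiment(&err);
    if (r == FORK_ALLOWED)
        printf("fork() allowed (euid %d): root bypasses RLIMIT_NPROC here\n", (int)geteuid());
    else
        printf("%s failed: %s\n", r == FORK_BLOCKED ? "fork()" : "setrlimit()", strerror(err));
    return 0;
}
```

Run it as an unprivileged user to see the EAGAIN; run it as root on a stock kernel to see the bypass that makes the placement of the call relative to setuid() matter.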