Gentoo Forums
spamdyke on hardened - RLIMIT_AS
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 42576
Location: 56N 3W

Posted: Sun Apr 26, 2015 10:48 pm    Post subject: spamdyke on hardened - RLIMIT_AS

Team,

I am trying to run spamdyke in front of qmail on a gentoo-hardened system. It's a KVM but that probably doesn't matter.

dmesg tells me
Code:
grsec: From 212.23.1.5: denied resource overstep by requesting 16228352 for RLIMIT_AS against limit 16000000 for /usr/bin/spamdyke[spamdyke:1626]

and /var/log/qmail/qmail-smtpd/current tells
Code:
@40000000553d65a02edc836c /usr/bin/spamdyke: error while loading shared libraries: libz.so.1: failed to map segment from shared object.
So it looks like spamdyke needs more than a 16Mb address space.
spamdyke is made up of
Code:
# lddtree /usr/bin/spamdyke
spamdyke => /usr/bin/spamdyke (interpreter => /lib64/ld-linux-x86-64.so.2)
    libssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0
    libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0
        libdl.so.2 => /lib64/libdl.so.2
        libz.so.1 => /lib64/libz.so.1
    libc.so.6 => /lib64/libc.so.6


RLIMIT_AS against limit 16000000 says it's allowed 16Mb of address space.
Having tried to change it in /etc/security/limits.conf and with ulimit -v in a wrapper script, nothing will change the RLIMIT_AS - not even downwards.

Where is RLIMIT_AS set and how can I change it?
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
boozo
Advocate


Joined: 01 Jul 2004
Posts: 3193

Posted: Mon Apr 27, 2015 9:13 am    Post subject:

Sir Neddy,

Just an idea, according to this: it seems that you should search directly in the spamdyke source code.

N.B. I should point out that I've never had to do anything with any "AS" setting (noob inside), but there is an example of defining these $vars in the RSBAC handbook (§ Resources restrictions) too ...
_________________
"A psychotic is someone who firmly believes that 2 and 2 make 5, and is perfectly happy about it.
A neurotic is someone who knows perfectly well that 2 and 2 make 4, and it makes him sick!"
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 42576
Location: 56N 3W

Posted: Mon Apr 27, 2015 4:53 pm    Post subject:

boozo,

Thank you for the pointer. I'll look later this evening if I don't run out of time.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 42576
Location: 56N 3W

Posted: Tue Apr 28, 2015 10:34 pm    Post subject:

qmail runs under softlimit=16000000 and it seems as if it's not enough.
That's not all of the issue. I have to soften the hardening a little by turning off address space randomisation under the PAX settings in the kernel too.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
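
Added example, not part of the thread and not code from spamdyke, qmail or daemontools: a limit set with setrlimit() is inherited across fork and exec, and any mapping that would take the process past its soft RLIMIT_AS fails with ENOMEM, which the dynamic loader reports as "failed to map segment from shared object". The helper name try_map is hypothetical, and the 16228352-byte request is just the figure from the grsec line reused as a convenient size.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: fork a child, cap its soft RLIMIT_AS at as_limit
 * (never above the hard limit), then request one anonymous mapping of
 * len bytes. Returns 0 if the mapping succeeded, the child's errno if
 * it failed, or -1 if the experiment itself could not be run. */
static int try_map(rlim_t as_limit, size_t len)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit rl;
        if (getrlimit(RLIMIT_AS, &rl) != 0)
            _exit(255);
        rl.rlim_cur = (as_limit > rl.rlim_max) ? rl.rlim_max : as_limit;
        if (setrlimit(RLIMIT_AS, &rl) != 0)
            _exit(255);
        void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        _exit(p == MAP_FAILED ? errno : 0);   /* errno travels as exit code */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

int main(void)
{
    const size_t wanted = 16228352;   /* figure borrowed from the grsec line */
    int capped = try_map(16000000, wanted);        /* the softlimit value */
    int raised = try_map(RLIM_INFINITY, wanted);   /* soft limit = hard limit */
    printf("limit 16000000: %s\n", capped ? strerror(capped) : "mapped");
    printf("limit raised:   %s\n", raised ? strerror(raised) : "mapped");
    return 0;
}
```

To see which limit a running process actually inherited, read the "Max address space" row of /proc/<pid>/limits.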