From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from <gentoo-hardened+bounces-2254-garchives=archives.gentoo.org@lists.gentoo.org>)
	id 1L039n-0005gm-AV
	for garchives@archives.gentoo.org; Wed, 12 Nov 2008 00:00:27 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 5D6ABE0370;
	Wed, 12 Nov 2008 00:00:07 +0000 (UTC)
Received: from rv-out-0708.google.com (rv-out-0708.google.com [209.85.198.249])
	by pigeon.gentoo.org (Postfix) with ESMTP id 17720E0361
	for <gentoo-hardened@lists.gentoo.org>; Wed, 12 Nov 2008 00:00:07 +0000 (UTC)
Received: by rv-out-0708.google.com with SMTP id b17so128997rvf.46
        for <gentoo-hardened@lists.gentoo.org>; Tue, 11 Nov 2008 16:00:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:received:received:message-id:date:from:to
         :subject:in-reply-to:mime-version:content-type
         :content-transfer-encoding:content-disposition:references;
        bh=C1nu6miZHgnKlhQZ5VlofanB6ZtFRhMr9mFhJdESvt4=;
        b=mpjiJTKCpO0ZHEaNLqbJhxIC1tj2hD0GV/afh8GnjBFprX2rY7+V1/u9fVJSlQulTU
         VFqzzkICB+j06PPa2FSYnoByEIyzMWjkEuHX7iTjBIpb9ue9zCVBxWUpVCoIBBkE13nZ
         sUB63s4uYhULMc5nCMZ5KOYRHZM7PDWJ5yYJg=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=message-id:date:from:to:subject:in-reply-to:mime-version
         :content-type:content-transfer-encoding:content-disposition
         :references;
        b=gLsxFrVhAoJXaXToaQQdOpMzNU+vr+QuU/gNZHxgClbKAcj7cdI3R9OJMBz0R0Cksh
         pOuGAvHDvoHgPG26XAeaj7hDI967HbuvkXkdFzYEKWdIUBDfB2m39qfnvRGWva01nHSl
         FvloUR/tM50PVBTTWNe74msD93nAeZ5kdVX5Q=
Received: by 10.140.226.14 with SMTP id y14mr4554277rvg.237.1226448005161;
        Tue, 11 Nov 2008 16:00:05 -0800 (PST)
Received: by 10.141.82.16 with HTTP; Tue, 11 Nov 2008 16:00:05 -0800 (PST)
Message-ID: <279fbba40811111600q1ae72296i2320b34839581260@mail.gmail.com>
Date: Wed, 12 Nov 2008 00:00:05 +0000
From: "Kerin Millar" <kerframil@gmail.com>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] what RLIMIT_STACK mean?
In-Reply-To: <49183A77.9865.1577A2D@pageexec.freemail.hu>
Precedence: bulk
List-Post: <mailto:gentoo-hardened@lists.gentoo.org>
List-Help: <mailto:gentoo-hardened+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-hardened+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-hardened+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-hardened.gentoo.org>
X-BeenThere: gentoo-hardened@lists.gentoo.org
Reply-to: gentoo-hardened@lists.gentoo.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <c2125bcb7fde59cdb77b1b8de3cef95a.squirrel@atoth.sote.hu>
	 <a1721b25d260be1dadffa6421edcbe20.squirrel@atoth.sote.hu>
	 <20081110132427.GB19578@gmail.com>
	 <49183A77.9865.1577A2D@pageexec.freemail.hu>
X-Archives-Salt: e4ae99c1-5036-4ab2-aee9-533d04bea0a1
X-Archives-Hash: 7a1ac96b87ab920d1dc45abb39bd64d4

2008/11/10  <pageexec@freemail.hu>:
> On 10 Nov 2008 at 7:24, Brian Kroth wrote:
>
>> atoth@atoth.sote.hu <atoth@atoth.sote.hu> 2008-11-10 12:31:

[snip]

>> grsec: denied resource overstep by requesting 4511036391424 for
>> RLIMIT_STACK against limit 8388608 for /bin/pwd[pwd:18765]
>> uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:18636]
>> uid/euid:1000/1000 gid/egid:1000/1000
>
> now this one definitely looks fishy and spender's looking into it already.

I experience a similar pattern with postfix. Here's a recent excerpt
from my kernel buffer:

[   59.748463] grsec: denied resource overstep by requesting
6014915829760 for RLIMIT_STACK against limit 8388608 for
/etc/postfix/postfix-script[postfix-script:2981] uid/euid:0/0
gid/egid:0/0, parent /lib64/rc/sh/runscript.sh[runscript.sh:2962]
uid/euid:0/0 gid/egid:0/0
[91229.698383] grsec: From 212.183.136.195: denied resource overstep
by requesting 2982265733120 for RLIMIT_STACK against limit 8388608 for
/etc/postfix/postfix-script[postfix-script:15670] uid/euid:0/0
gid/egid:0/0, parent /lib64/rc/sh/runscript.sh[runscript.sh:15663]
uid/euid:0/0 gid/egid:0/0
[91466.615149] grsec: From 212.183.136.195: denied resource overstep
by requesting 7585593999360 for RLIMIT_STACK against limit 8388608 for
/etc/postfix/postfix-script[postfix-script:15876] uid/euid:0/0
gid/egid:0/0, parent /lib64/rc/sh/runscript.sh[runscript.sh:15869]
uid/euid:0/0 gid/egid:0/0
[91852.302529] grsec: From 212.183.136.195: denied resource overstep
by requesting 4286678908928 for RLIMIT_STACK against limit 8388608 for
/etc/postfix/postfix-script[postfix-script:16148] uid/euid:0/0
gid/egid:0/0, parent /lib64/rc/sh/runscript.sh[runscript.sh:16141]
uid/euid:0/0 gid/egid:0/0
[97084.194476] grsec: From 192.168.254.88: denied resource overstep by
requesting 12760106696704 for RLIMIT_STACK against limit 8388608 for
/etc/postfix/postfix-script[postfix-script:18069] uid/euid:0/0
gid/egid:0/0, parent /lib64/rc/sh/runscript.sh[runscript.sh:18062]
uid/euid:0/0 gid/egid:0/0
[97084.591375] grsec: From 192.168.254.88: denied resource overstep by
requesting 6147866898432 for RLIMIT_STACK against limit 8388608 for
/etc/postfix/postfix-script[postfix-script:18084] uid/euid:0/0
gid/egid:0/0, parent /lib64/rc/sh/runscript.sh[runscript.sh:18076]
uid/euid:0/0 gid/egid:0/0
[97104.279223] grsec: From 192.168.254.88: denied resource overstep by
requesting 3078062882816 for RLIMIT_STACK against limit 8388608 for
/etc/postfix/postfix-script[postfix-script:18183] uid/euid:0/0
gid/egid:0/0, parent /lib64/rc/sh/runscript.sh[runscript.sh:18175]
uid/euid:0/0 gid/egid:0/0
[98499.165117] grsec: From 192.168.254.88: denied resource overstep by
requesting 973333118976 for RLIMIT_STACK against limit 8388608 for
/etc/postfix/postfix-script[postfix-script:18685] uid/euid:0/0
gid/egid:0/0, parent /lib64/rc/sh/runscript.sh[runscript.sh:18677]
uid/euid:0/0 gid/egid:0/0
[335157.025790] grsec: From 212.183.134.66: denied resource overstep
by requesting 10497186820096 for RLIMIT_STACK against limit 8388608
for /etc/postfix/postfix-script[postfix-script:1557] uid/euid:0/0
gid/egid:0/0, parent /lib64/rc/sh/runscript.sh[runscript.sh:1550]
uid/euid:0/0 gid/egid:0/0
[431086.838131] grsec: From 192.168.254.88: denied resource overstep
by requesting 3096323715072 for RLIMIT_STACK against limit 8388608 for
/etc/postfix/postfix-script[postfix-script:23575] uid/euid:0/0
gid/egid:0/0, parent /lib64/rc/sh/runscript.sh[runscript.sh:23568]
uid/euid:0/0 gid/egid:0/0

This has been going on for a long time now. I had assumed that postfix
was to blame and was intending to investigate further at some point
(but, of course, I never did). If there is anything that I can do that
may help to shed light on the matter then please do let me know.

Cheers,

--Kerin