# postfix and procmail resource overstepping

## eradicator

I'm having some odd messages appearing in the kernel log on startup of postfix:

```
grsec: denied resource overstep by requesting 92804516773888 for RLIMIT_STACK against limit 8388608 for /etc/postfix/postfix-script[postfix-script:7793] uid/euid:0/0 gid/egid:0/0, parent /sbin/runscript.sh[runscript.sh:7792] uid/euid:0/0 gid/egid:0/0
grsec: denied resource overstep by requesting 51200000 for RLIMIT_FSIZE against limit 51200000 for /usr/bin/procmail[procmail:10696] uid/euid:1000/1000 gid/egid:100/100, parent /usr/lib64/postfix/local[local:10694] uid/euid:0/207 gid/egid:0/207
grsec: denied resource overstep by requesting 51200000 for RLIMIT_FSIZE against limit 51200000 for /usr/bin/procmail[procmail:10696] uid/euid:1000/1000 gid/egid:100/100, parent /usr/lib64/postfix/local[local:10694] uid/euid:0/207 gid/egid:0/207
grsec: denied resource overstep by requesting 51200000 for RLIMIT_FSIZE against limit 51200000 for /usr/bin/procmail[procmail:10696] uid/euid:1000/1000 gid/egid:100/100, parent /usr/lib64/postfix/local[local:10694] uid/euid:0/207 gid/egid:0/207
grsec: denied resource overstep by requesting 51200000 for RLIMIT_FSIZE against limit 51200000 for /usr/bin/procmail[procmail:10696] uid/euid:1000/1000 gid/egid:100/100, parent /usr/lib64/postfix/local[local:10694] uid/euid:0/207 gid/egid:0/207
grsec: denied resource overstep by requesting 51200000 for RLIMIT_FSIZE against limit 51200000 for /usr/bin/procmail[procmail:10696] uid/euid:1000/1000 gid/egid:100/100, parent /usr/lib64/postfix/local[local:10694] uid/euid:0/207 gid/egid:0/207
```

Firstly, what's going on with the RLIMIT_STACK there? Why could it possibly be requesting 92TB of stack space? Is this a postfix bug?

Secondly, what is up with procmail?  I don't see the problem since the request equally matches the limit.  Am I missing something?  Additionally, I don't have any limits set in /etc/security/limits.conf (fsize defaults to unlimited), so this fsize limit is set within the application.  The only thing I can think of is someone sent a mail > 50 MB, but I doubt that's the case...

----------

## lavish

Same problem here with postfix:

```
Jun 23 13:53:04 nebula grsec: denied resource overstep by requesting 150667264 for RLIMIT_STACK against limit 8388608 for /etc/postfix/postfix-script[postfix-script:4102] uid/euid:0/0 gid/egid:0/0, parent /sbin/runscript.sh[runscript.sh:4101] uid/euid:0/0 gid/egid:0/0
```

My emerge --info (nothing strange):

```
Portage 2.1.2.7 (hardened/x86/2.6, gcc-3.4.6, glibc-2.5-r3, 2.6.20-hardened-r5 i686)
=================================================================
System uname: 2.6.20-hardened-r5 i686 Pentium III (Coppermine)
Gentoo Base System release 1.12.9
Timestamp of tree: Wed, 20 Jun 2007 18:00:07 +0000
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.60
sys-devel/automake:  1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=i686 -O2 -pipe -fforce-addr"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=i686 -O2 -pipe -fforce-addr"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LC_ALL="en_US.utf8"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl apache2 berkdb crypt hardened nls nptl pam pic readline ssl tcpd urandom x86 xorg zlib" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, LINGUAS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
```

//EDIT: I rebooted with a grsecurity-disabled kernel (but PaX enabled) and postfix is working fine. Here is a diff of the two kernel config files:

```
nebula lavish # diff /boot/config-2.6.20-grsec /boot/config-2.6.20-vanilla

4c4

< # Sat Jun 23 10:32:44 2007

---

> # Sat Jun 23 15:09:23 2007

52a53,55

> CONFIG_KALLSYMS=y

> # CONFIG_KALLSYMS_ALL is not set

> # CONFIG_KALLSYMS_EXTRA_PASS is not set

997a1001

> # CONFIG_PROC_KCORE is not set

1184,1268c1188

< CONFIG_GRKERNSEC=y

< # CONFIG_GRKERNSEC_LOW is not set

< # CONFIG_GRKERNSEC_MEDIUM is not set

< # CONFIG_GRKERNSEC_HIGH is not set

< CONFIG_GRKERNSEC_CUSTOM=y

< 

< #

< # Address Space Protection

< #

< CONFIG_GRKERNSEC_KMEM=y

< CONFIG_GRKERNSEC_IO=y

< CONFIG_GRKERNSEC_PROC_MEMMAP=y

< CONFIG_GRKERNSEC_BRUTE=y

< CONFIG_GRKERNSEC_HIDESYM=y

< 

< #

< # Role Based Access Control Options

< #

< CONFIG_GRKERNSEC_ACL_HIDEKERN=y

< CONFIG_GRKERNSEC_ACL_MAXTRIES=3

< CONFIG_GRKERNSEC_ACL_TIMEOUT=30

< 

< #

< # Filesystem Protections

< #

< CONFIG_GRKERNSEC_PROC=y

< CONFIG_GRKERNSEC_PROC_USER=y

< CONFIG_GRKERNSEC_PROC_ADD=y

< CONFIG_GRKERNSEC_LINK=y

< CONFIG_GRKERNSEC_FIFO=y

< CONFIG_GRKERNSEC_CHROOT=y

< CONFIG_GRKERNSEC_CHROOT_MOUNT=y

< CONFIG_GRKERNSEC_CHROOT_DOUBLE=y

< CONFIG_GRKERNSEC_CHROOT_PIVOT=y

< CONFIG_GRKERNSEC_CHROOT_CHDIR=y

< CONFIG_GRKERNSEC_CHROOT_CHMOD=y

< CONFIG_GRKERNSEC_CHROOT_FCHDIR=y

< CONFIG_GRKERNSEC_CHROOT_MKNOD=y

< CONFIG_GRKERNSEC_CHROOT_SHMAT=y

< CONFIG_GRKERNSEC_CHROOT_UNIX=y

< CONFIG_GRKERNSEC_CHROOT_FINDTASK=y

< CONFIG_GRKERNSEC_CHROOT_NICE=y

< CONFIG_GRKERNSEC_CHROOT_SYSCTL=y

< CONFIG_GRKERNSEC_CHROOT_CAPS=y

< 

< #

< # Kernel Auditing

< #

< # CONFIG_GRKERNSEC_AUDIT_GROUP is not set

< # CONFIG_GRKERNSEC_EXECLOG is not set

< CONFIG_GRKERNSEC_RESLOG=y

< # CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set

< # CONFIG_GRKERNSEC_AUDIT_CHDIR is not set

< # CONFIG_GRKERNSEC_AUDIT_MOUNT is not set

< # CONFIG_GRKERNSEC_AUDIT_IPC is not set

< # CONFIG_GRKERNSEC_SIGNAL is not set

< # CONFIG_GRKERNSEC_FORKFAIL is not set

< # CONFIG_GRKERNSEC_TIME is not set

< # CONFIG_GRKERNSEC_PROC_IPADDR is not set

< # CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

< 

< #

< # Executable Protections

< #

< # CONFIG_GRKERNSEC_EXECVE is not set

< CONFIG_GRKERNSEC_SHM=y

< CONFIG_GRKERNSEC_DMESG=y

< # CONFIG_GRKERNSEC_TPE is not set

< 

< #

< # Network Protections

< #

< CONFIG_GRKERNSEC_RANDNET=y

< # CONFIG_GRKERNSEC_SOCKET is not set

< 

< #

< # Sysctl support

< #

< # CONFIG_GRKERNSEC_SYSCTL is not set

< 

< #

< # Logging Options

< #

< CONFIG_GRKERNSEC_FLOODTIME=10

< CONFIG_GRKERNSEC_FLOODBURST=4

---

> # CONFIG_GRKERNSEC is not set
```
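
Review bot: In the 1184,1268c1188 hunk, CONFIG_GRKERNSEC_RESLOG=y (under "Kernel Auditing") is dropped together with every other CONFIG_GRKERNSEC_* option, so this comparison changes the logging and everything else at once and cannot show which of them made the message disappear. A narrower test is a grsec kernel that differs from config-2.6.20-grsec in one option at a time, starting with CONFIG_GRKERNSEC_RESLOG.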

----------

## eradicator

*lavish wrote:*

> I rebooted with a grsecurity-disabled kernel (but PaX enabled) and postfix is working fine

Postfix appears to be working fine despite the messages appearing in my kernel log.  Your disabling grsec is disabling the logging feature, so you may still be experiencing the problem only it's not being logged.

----------

## X-Drum

*eradicator wrote:*

> *lavish wrote:*
>
> > I rebooted with a grsecurity-disabled kernel (but PaX enabled) and postfix is working fine
>
> Postfix appears to be working fine despite the messages appearing in my kernel log.  Your disabling grsec is disabling the logging feature, so you may still be experiencing the problem only it's not being logged.

Hi,

I have the same "problem": the log is full of this kind of message, but postfix works fine:

```
grsec: From 88.XXX.XXX.XXX: denied resource overstep by requesting 10240000 for RLIMIT_FSIZE against limit 10240000 for /usr/lib/postfix/cleanup[cleanup:2073] uid/euid:207/207 gid/egid:207/207, parent /usr/lib/postfix/master[master:8956] uid/euid:0/0 gid/egid:0/0

grsec: From 88.XXX.XXX.XXX: denied resource overstep by requesting 10240000 for RLIMIT_FSIZE against limit 10240000 for /usr/lib/postfix/cleanup[cleanup:2962] uid/euid:207/207 gid/egid:207/207, parent /usr/lib/postfix/master[master:8956] uid/euid:0/0 gid/egid:0/0
```

----------

## eradicator

It turns out the procmail fsize error was because I had VERBOSE=on in my .procmailrc and the log file crossed that threshold.

As for the stack size, I'm still bewildered...

----------

## wschlich

I am pretty sure a glibc-upgrade from 2.3 to 2.5 on hardened caused this.

I had a hardened machine with glibc-2.5 experiencing this RLIMIT_STACK error regarding postfix and another one with almost the same installation and package versions, except it was running glibc-2.3.6. After having upgraded that glibc-2.3.6 to 2.5, the errors also started occurring on that machine where they previously weren't.

I guess we should try to get some hardened devs to look into this...

----------

## eradicator

*wschlich wrote:*

> I am pretty sure a glibc-upgrade from 2.3 to 2.5 on hardened caused this.

You know what, I think you're right, but I don't think it's specific to hardened.  It's just grsec's logging detects the problem.  I use hardened sources on my normal boxes for extra auditing and security but not the hardened toolchain (ie, no pax, just basic grsec in the kernel), and I noticed this problem on both those boxes and my hardened boxes.  My normal boxes are now at glibc-2.6, and I just noticed this problem is gone.  My hardened-x86 box however is still at glibc-2.5 and throwing these stack limit errors.

----------
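
An added example, not part of any post in this thread: a small triage script for the `denied resource overstep` lines quoted above, separating the "request equals limit" pattern (the RLIMIT_FSIZE lines) from the "request far above limit" pattern (the RLIMIT_STACK lines). The function names and the `at_limit`/`over_limit` labels are assumptions made for this example; the matching lines in `SAMPLE` are copied from the posts, and the last one is constructed.

```python
import re
from collections import Counter

# Matches the grsecurity resource-overstep message format seen in this thread,
# with or without a syslog prefix and the optional "From <ip>:" field.
PATTERN = re.compile(
    r"grsec: (?:From (?P<src>\S+): )?denied resource overstep by requesting "
    r"(?P<requested>\d+) for (?P<resource>RLIMIT_\w+) against limit (?P<limit>\d+) "
    r"for (?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:\d+/\d+, "
    r"parent (?P<parent>\S+)\["
)

def parse(line):
    """Return a dict of fields for one overstep line, or None if it does not match."""
    m = PATTERN.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("requested", "limit", "pid", "uid", "euid"):
        rec[key] = int(rec[key])
    # requested == limit is the pattern of the RLIMIT_FSIZE lines in the thread;
    # requested > limit is the pattern of the RLIMIT_STACK lines.
    rec["kind"] = "at_limit" if rec["requested"] == rec["limit"] else "over_limit"
    rec["ratio"] = rec["requested"] / rec["limit"] if rec["limit"] else None
    return rec

def summarize(lines):
    """Count denials per (resource, executable, kind) and keep the largest request."""
    counts, worst = Counter(), {}
    for rec in filter(None, map(parse, lines)):
        key = (rec["resource"], rec["exe"], rec["kind"])
        counts[key] += 1
        worst[key] = max(worst.get(key, 0), rec["requested"])
    return [(k, counts[k], worst[k]) for k in sorted(counts)]

# Sample input: log lines copied from the posts above, plus one constructed non-matching line.
SAMPLE = [
    "grsec: denied resource overstep by requesting 92804516773888 for RLIMIT_STACK against limit 8388608 for /etc/postfix/postfix-script[postfix-script:7793] uid/euid:0/0 gid/egid:0/0, parent /sbin/runscript.sh[runscript.sh:7792] uid/euid:0/0 gid/egid:0/0",
    "grsec: denied resource overstep by requesting 51200000 for RLIMIT_FSIZE against limit 51200000 for /usr/bin/procmail[procmail:10696] uid/euid:1000/1000 gid/egid:100/100, parent /usr/lib64/postfix/local[local:10694] uid/euid:0/207 gid/egid:0/207",
    "grsec: denied resource overstep by requesting 51200000 for RLIMIT_FSIZE against limit 51200000 for /usr/bin/procmail[procmail:10696] uid/euid:1000/1000 gid/egid:100/100, parent /usr/lib64/postfix/local[local:10694] uid/euid:0/207 gid/egid:0/207",
    "Jun 23 13:53:04 nebula grsec: denied resource overstep by requesting 150667264 for RLIMIT_STACK against limit 8388608 for /etc/postfix/postfix-script[postfix-script:4102] uid/euid:0/0 gid/egid:0/0, parent /sbin/runscript.sh[runscript.sh:4101] uid/euid:0/0 gid/egid:0/0",
    "grsec: From 88.XXX.XXX.XXX: denied resource overstep by requesting 10240000 for RLIMIT_FSIZE against limit 10240000 for /usr/lib/postfix/cleanup[cleanup:2073] uid/euid:207/207 gid/egid:207/207, parent /usr/lib/postfix/master[master:8956] uid/euid:0/0 gid/egid:0/0",
    "kernel: constructed unrelated line that must be ignored",
]

if __name__ == "__main__":
    for (resource, exe, kind), n, biggest in summarize(SAMPLE):
        print(f"{resource:13} {kind:10} x{n} max={biggest:>15} {exe}")
```

Grouping by executable and kind collapses repeated denials from one process into a single row, so a new resource or a new `over_limit` source stands out from routine `at_limit` repeats.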

