grsecurity forums

by **666** » Fri Feb 07, 2003 9:39 am

Hello,

I am getting the following on syslog:

Feb 7 06:31:28 localhost kernel: grsec: attempted resource overstep by requesting 1024 for RLIMIT_NOFILE against limit 1024 by (squid:1920) UID(99) EUID(99), parent (squid:1916) UID(0) EUID(0)
Feb 7 06:31:28 localhost kernel: grsec: attempted resource overstep by requesting 1024 for RLIMIT_NOFILE against limit 1024 by (squid:1920) UID(99) EUID(99), parent (squid:1916) UID(0) EUID(0)
Feb 7 06:31:29 localhost kernel: grsec: more attempted resource overstepping, logging disabled for 5 seconds
Feb 7 06:31:35 localhost kernel: grsec: From 90.0.0.6: attempted resource overstep by requesting 1024 for RLIMIT_NOFILE against limit 1024 by (squid:1920) UID(99) EUID(99), parent (squid:1916) UID(0) EUID(0)
Feb 7 06:31:49 localhost kernel: grsec: From 90.0.0.6: attempted resource overstep by requesting 1024 for RLIMIT_NOFILE against limit 1024 by (squid:1920) UID(99) EUID(99), parent (squid:1916) UID(0) EUID(0)

Obviously, squid is bailing out with 'Too Many Open Files'. Now, max open files is set 32768 (both hard and soft limits) everywhere. But I have 'NR_OPEN 1024' in /usr/include/linux/limits.h.

Is this where RLIMIT_NOFILE coming from?

How do I set RLIMIT_NOFILE, RLIMIT_STACK?

Thanks in advance!

Tesla

by **Debiant** » Fri Feb 07, 2003 11:48 am

Hi,
I'm fairly new to this myself, but you can set resource limits in your ACL for the squid binary

/path/to/squid {
/h
..
RES_NOFILE 1024 2048
RES_STACK 32000 128000
..
-CAP_ALL
..
}

The format is RES_* <soft limit> <hard limit>

Hope that helps.

by **spender** » Fri Feb 07, 2003 4:13 pm

I sent a reply to this on the message board, but for everyone here, my general answer was that RLIMIT_NOFILE can't be raised above NR_OPEN (1024). It's unlikely that squid needs more than that many open files, so this may suggest there's a bug in squid. If squid legitimately needs to open more than 1024 files per process, NR_OPEN needs to be changed in the kernel, and userspace apps need to be recompiled.

-Brad

by **666** » Fri Feb 07, 2003 6:34 pm

-Debiant
Thanks! I am not using the ACL system when I am getting those.

-Brad
lsof shows about 300 files open on the system now.

I am the only person using squid and it is very unlikely it will need that many file descriptors. I don't mind recompiling with NR_OPEN set to something higher than that but there seems to be something wrong.

Is there a way to debug this and find out what those files are?

Also, I have been getting:

grsec: attempted resource overstep by requesting 13516800 for RLIMIT_STACK against limit 8388608 by (ps:2668) UID(0) EUID(0), parent (watch:2665) UID(0) EUID(0)
grsec: attempted resource overstep by requesting 13516800 for RLIMIT_STACK against limit 8388608 by (ps:2668) UID(0) EUID(0), parent (watch:2665) UID(0) EUID(0)

All ps does is `ps -ax` and there are about 30-40 processes on the system.

by **666** » Fri Feb 07, 2003 10:48 pm

Alright, this was a bug in squid-2.5-STABLE1. /etc/hosts were being opened once more on SIGHUP or squid -k reconfigure. They fixed it. It still would be good if someone can answer my questions.

by **spender** » Fri Feb 07, 2003 10:55 pm

all of the stuff you're reporting is userspace bugs, not stuff related to grsecurity. Like I said on the mailing list, grsecurity is only reporting these things, so even if you weren't using grsecurity, they would still be happening, but you just wouldn't know it. The RLIMIT_STACK stuff is also some bug in ps.

-Brad