[exim] exim4 needs CAP_SYS_RESOURCE?

Author: Marc Schiffbauer
Date:
To: exim-users
Subject: [exim] exim4 needs CAP_SYS_RESOURCE?
Hi all,

I am a bit confused because my exim 4.34 wants to make use of the
Linux SYS_RESOURCE Capability.

My question is: Does anybody know if it really needs it? And if yes,
why?

I have a Debian woody box with exim4 backport and grsecurity acl
system running and it was complaining about that issue.

Seems that apache generating an email is causing this.

I had these messages in syslog at exactly the same time.
(Sorry for long lines)

grsec: (www-data:U:/usr/sbin/exim4) use of CAP_SYS_RESOURCE denied for /usr/sbin/exim4[sendmail:4320] uid/euid:33/0 gid/egid:33/33, parent /usr/sbin/apache uid/euid:33/33 gid/egid:33/33
grsec: (mail:U:/usr/sbin/exim4) use of CAP_SYS_RESOURCE denied for /usr/sbin/exim4[exim4:31806] uid/euid:8/0 gid/egid:8/8, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
grsec: (www-data:U:/usr/sbin/exim4) use of CAP_SYS_RESOURCE denied for /usr/sbin/exim4[sendmail:4320] uid/euid:33/0 gid/egid:33/33, parent /usr/sbin/apache[apache:29106] uid/euid:33/33 gid/egid:33/33
grsec: (mail:U:/usr/sbin/exim4) use of CAP_SYS_RESOURCE denied for /usr/sbin/exim4[exim4:31806] uid/euid:8/0 gid/egid:8/8, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

From the grsec documentation:


CAP_SYS_RESOURCE:
· Override resource limits. Set resource limits;
· Override quota limits;
· Override reserved space on ext2 filesystem;
· Modify data journaling mode on ext3 filesystem (uses journaling resources);
NOTE: ext2 honors fsuid when checking for resource overrides,
so you can override using fsuid too;
· Override size restrictions on IPC message queues;
· Allow more than 64hz interrupts from the real-time clock;
· Override max number of consoles on console allocation;
· Override max number of keymaps.


Thanks for any hints
-Marc


-- 
°    <M3rlin-> what is the legal age to buy alcoholic in england ? °
°  <p5Ds13a06> you cant buy alcoholics                             °
°  <p5Ds13a06> but if you wink the right way,                      °
°              some of them will follow you home for free          °
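
An added example, not part of the original post: a Python sketch that parses the grsec capability-denial lines quoted in the message and groups them by role, capability, binary and parent. The field names and the `setuid_root` flag are this example's own, and the pattern is inferred only from the four quoted lines, not from a grsecurity format specification.

```python
import re
from collections import Counter

# Lines copied from the syslog excerpt in the post. The first one has no
# "[comm:pid]" after the parent path, so that part is treated as optional.
LOG = [
    "grsec: (www-data:U:/usr/sbin/exim4) use of CAP_SYS_RESOURCE denied for /usr/sbin/exim4[sendmail:4320] uid/euid:33/0 gid/egid:33/33, parent /usr/sbin/apache uid/euid:33/33 gid/egid:33/33",
    "grsec: (mail:U:/usr/sbin/exim4) use of CAP_SYS_RESOURCE denied for /usr/sbin/exim4[exim4:31806] uid/euid:8/0 gid/egid:8/8, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "grsec: (www-data:U:/usr/sbin/exim4) use of CAP_SYS_RESOURCE denied for /usr/sbin/exim4[sendmail:4320] uid/euid:33/0 gid/egid:33/33, parent /usr/sbin/apache[apache:29106] uid/euid:33/33 gid/egid:33/33",
    "grsec: (mail:U:/usr/sbin/exim4) use of CAP_SYS_RESOURCE denied for /usr/sbin/exim4[exim4:31806] uid/euid:8/0 gid/egid:8/8, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
]

# Reusable fragments: a process ("path[comm:pid]") and its credentials.
PROC = r"(?P<{p}path>/\S+?)(?:\[(?P<{p}comm>[^:\]]+):(?P<{p}pid>\d+)\])?"
IDS = r"uid/euid:(?P<{p}uid>\d+)/(?P<{p}euid>\d+) gid/egid:(?P<{p}gid>\d+)/(?P<{p}egid>\d+)"
DENIAL = re.compile(
    r"grsec: \((?P<role>[^:]+):(?P<rtype>[^:]+):(?P<subject>[^)]+)\) "
    r"use of (?P<cap>CAP_[A-Z_]+) denied for "
    + PROC.format(p="") + " " + IDS.format(p="")
    + ", parent " + PROC.format(p="p_") + " " + IDS.format(p="p_")
)

def parse(line):
    """Return the fields of one denial line as a dict, or None if it does not match."""
    m = DENIAL.search(line)
    if m is None:
        return None
    d = m.groupdict()
    for key in [k for k in d if k.endswith(("uid", "gid"))]:
        d[key] = int(d[key])
    # Real uid != 0 but effective uid 0: consistent with a set-uid root binary
    # started by an unprivileged caller.
    d["setuid_root"] = d["uid"] != 0 and d["euid"] == 0
    return d

def summarize(lines):
    """Count denials per (role, capability, binary, comm, parent, setuid_root)."""
    counts = Counter()
    for d in filter(None, map(parse, lines)):
        counts[(d["role"], d["cap"], d["path"], d["comm"], d["p_path"], d["setuid_root"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(LOG).items():
        print(n, *key)
```

Grouping without the PIDs collapses the four lines into two distinct denials, one per role (`www-data` and `mail`), both against `/usr/sbin/exim4` running with effective uid 0.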