Date:      Thu, 5 Aug 1999 12:29:07 -0700 (PDT)
From:      Doug <Doug@gorean.org>
To:        John Polstra <jdp@polstra.com>
Cc:        mike@smith.net.au, hackers@freebsd.org
Subject:   Re: login.conf restrictions for suid processes possible? (fwd) 
Message-ID:  <Pine.BSF.4.05.9908051225510.1799-100000@dt011n65.san.rr.com>
In-Reply-To: <199908051813.LAA04237@vashon.polstra.com>

On Thu, 5 Aug 1999, John Polstra wrote:

> In article <199908051755.KAA13017@dingo.cdrom.com>,
> Mike Smith  <mike@smith.net.au> wrote:
> > > 	I am working on some resource limit stuff and would like to be
> > > able to use login.conf to restrict the number of cgi processes that
> > > certain users can run. Unfortunately, the proprietary cgi product we use
> > > is owned by root and suid's to the user who owns the script that it is
> > > called to run. (This is not what I would call a "good idea," but it's what
> > > I have to work with.)
> [...]
> > You need to pester the vendor to correctly switch limits when they 
> > switch UIDs.
> > 
> > Alternatively, if this is unlikely _and_ the application is dynamically 
> > linked, you could produce a library containing patched set*id functions 
> > and force it into the app using LD_PRELOAD. 
> 
> N.B., LD_PRELOAD won't work if the program is setuid or setgid.  I'm
> not 100% sure from the original post whether that's the case or not.

	Yes, the program is owned by root, has permissions -rwsr-xr-t and
suid's to the user who owns the script it's called to run. I'm aware that
the sticky bit is ignored on BSD for executables, but that's how it comes
from the vendor so my boss doesn't want to mess with it.

Thanks,

Doug
-- 
On account of being a democracy and run by the people, we are the only
nation in the world that has to keep a government four years, no matter
what it does.
                -- Will Rogers
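
Added example, not part of the original thread and not the vendor's code: a sketch of what "switch limits when they switch UIDs" looks like in a root-owned wrapper. On FreeBSD it uses setusercontext(3) to apply the target user's login.conf class; the names cap_nproc and become_user, the non-FreeBSD fallback and the sample cap of 64 are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE            /* initgroups() on glibc */
#include <sys/types.h>
#include <sys/resource.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <login_cap.h>             /* setusercontext(3); link with -lutil */
#endif

/* Fallback for systems without login.conf: cap the process count directly. */
int cap_nproc(rlim_t max_procs)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0)
        return -1;
    if (max_procs > rl.rlim_max)
        max_procs = rl.rlim_max;   /* never try to raise the hard limit */
    rl.rlim_cur = rl.rlim_max = max_procs;
    return setrlimit(RLIMIT_NPROC, &rl);
}

/* Apply the target user's limits, then drop root for good. Limits go first,
 * while the process is still privileged enough to set them. */
int become_user(const struct passwd *pw, rlim_t fallback_nproc)
{
#ifdef __FreeBSD__
    (void)fallback_nproc;          /* login.conf class supplies the limits */
    if (setusercontext(NULL, pw, pw->pw_uid,
            LOGIN_SETRESOURCES | LOGIN_SETGROUP | LOGIN_SETUSER) != 0)
        return -1;
#else
    if (cap_nproc(fallback_nproc) != 0 ||
        initgroups(pw->pw_name, pw->pw_gid) != 0 ||
        setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
#endif
    /* Confirm the drop is permanent: regaining root must fail. */
    return (pw->pw_uid != 0 && setuid(0) == 0) ? -1 : 0;
}

int main(int argc, char **argv)
{
    struct passwd *pw = argc > 1 ? getpwnam(argv[1]) : NULL;
    if (pw == NULL || become_user(pw, 64) != 0)   /* 64: sample cap */
        return 1;
    return printf("now uid %d with limits applied\n", (int)getuid()) < 0;
}
```

Run as root with a user name as the only argument; every set*id return value is checked so a failed switch never leaves the script running as root.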