Date:      Mon, 13 Nov 2023 12:43:01 +0100
From:      Alexander Leidinger <Alexander@Leidinger.net>
To:        Christian Weisgerber <naddy@mips.inka.de>
Cc:        freebsd-arch@freebsd.org
Subject:   Re: Any particular reason we don't have sshd oomprotected by default?
Message-ID:  <3c3b4929125d113b230f8bbba33048ff@Leidinger.net>
In-Reply-To: <ZVH2CW3Ua6PQkDti@lorvorc.mips.inka.de>
References:  <8b9484ba83e373ece0e322e14c924da6@Leidinger.net> <ZVH2CW3Ua6PQkDti@lorvorc.mips.inka.de>


On 2023-11-13 11:10, Christian Weisgerber wrote:
> Alexander Leidinger:
> 
>> We have syslogd oomprotected by default (/etc/defaults/rc.conf). Is
>> there a particular reason we don't have sshd protected the same way?
> 
> syslogd(8) can perform its function without forking, I think.
> 
> sshd(8) needs to fork and spawn new processes to be useful.  So I
> don't know how useful that is in an OOM context.  Conversely, your
> existing sessions aren't affected when the sshd listening on port 22
> goes away.

oomprotect can be set to inherit when forked. I have not done that in 
this patch. So the main listener on the socket is protected from oom 
situations, but not individual login sessions.

Before proposing the patch in the review, I thought about what may be a 
sensible solution, inherit or not inherit, and I settled on not inherit, 
as this still allows logging in, but would be able to kill long-running 
sessions which may (or may not) contribute to the oom situation.

If someone has some strong arguments to change this to set oomprotect to 
inherit when forked for sshd, feel free to discuss them.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
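
The two choices weighed in this message, written as rc.conf(5) settings. This is an added illustration, not part of the original e-mail or of the patch under review; it assumes the generic `<name>_oomprotect` knob from rc.conf(5) applied to the `sshd` rc script, the `-i` option of protect(1), and the default pidfile path `/var/run/sshd.pid`.

```conf
# /etc/rc.conf (constructed example, not the patch discussed in the message)

# Choice described in the message: protect only the sshd process that
# listens on the socket. Per-login processes forked from it do not
# inherit the protection, so new logins stay possible under memory
# pressure while long-running sessions can still be killed.
sshd_oomprotect="YES"

# Alternative put up for discussion: protection is inherited on fork,
# so every login session spawned by the listener is also protected.
#sshd_oomprotect="ALL"

# Manual equivalent for an already running listener, using protect(1):
#   protect -p "$(cat /var/run/sshd.pid)"      # listener only
#   protect -i -p "$(cat /var/run/sshd.pid)"   # listener and its future children
```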
