Date: Tue, 17 Mar 2009 20:55:09 +0100 From: Jille Timmermans <jille@quis.cx> To: Nicolas de Bari Embriz Garcia Rojas <nbari@k9.cx> Cc: freebsd-jail@FreeBSD.org Subject: Re: maxproc per jail Message-ID: <49C0001D.3090105@quis.cx> In-Reply-To: <86EEC660-5154-42E2-BF93-9A7794E0CFB7@k9.cx> References: <AFF1A183-8257-451D-B308-722DE62899DA@k9.cx> <49BFB7A5.2030505@quis.cx> <65CE8B12-4C88-47A3-85A0-915708881925@k9.cx> <49BFF9AB.7030406@quis.cx> <86EEC660-5154-42E2-BF93-9A7794E0CFB7@k9.cx>
next in thread | previous in thread | raw e-mail | index | archive | help
Nicolas de Bari Embriz Garcia Rojas schreef: > A friend suggested to schg the rc.conf and login.conf of the jail and > put the root user in a login class with some strict perms. maybe can be > a solution. login.conf sets rlimit; but root ignores them, so that isn't of much use. (I'm not 100% sure, you can give it a try) You can also try sysctl security.bsd.suser_enabled=0; but that will also disable root outside the jail. Patching the kernel to ignore root in jails is not very hard I think. Writing that, it might also be easy to patch the kernel so that root-in-jail doesn't override rlimits. -- Jille > > regards. > -- >> nbari > > On Mar 17, 2009, at 1:27 PM, Jille Timmermans wrote: > >> Nicolas de Bari Embriz Garcia Rojas schreef: >>> Hi, thanks for the answer just on question how to setup rlimit for jails >>> ? any ideas >> I'm sorry for leaving that unclear; there is no rlimit for jails atm. >> But if someone wants to create a root-proof protection, I think that is >> the way to go. (being able to limit everything that rlimit can limit for >> single processes now) >> >> I unfortunately can't find the patch I mentioned, must have lost that >> during some disk-crash. >> >> So, I am afraid there is nothing I can do to help you. >> >> -- Jille >>> >>> regards. >>> -- >>>> nbari >>> >>> On Mar 17, 2009, at 8:45 AM, Jille Timmermans wrote: >>> >>>> Nicolas de Bari Embriz Garcia Rojas schreef: >>>>> Hi all, it is posible to limite the maxproc per jail ? >>>> No, I wrote a patch once; I will take a look whether I still have it >>>> somewhere. >>>> But the patch only limits the number of processes, not memory nor open >>>> files. >>>> The best thing to do (I think) is create some rlimit for jails. >>>> >>>> -- Jille >>>>> or how to put a protection to the main host in case the root user of >>>>> a jail try to make a fork bom. >>>>> regards. >>>>> -- >>>>>> nbari >>> >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?49C0001D.3090105>