From owner-freebsd-jail@FreeBSD.ORG Tue Mar 17 19:55:11 2009 Return-Path: Delivered-To: freebsd-jail@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4049210656DA for ; Tue, 17 Mar 2009 19:55:11 +0000 (UTC) (envelope-from jille@quis.cx) Received: from istud.quis.cx (ip83-113-174-82.adsl2.static.versatel.nl [82.174.113.83]) by mx1.freebsd.org (Postfix) with ESMTP id ED6848FC1C for ; Tue, 17 Mar 2009 19:55:10 +0000 (UTC) (envelope-from jille@quis.cx) Received: from [192.168.1.4] (ille [192.168.1.4]) by istud.quis.cx (Postfix) with ESMTP id 2274B5C1E; Tue, 17 Mar 2009 20:55:10 +0100 (CET) Message-ID: <49C0001D.3090105@quis.cx> Date: Tue, 17 Mar 2009 20:55:09 +0100 From: Jille Timmermans User-Agent: Thunderbird 2.0.0.19 (Windows/20081209) MIME-Version: 1.0 To: Nicolas de Bari Embriz Garcia Rojas References: <49BFB7A5.2030505@quis.cx> <65CE8B12-4C88-47A3-85A0-915708881925@k9.cx> <49BFF9AB.7030406@quis.cx> <86EEC660-5154-42E2-BF93-9A7794E0CFB7@k9.cx> In-Reply-To: <86EEC660-5154-42E2-BF93-9A7794E0CFB7@k9.cx> X-Enigmail-Version: 0.95.7 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: freebsd-jail@FreeBSD.org Subject: Re: maxproc per jail X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Mar 2009 19:55:11 -0000 Nicolas de Bari Embriz Garcia Rojas schreef: > A friend suggested to schg the rc.conf and login.conf of the jail and > put the root user in a login class with some strict perms. maybe can be > a solution. login.conf sets rlimit; but root ignores them, so that isn't of much use. (I'm not 100% sure, you can give it a try) You can also try sysctl security.bsd.suser_enabled=0; but that will also disable root outside the jail. Patching the kernel to ignore root in jails is not very hard I think. Writing that, it might also be easy to patch the kernel so that root-in-jail doesn't override rlimits. -- Jille > > regards. > -- >> nbari > > On Mar 17, 2009, at 1:27 PM, Jille Timmermans wrote: > >> Nicolas de Bari Embriz Garcia Rojas schreef: >>> Hi, thanks for the answer just on question how to setup rlimit for jails >>> ? any ideas >> I'm sorry for leaving that unclear; there is no rlimit for jails atm. >> But if someone wants to create a root-proof protection, I think that is >> the way to go. (being able to limit everything that rlimit can limit for >> single processes now) >> >> I unfortunately can't find the patch I mentioned, must have lost that >> during some disk-crash. >> >> So, I am afraid there is nothing I can do to help you. >> >> -- Jille >>> >>> regards. >>> -- >>>> nbari >>> >>> On Mar 17, 2009, at 8:45 AM, Jille Timmermans wrote: >>> >>>> Nicolas de Bari Embriz Garcia Rojas schreef: >>>>> Hi all, it is posible to limite the maxproc per jail ? >>>> No, I wrote a patch once; I will take a look whether I still have it >>>> somewhere. >>>> But the patch only limits the number of processes, not memory nor open >>>> files. >>>> The best thing to do (I think) is create some rlimit for jails. >>>> >>>> -- Jille >>>>> or how to put a protection to the main host in case the root user of >>>>> a jail try to make a fork bom. >>>>> regards. >>>>> -- >>>>>> nbari >>> >