Date: Tue, 5 Dec 2000 12:44:48 +0200
From: Peter Pentchev <roam@orbitel.bg>
To: freebsd-security@FreeBSD.org
Subject: Re: [spam score 10.00/10.0 -pobox] Re: Fw: NAPTHA Advisory Updated - BindView RAZOR
Message-ID: <20001205124448.A2404@ringworld.oblivion.bg>
In-Reply-To: <Pine.BSF.4.21.0012042134110.69763-100000@epsilon.lucida.ca>; from matt@ARPA.MAIL.NET on Mon, Dec 04, 2000 at 09:39:39PM -0500
References: <200012050138.SAA03007@faith.cs.utah.edu> <Pine.BSF.4.21.0012042134110.69763-100000@epsilon.lucida.ca>
On Mon, Dec 04, 2000 at 09:39:39PM -0500, Matt Heckaman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, 4 Dec 2000, David G. Andersen wrote:
> ...
> : Nope. It wasn't a kernel problem you were encountering - it was a
> : systemwide resource limit being reached. It's not that there's a _bug_ in
> : the kernel, it's that the processes' file table limits weren't isolated
> : from each other. The right solution to this is more isolation of
> : different processes (e.g. resource control).
>
> It would be nice if one could set login.conf(5) style resource limits per
> daemon instead of per login. Thus we could say, well "{q,send}mail can
> have 1024 fds" while apache can have 4096.. etc. Maybe there is a way to
> do this (djb's tcpserver? xinetd?) but I'm not currently aware of one.

Not tcpserver by itself, but tcpserver in conjunction with the daemontools
package can serve very well to place per-daemon limits. The dnscache/tinydns
setup in the djbdns package is a nice example of how to use svscan and
the related daemontools programs for resource usage control.

G'luck,
Peter

--
If I had finished this sentence,
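
The per-daemon limit idea discussed in this thread, as an added example that is not part of the original message or of daemontools: each service is started through a wrapper that lowers the descriptor limit for that service only. The helper names `run_limited` and `fd_limit_seen_by` and the service table are constructed for illustration; the shell's `ulimit` stands in for daemontools' `softlimit`.

```shell
#!/bin/sh
# Added example: per-daemon descriptor limits with the shell's own ulimit.
# daemontools' softlimit does the same job inside a service's ./run script
# (softlimit -o N caps open descriptors); ulimit is used here so the sketch
# runs without daemontools installed.

# run_limited MAXFDS CMD [ARGS...]
# Lower the soft RLIMIT_NOFILE in a subshell, then exec the daemon there.
# Only the daemon inherits the limit; the caller keeps its own.
run_limited() {
    max_fds=$1
    shift
    (
        # If the limit cannot be applied, do not start the daemon at all.
        ulimit -S -n "$max_fds" || exit 111
        exec "$@"
    )
}

# fd_limit_seen_by MAXFDS
# Report the descriptor limit a process started through run_limited sees.
# "sh -c 'ulimit -n'" is a constructed stand-in for a real daemon binary.
fd_limit_seen_by() {
    run_limited "$1" sh -c 'ulimit -n'
}

# Constructed service table using the numbers from the quoted message:
# mail daemon 1024 descriptors, web server 4096.
for entry in "mail:1024" "web:4096"; do
    name=${entry%%:*}
    want=${entry##*:}
    got=$(fd_limit_seen_by "$want") || got="not applied"
    echo "$name: requested $want, daemon sees $got"
done

# The supervising shell's own limit is untouched by the per-service settings.
echo "supervisor shell still has: $(ulimit -n)"
```

Because the limit is set in the subshell that becomes the daemon, a service that exhausts its own descriptors hits its own ceiling and leaves the other services' limits unchanged.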
