From owner-freebsd-security Tue Dec 5 2:46:18 2000
From owner-freebsd-security@FreeBSD.ORG Tue Dec 5 02:46:17 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (pool25-tch-1.Sofia.0rbitel.net [212.95.170.25])
    by hub.freebsd.org (Postfix) with SMTP id 771F037B401
    for ; Tue, 5 Dec 2000 02:45:29 -0800 (PST)
Received: (qmail 2424 invoked by uid 1000); 5 Dec 2000 10:44:49 -0000
Date: Tue, 5 Dec 2000 12:44:48 +0200
From: Peter Pentchev
To: freebsd-security@FreeBSD.org
Subject: Re: [spam score 10.00/10.0 -pobox] Re: Fw: NAPTHA Advisory Updated - BindView RAZOR
Message-ID: <20001205124448.A2404@ringworld.oblivion.bg>
Mail-Followup-To: freebsd-security@FreeBSD.org
References: <200012050138.SAA03007@faith.cs.utah.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from matt@ARPA.MAIL.NET on Mon, Dec 04, 2000 at 09:39:39PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Dec 04, 2000 at 09:39:39PM -0500, Matt Heckaman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, 4 Dec 2000, David G. Andersen wrote:
> ...
> : Nope. It wasn't a kernel problem you were encountering - it was a
> : systemwide resource limit being reached. It's not that there's a _bug_ in
> : the kernel, it's that the processes file table limits weren't isolated
> : from each other. The right solution to this is more isolation of
> : different processes (e.g. resource control).
>
> It would be nice if one could set login.conf(5) style resource limits per
> daemon instead of per login. Thus we could say, well "{q,send}mail can
> have 1024 fds" while apache can have 4096.. etc. Maybe there is a way to
> do this (djb's tcpserver? xinetd?) but I'm not currently aware of one.

Not tcpserver by itself, but tcpserver in conjunction with the daemontools
package can serve very well to place per-daemon limits.
The dnscache/tinydns setup in the djbdns package is a nice example of how
to use svscan and the related daemontools programs for resource usage control.

G'luck,
Peter

-- 
If I had finished this sentence,
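
The per-daemon limits discussed in this message rest on daemontools' softlimit program, which sets a resource limit and then executes the daemon, so the limit applies to that daemon alone. The following is an added example, not part of the original message or of the daemontools or djbdns packages; the helper names, the fallback to the shell's ulimit, the port and program path in the comment, and the demo values are assumptions.

```shell
#!/bin/sh
# Per-daemon descriptor limits: set RLIMIT_NOFILE, then exec the daemon, so
# the limit covers that daemon's process tree and nothing else on the host.

# run_with_fd_limit LIMIT CMD [ARGS...]   (hypothetical helper name)
run_with_fd_limit() {
    limit=$1
    shift
    if command -v softlimit >/dev/null 2>&1; then
        # daemontools softlimit: -o caps the number of open file descriptors.
        softlimit -o "$limit" "$@"
    else
        # Assumed fallback for hosts without daemontools: the shell's ulimit,
        # run in a subshell, applies the same soft limit before the exec.
        ( ulimit -S -n "$limit" && exec "$@" )
    fi
}

# fd_limit_seen_by LIMIT: print the soft limit a child started this way sees.
fd_limit_seen_by() {
    run_with_fd_limit "$1" sh -c 'ulimit -n'
}

# In a daemontools service directory the same idea lives in the service's
# ./run file, which svscan/supervise start and restart. The 1024 is the figure
# from the quoted message; port and program path are constructed:
#   #!/bin/sh
#   exec softlimit -o 1024 tcpserver 0 25 /path/to/smtp-daemon

# Constructed demo with small values so it runs under any hard limit.
echo "mail-like daemon sees: $(fd_limit_seen_by 64)"
echo "web-like daemon sees:  $(fd_limit_seen_by 128)"
echo "this shell still has:  $(ulimit -n)"
```

Each daemon's limit is inherited by its children but never by its siblings, which is the isolation between process file table limits that the quoted discussion asks for.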