From: rozhuk.im@gmail.com
Reply-To: Rozhuk.IM@gmail.com
Date: Mon, 7 Nov 2011 13:24:05 +0900
Message-ID: <4eb75d69.0e0ecc0a.29ec.3380@mx.google.com>
Subject: limits do not apply
List-Id: Technical Discussions relating to FreeBSD

At system startup, the init script is run with limits calculated on the
basis of the core MAXFILES.
After you run sysctl, the limits of the system may be altered, for example
"kern.maxfilesperproc", but the script will continue to work with the old
values.

This is bad in two ways:
1. When using "chroot", the command does not execute a logon for the
user: limits and environment variables remain the same, only the uid and
gid of the running process are replaced.
2. When "user" is not specified - the process starts with the limits of the
environment and startup script.

# limits
Resource limits (current):
...
openfiles 200000
...

# sysctl kern.maxfilesperproc=200001
kern.maxfilesperproc: 200000 -> 200001

# limits
Resource limits (current):
...
openfiles 200000
...

# su -m root -c 'limits'
Resource limits (current):
...
openfiles 200001

# chroot -u root / /usr/bin/limits
Resource limits (current):
...
openfiles 200000
...

Scripts for which a user is specified inherit it from the startup script,
rather than generating it based on the settings for the user.

# su -m mysql -c '/bin/sh -c "/usr/bin/env"'
...
USER=root
MAIL=/var/mail/root
HOME=/root
LOGNAME=root
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/root/bin
...

To run the scripts with the correct limits, environment, priority and
chroot, a tool is needed that combines chroot, su, nice and chdir but
without their shortcomings.

su - is focused on a shell
chroot - does not make the logon
nice - there is no overlap in the chroot or su

"SHELL" should be inherited from a parent script, because many accounts
are established with: SHELL="/usr/sbin/nologin"

--
Rozhuk Ivan
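
A sketch of the kind of combined launcher the message asks for, as an added example (not part of the original message and not FreeBSD code). The names run_as, clean_env and DEFAULT_PATH are hypothetical, and the nofile value is assumed to be supplied by the caller, for instance from the current kern.maxfilesperproc.

```python
import os
import pwd
import resource

# Assumed default search path for services; not taken from the message.
DEFAULT_PATH = "/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin"

def clean_env(pw, parent_env):
    """Build the environment from the target account instead of inheriting
    USER/HOME/LOGNAME/MAIL from the startup script."""
    return {
        "USER": pw.pw_name,
        "LOGNAME": pw.pw_name,
        "HOME": pw.pw_dir,
        "MAIL": "/var/mail/" + pw.pw_name,
        "PATH": DEFAULT_PATH,
        # SHELL is taken from the parent script, as the message asks: service
        # accounts commonly have /usr/sbin/nologin as their login shell.
        "SHELL": parent_env.get("SHELL", "/bin/sh"),
    }

def run_as(user, argv, root="/", cwd="/", nice=0, nofile=None):
    """Replace the current process with argv, run as `user` inside `root`.
    Must be called as root; argv[0] is a path inside the new root."""
    pw = pwd.getpwnam(user)                      # resolve before chroot
    groups = os.getgrouplist(pw.pw_name, pw.pw_gid)
    env = clean_env(pw, os.environ)
    if nofile is not None:
        # Set the limit explicitly instead of keeping the inherited one.
        # Only root may raise the hard limit, so do it before setuid().
        resource.setrlimit(resource.RLIMIT_NOFILE, (nofile, nofile))
    if nice:
        os.nice(nice)
    os.chroot(root)
    os.chdir(cwd)                                # cwd is relative to new root
    # Drop privileges: supplementary groups, then gid, then uid (irreversible).
    os.setgroups(groups)
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    os.execve(argv[0], argv, env)

if __name__ == "__main__":
    # Constructed passwd entry for illustration; not read from a real system.
    mysql = pwd.struct_passwd(("mysql", "*", 88, 88, "", "/var/db/mysql",
                               "/usr/sbin/nologin"))
    print(clean_env(mysql, {"SHELL": "/bin/sh", "HOME": "/root"}))
```
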