Date: Thu, 6 Sep 2001 20:25:20 -0400
From: Steve Shorter
To: D J Hawkey Jr
Cc: steve@nomad.tor.lets.net, freebsd-security@freebsd.org
Subject: Re: when mail full /tmp partition, system cracked
Message-ID: <20010906202520.B44397@nomad.lets.net>
References: <20010906170731.A18984@sheol.localdomain>

On Thu, Sep 06, 2001 at 05:07:31PM -0500, D J Hawkey Jr wrote:
> Is "the largest process" selective, to some degree or another? That is,
> will it (can it?) discern a "more valuable" process from a "lesser one"?
>
> Can it be told to kill off the last process started, as opposed to the
> largest? I myself would find this preferable in many cases.

Actually, I was running a process that was killed because it was largest, but this process happened to be essential to the system function.

It is easy to modify the kernel source to be more selective. I choose to kill only processes with uid > somenumber, since in the context of my particular system, I trust those processes not to hose it and/or have set appropriate resource limits.
Check out the source in sys/vm/vm_pageout.c around

        if ((p->p_flag & P_SYSTEM) || (p->p_lock > 0) ||
            (p->p_pid == 1) ||
            ((p->p_pid < 48) && (vm_swap_size != 0))) {
                continue;
        }

You need to search for the definitions of struct proc (which p points to) in /usr/include/sys/proc.h.

Enjoy your kernel hacking!

-steve
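
A userland model of the selection policy described in the message above, added here as an illustration; it is not code from the post or from the FreeBSD kernel. The struct mproc type, its uid and size fields, the min_uid parameter (standing in for "somenumber") and the sample table are all assumptions made for this sketch.

```c
#include <stddef.h>

/* Userland model, not kernel code. Field names echo the excerpt; uid and
 * size are assumed stand-ins for the kernel's real accounting. */
#define P_SYSTEM 0x1               /* constructed flag value for this model */

struct mproc {
    int pid;
    unsigned uid;
    int flag;                      /* P_SYSTEM marks system processes */
    int lock;                      /* > 0: process is locked */
    unsigned long size;            /* memory footprint in pages */
};

/* Return the index of the process to kill, or -1 if none is eligible.
 * Only uid > min_uid may be chosen; min_uid = -1 gives the stock policy. */
int pick_victim(const struct mproc *tab, size_t n,
                unsigned long swap_size, long min_uid)
{
    int best = -1;
    unsigned long bigsize = 0;
    for (size_t i = 0; i < n; i++) {
        const struct mproc *p = &tab[i];
        /* Same exemptions as the quoted test in vm_pageout.c. */
        if ((p->flag & P_SYSTEM) || p->lock > 0 || p->pid == 1 ||
            (p->pid < 48 && swap_size != 0))
            continue;
        /* Added policy: never select a process at or below the threshold. */
        if ((long)p->uid <= min_uid)
            continue;
        if (p->size > bigsize) {
            bigsize = p->size;
            best = (int)i;
        }
    }
    return best;
}

/* Constructed sample table. */
static const struct mproc sample[] = {
    { 1,    0,    0,        0, 100 },    /* init */
    { 30,   0,    P_SYSTEM, 0, 50 },     /* system process */
    { 210,  0,    0,        0, 90000 },  /* essential root daemon, largest */
    { 4001, 1001, 0,        0, 20000 },  /* user process */
    { 4002, 1002, 0,        0, 35000 },  /* user process, largest eligible */
    { 4003, 1003, 0,        1, 80000 },  /* locked, exempt */
};

int main(void) { return pick_victim(sample, sizeof sample / sizeof sample[0], 1000, 1000) == 4 ? 0 : 1; }
```

With the threshold disabled the model picks the root daemon, which is the failure described in the message; with a threshold of 1000 it picks the largest unprivileged process instead, and returns -1 when nothing is eligible.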