Date: Tue, 17 Aug 1999 10:36:16 -0700 (PDT)
From: Matthew Dillon <dillon@apollo.backplane.com>
To: Mike Tancsa <mike@sentex.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Any work around for this FreeBSD bug/DoS ?
Message-ID: <199908171736.KAA18291@apollo.backplane.com>
References: <4.1.19990816203409.05989960@granite.sentex.ca> <4.1.19990816213403.05a3b540@granite.sentex.ca> <3.0.5.32.19990817131742.02a5f6c0@staff.sentex.ca>

:
:Thanks for the extended info. What I am surprised at is that even with
:MAXUSERS set to 128, I have to use something as restrictive as
:
:dialu:\
:        :copyright=/etc/COPYRIGHT:\
:        :welcome=/etc/motd:\
:        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
:        :path=~/bin /bin /usr/bin /usr/local/bin /usr/X11R6/bin:\
:        :nologin=/var/run/nologin:\
:        :cputime=unlimited:\
:        :datasize=unlimited:\
:        :stacksize=unlimited:\
:        :memorylocked-cur=10M:\
:        :memoryuse-max=30M:\
:        :maxproc-cur=9:\
:        :maxproc-max=15:\
:        :openfiles-max=16:\
:        :filesize=unlimited:\
:        :coredumpsize=unlimited:\
:        :priority=0:\
:        :ignoretime@:\
:        :umask=022:
:
:
:It seems anything above 16 files open (e.g. 32), and they are able to panic
:the system.

There have been proposals to extend the concept of per-user resources
(for example, maxproc is a per-user resource). This way you would be able
to set reasonable overall limits for the user that do not overly restrict
the per-process limits. However, nobody has attempted to actually code
the idea. It seems to me a fairly easy thing to do through the use of
the credential's cache (but I'm not volunteering).

                                        -Matt
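
Added example, not part of the original message or of FreeBSD: because maxproc is counted per user while openfiles and memoryuse apply to each process separately, the most one UID can hold under a login class is the product of the two, which this sketch computes from the class text. The function names are this example's own, the sample is a constructed excerpt of the quoted "dialu" class, and only the syntax seen in that class is parsed (continuation lines, -cur/-max suffixes, k/m/g sizes).

```python
import re

# Constructed sample: limit-related lines of the "dialu" class quoted above.
SAMPLE = r"""
dialu:\
        :maxproc-cur=9:\
        :maxproc-max=15:\
        :openfiles-max=16:\
        :memoryuse-max=30M:\
        :umask=022:
"""
UNITS = {"k": 1 << 10, "m": 1 << 20, "g": 1 << 30}  # size suffixes handled here

def parse_class(text, name):
    """Return {capability: value} for one class; tc= chaining is not followed."""
    folded = re.sub(r"\\\n\s*", "", text)          # join continuation lines
    for line in folded.splitlines():
        fields = line.strip().split(":")
        if line.lstrip().startswith("#") or name not in fields[0].split("|"):
            continue
        caps = {}
        for field in filter(None, (f.strip() for f in fields[1:])):
            key, sep, val = field.partition("=")
            caps[key] = val if sep else True       # bare names are booleans
        return caps
    raise KeyError(name)

def limit(caps, res, which="max"):
    """Soft ('cur') or hard ('max') limit; None if unlimited or not set."""
    raw = caps.get(f"{res}-{which}", caps.get(res))
    if raw is None or raw in ("unlimited", "infinity"):
        return None
    num, unit = re.fullmatch(r"(\d+)([kmg]?)", raw.lower()).groups()
    return int(num) * UNITS.get(unit, 1)

def per_user_ceiling(caps, per_process_res, which="max"):
    """Worst case for one UID: maxproc processes, each at its own limit."""
    procs, each = limit(caps, "maxproc", which), limit(caps, per_process_res, which)
    return None if procs is None or each is None else procs * each

if __name__ == "__main__":
    caps = parse_class(SAMPLE, "dialu")
    print("descriptors per UID:", per_user_ceiling(caps, "openfiles"))
    relaxed = {**caps, "openfiles-max": "32"}      # the 32 from the quoted text
    print("with openfiles-max=32:", per_user_ceiling(relaxed, "openfiles"))
    print("resident bytes per UID:", per_user_ceiling(caps, "memoryuse"))
```

A result of None means the class leaves that resource unbounded or unset, so the per-user total is whatever the system-wide limits allow.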