Date: Thu, 24 Apr 2003 11:36:31 +0000 From: Philip Reynolds <philip.reynolds@rfc-networks.ie> To: hackers@freebsd.org Subject: Re: Keeping a large shellbox stable and secure Message-ID: <20030424113630.GA21831@rfc-networks.ie> In-Reply-To: <001901c309ee$36029070$c601a8c0@oxygen> References: <001901c309ee$36029070$c601a8c0@oxygen>
next in thread | previous in thread | raw e-mail | index | archive | help
Peter <pfak@telus.net> 43 lines of wisdom included:
> Are there any proven methods that you have used? System tweaks, etc. That
> seem to work under high system loads? Such as sysctl.conf, rc.conf, etc.
login.conf should be all you need to keep the ulimits of users down.
Give users finite CPU time, VM size (and whatever other options you
can) etc.
Play around with it before you let users on the box. Try a few
sample C programs to see if you can crash the box
--------------------8<---------------------
/* The timeless while(1) fork(); program */
#include <sys/types.h>
#include <unistd.h>
int
main(int argc, char **argv)
{
while(1)
fork();
}
-------------------->8---------------------
The above program, for instance, should stop after a few seconds
with an error (something equivalent to resources unavailable)
Some sample settings would be:
default:\
## ...
:cputime=500:\
:datasize=50M:\
:stacksize:40M:\
:memorylocked=30M:\
:memoryuse=30M:\
:filesize=50M:\
:openfiles=300:\
:maxproc=50:\
:sbsize=50M:\
:vmemoryuse=75M:\
:priority=0:
There might be some things I left out there (core file size etc.)
and some other settings. You're going to need to tweak these
settings according to your machine specifications and how high a
load your system is under.
Remember to run ``cap_mkdb /etc/login.conf'' after changes to the file.
--
Philip Reynolds | RFC Networks Ltd.
philip.reynolds@rfc-networks.ie | +353 (0)1 8832063
http://people.rfc-networks.ie/~phil | www.rfc-networks.ie
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030424113630.GA21831>