Date: Thu, 20 Jan 2000 15:59:19 -0800
From: Matthew Reimer <mreimer@vpop.net>
To: freebsd-hackers@freebsd.org
Subject: RLIMIT_NPROC can be exceeded via setuid/exec
Message-ID: <3887A157.E30E31AE@vpop.net>

My question is, should setuid() fail if the target user's maximum number of processes (RLIMIT_NPROC) would be exceeded?

Background: in an attempt to manage our webserver to keep too many CGIs from taking down the machine, I've been experimenting with RLIMIT_NPROC. This appears to work fine when forking new processes, causing the fork to fail with error EAGAIN.

However, this didn't solve our problem. We're using Apache with suexec, and still CGIs would multiply far beyond the specified resource limit.

Apache forks suexec, which is suid root; fork1() increments the number of processes for root, unless RLIMIT_NPROC has been exceeded, in which case the fork fails with EAGAIN. suexec then calls setuid() (before it calls execv), which decrements root's process count and increments the target user's process count, but RLIMIT_NPROC is not consulted, and voila, we've just exceeded the target user's maximum process count.

So should the setuid() fail with EAGAIN (or some such) if the target user's maximum number of processes would be exceeded? Or would this break too many programs?

Matt
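The accounting sequence described in the message above, as an added example that is not part of the original e-mail and is not FreeBSD kernel code. It is a simplified user-space model: the uid values, the names `model_fork`, `model_setuid` and `run_cgis`, and the request counts are all assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

#define MAXUID 3
#define ROOT   0          /* uid charged for the fork, as in the message */
#define CGIUSR 2          /* hypothetical suexec target uid */

static int nproc[MAXUID]; /* modelled per-uid process count */
static int limit[MAXUID]; /* modelled per-uid RLIMIT_NPROC; 0 = unlimited */

/* fork: the child is charged to `uid` and the limit IS consulted. */
static int model_fork(int uid) {
    if (limit[uid] && nproc[uid] >= limit[uid]) return EAGAIN;
    nproc[uid]++;
    return 0;
}

/* setuid: moves one process charge from `from` to `to`.
 * check_limit == 0: behaviour the message reports (limit never consulted).
 * check_limit == 1: behaviour the message proposes (fail with EAGAIN). */
static int model_setuid(int from, int to, int check_limit) {
    if (check_limit && limit[to] && nproc[to] >= limit[to]) return EAGAIN;
    nproc[from]--;
    nproc[to]++;
    return 0;
}

/* Launch `requests` CGIs via fork + setuid and return how many end up
 * charged to CGIUSR. A child whose setuid fails exits without exec'ing. */
int run_cgis(int requests, int cgi_limit, int check_limit) {
    int i;
    for (i = 0; i < MAXUID; i++) { nproc[i] = 0; limit[i] = 0; }
    limit[CGIUSR] = cgi_limit;
    nproc[ROOT] = 1;                      /* the forking server itself */
    for (i = 0; i < requests; i++) {
        if (model_fork(ROOT) != 0) continue;   /* fork refused */
        if (model_setuid(ROOT, CGIUSR, check_limit) != 0)
            nproc[ROOT]--;                /* child exits, charge released */
    }
    return nproc[CGIUSR];
}

int main(void) {
    /* Constructed scenario: limit of 10 processes, 50 CGI requests. */
    printf("setuid ignores limit: %d processes\n", run_cgis(50, 10, 0));
    printf("setuid checks limit:  %d processes\n", run_cgis(50, 10, 1));
    return 0;
}
```

The fork-time check never fires in this model because each setuid() hands the charge away from the forking uid, so that uid's count never grows.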