From owner-freebsd-hackers  Fri Jan 21  0:37:20 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from resnet.uoregon.edu (resnet.uoregon.edu [128.223.144.32])
	by hub.freebsd.org (Postfix) with ESMTP id A983D153EF
	for <freebsd-hackers@FreeBSD.ORG>; Fri, 21 Jan 2000 00:37:18 -0800 (PST)
	(envelope-from dwhite@resnet.uoregon.edu)
Received: from localhost (dwhite@localhost)
	by resnet.uoregon.edu (8.9.3/8.9.3) with ESMTP id AAA54811;
	Fri, 21 Jan 2000 00:37:17 -0800 (PST)
	(envelope-from dwhite@resnet.uoregon.edu)
Date: Fri, 21 Jan 2000 00:37:16 -0800 (PST)
From: Doug White <dwhite@resnet.uoregon.edu>
To: Matthew Reimer <mreimer@vpop.net>
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: RLIMIT_NPROC can be exceeded via setuid/exec
In-Reply-To: <3887A157.E30E31AE@vpop.net>
Message-ID: <Pine.BSF.4.21.0001210031570.51684-100000@resnet.uoregon.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, 20 Jan 2000, Matthew Reimer wrote:

> My question is, should setuid() fail if the target user's maximum number
> of processes (RLIMIT_NPROC) would be exceeded?
> 
> Background: in an attempt to manage our webserver to keep too many CGIs
> from taking down the machine, I've been experimenting with RLIMIT_NPROC.
> This appears to work fine when forking new processes, causing the fork
> to fail with error EAGAIN.
> 
> However, this didn't solve our problem. We're using Apache with suexec,
> and still CGIs would multiply far beyond the specified resource limit. 
> 
> Apache forks suexec, which is suid root; fork1() increments the number
> of processes for root, unless RLIMIT_NPROC has been exceeded, in which
> case the fork fails with EAGAIN.
> 
> suexec calls then calls setuid() (before it calls execv), which
> decrements root's process count and increments the target user's process
> count, but RLIMIT_NPROC is not consulted, and voila, we've just exceeded
> the target user's maximum process count.

Apache is a bizarre environment, so you have to be careful:

1.  Generally root starts apache and it revokes privs down to the User
    specified in the config file.  

    Problem: Limits are inherited from the process parent, which is in
    this case root.  I believe there is a specific function all to request
    enforcement of new process limits for the user's class.

2.  Apache has config-file overrides for various resource limits.

    Problem: From #1 you may have set the soft limit higher than the
    intended hard limit for the user.

I hope this illuminates some of the issues.

Doug White                    |  FreeBSD: The Power to Serve
dwhite@resnet.uoregon.edu     |  www.FreeBSD.org



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message