From: Robert Watson <rwatson@FreeBSD.org>
Date: Fri, 4 Jan 2008 13:26:37 +0000 (GMT)
To: Dag-Erling Smørgrav
Cc: freebsd-current@freebsd.org, Jason Evans, Poul-Henning Kamp
Subject: Re: sbrk(2) broken
Message-ID: <20080104132437.U77222@fledge.watson.org>
In-Reply-To: <86r6gxahwm.fsf@ds4.des.no>

On Fri, 4 Jan 2008, Dag-Erling Smørgrav wrote:

> Robert Watson writes:
>> Dag-Erling Smørgrav writes:
>>> Robert Watson writes:
>>>> The right answer is presumably to introduce a new LIMIT_SWAP, which
>>>> limits the allocation of anonymous memory by processes, and size it to
>>>> something like 90% of swap space by default.
>>> Not a good solution on its own. You need a per-process limit as well,
>>> otherwise a malloc() bomb will still cause other processes to fail
>>> randomly.
>> That was what I had in mind, the above should read RLIMIT_SWAP.
>
> You don't want the default to be so high. You want a low default, with the
> possibility for the admin to increase the limit for a particular user in
> login.conf or similar without rebooting (which is currently not possible
> since the default datasize == maxdsiz, which can only be changed in the
> kernel config or loader.conf)

I'm fine with also having global limits.

> You may also want to have a collective limit for unprivileged users, so root
> will still be able to log in if something goes wrong.

This will presumably only work for console logins, as sshd (etc) will depend
on unprivileged users, but perhaps that is fine. I'm less concerned with the
details of the implementation or policy than that we simply be able to support
even a basic policy and have it configured by default to prevent
foot-shooting.

Robert N M Watson
Computer Laboratory
University of Cambridge
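The per-process limit argued for in the thread can be observed today with the existing RLIMIT_AS resource limit, which stands in here for the proposed RLIMIT_SWAP. The following is an added example, not code from the thread or from FreeBSD: it lowers the soft address-space limit, shows that a large anonymous allocation is refused in that process only, then restores the soft limit (the adjustable-without-reboot behaviour the thread asks for) and shows the same allocation succeeding. It assumes a POSIX system whose hard RLIMIT_AS is above 512 MiB.

```c
/* Added example: a per-process address-space limit confines a runaway
 * allocator to the process that hit it.  RLIMIT_AS is used as the
 * closest existing analogue of the RLIMIT_SWAP proposed in the thread. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>

#define MIB (1024UL * 1024UL)

/* Try to obtain `bytes` of anonymous memory; 1 if granted, 0 if refused.
 * The volatile store keeps the compiler from eliding the malloc/free pair. */
static int try_alloc(size_t bytes) {
    char *p = malloc(bytes);
    if (p == NULL)
        return 0;
    volatile char *v = p;
    v[0] = 1;
    free(p);
    return 1;
}

/* Lower only the soft RLIMIT_AS, leaving the hard limit untouched so the
 * soft value can be raised again later.  0 on success, -1 on failure. */
static int set_soft_as_limit(rlim_t limit_bytes) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_AS, &rl) != 0)
        return -1;
    rl.rlim_cur = limit_bytes;
    return setrlimit(RLIMIT_AS, &rl);
}

/* With the soft limit at limit_mib, an allocation of want_mib must be
 * refused; once the previous limit is restored it must succeed.
 * Returns 1 only if both observations hold. */
int limit_confines_allocation(size_t limit_mib, size_t want_mib) {
    struct rlimit saved;
    if (getrlimit(RLIMIT_AS, &saved) != 0)
        return 0;
    if (set_soft_as_limit((rlim_t)(limit_mib * MIB)) != 0)
        return 0;
    int refused = !try_alloc(want_mib * MIB);
    if (setrlimit(RLIMIT_AS, &saved) != 0)   /* raise the soft limit back */
        return 0;
    int allowed = try_alloc(want_mib * MIB);
    return refused && allowed;
}

int main(void) {
    printf("limit confines allocation: %s\n",
           limit_confines_allocation(256, 512) ? "yes" : "no");
    return 0;
}
```

Because only the soft limit is lowered, the process (or an administrator acting on its behalf) can raise it again up to the hard limit without restarting anything, which is the property the thread contrasts with the static maxdsiz default.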