From owner-freebsd-security  Thu Aug 23 11:54:20 2001
Delivered-To: freebsd-security@freebsd.org
Received: from designcurve.net (cc131689-a.chmchl1.ca.home.com [65.12.101.48])
	by hub.freebsd.org (Postfix) with SMTP id D320837B40C
	for <freebsd-security@freebsd.org>; Thu, 23 Aug 2001 11:54:08 -0700 (PDT)
	(envelope-from shannon@designcurve.net)
Received: (qmail 22714 invoked from network); 23 Aug 2001 18:53:50 -0000
Received: from mail.needhams.com (HELO shannon) (209.63.39.71)
  by 192.168.10.25 with SMTP; 23 Aug 2001 18:53:50 -0000
Message-ID: <003b01c12c05$d2e89100$3303a8c0@needhams.com>
From: "Shannon Johnson" <shannon@designcurve.net>
To: <freebsd-security@freebsd.org>
Cc: "Alexey Zakirov" <frank@agava.com>
References: <Pine.BSF.4.32.0108232240021.47648-100000@hellbell.domain>
Subject: Re: jail & security
Date: Thu, 23 Aug 2001 12:00:05 -0700
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

> On Thu, 23 Aug 2001, Alexey Zakirov wrote:
>
> > > yourself from destroying a system (e.g. read only file system, setting
the
> > > system immutable flag, etc.)
> > >
> > > Remind me to never give you a shell account.
> >
> > Alexey is wrong in stating 'You CAN'T limit whole jail limits.' you
> > actually can given the right patches to the jail subsystem. :)
>
> Am I wrong? Can you setup jail that limits his CPU/MEM for particular
> jail?

Yes, infact you are incorrect. I have set up literally dozens of jails both
at home and work. Through this I have experimented with allot of
configurations, including login classes.

One way that I tested this out was to write a simple c program to test that
the cpu/memory limits were being properly limited by login.conf. Here tis...

int main(void) {
  while(1) malloc(100);
}

This is obviously required allot of  memory/CPU. But it proved my point.

By the way, where are the patches that you referred to earlier.

---
Shannon




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message