From: Christian Kratzer
To: Igor Melnichuk
Date: Tue, 2 Oct 2001 09:59:12 +0200 (CEST)
Subject: Re: login.conf & FreeBSD 4.4
In-Reply-To: <004701c14b0c$ce44f140$45e03ac3@skif.net>

Hi,

On Tue, 2 Oct 2001, Igor Melnichuk wrote:

> I need advice.
>
> I have a server with FreeBSD 4.4 RELEASE installed.
>
> To limit users I've created a new class "webuser" in login.conf (fixed limits
> on resources - max memory usage, CPU time, core dump size) and did all the
> necessary steps (compiled the database with `cap_mkdb /etc/login.conf` and
> assigned the new class to the user with `chclass user1`).
>
> But in fact this does _not_ work when I log in as user1 or run a perl script
> (infinite loop) with his privileges.
>
> On a machine with FreeBSD 4.3 RELEASE this works well (the kernel kills the
> script according to the login.conf rules).
>
> Any ideas?
>
> PS I've read the FreeBSD 4.4-RELEASE Errata
> ( http://www.freebsd.org/releases/4.4R/errata.html ) 2 Security Advisories
> (Support for per-user ~/.login_conf files). I believe it has no relation to
> the problem.
>
> login.conf
> --------------
> webuser:\
>         :cputime=10s:\
>         :filesize=unlimited:\
>         :datasize=20M:\
>         :stacksize=20M:\
>         :coredumpsize=unlimited:\
>         :memoryuse=20M:\
>         :memorylocked=20M:\
>         :maxproc=20:\
>         :openfiles=20:\
>         :priority=0:
> --------------

If you are talking about cgi scripts run by apache you might want to patch
suexec to do this. There is nothing in apache that would normally set the
requested privileges.

We added the following to apache-x-x-x/src/support/suexec.c to actually
enforce setting of resource limits. There is nothing in apache that would
normally set these up for you.

At the top, after the includes:

---snipp---
#include
#ifdef __FreeBSD__
# include <login_cap.h>        /* setclasscontext(), LOGIN_SET* flags */
#endif
#include "suexec.h"
---snipp---

Further to the bottom, shortly before setting the euid:

---snipp---
#ifdef __FreeBSD__
    /*
     * set resource limits from /etc/login.conf
     * allows one to limit cpu and memory consumption by cgi's
     * (the "apache-suexec" class must exist in /etc/login.conf);
     * refuse to run the cgi if the limits could not be applied
     */
    if (setclasscontext("apache-suexec",
                        LOGIN_SETRESOURCES|LOGIN_SETPRIORITY) != LOGIN_OK) {
        log_err("emerg: failed to set login class for apache-suexec\n");
        exit(110);
    }
#endif

    /*
     * setuid() to the target user.  Error out on fail.
     */
    if ((setuid(uid)) != 0) {
        log_err("emerg: failed to setuid (%ld: %s)\n", uid, cmd);
        exit(110);
    }
---snipp---

Greetings
Christian

--
Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: ck@cksoft.de
Phone: +49 7452 889-135
Fax:   +49 7452 889-136
FreeBSD spoken here!
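The point of Christian's patch is that a login.conf class is only a database entry: the kernel enforces rlimits that some program has actually set on the process, and login(1) does that through setusercontext(3), while apache never does. The program below is an added example, not code from this thread, from Apache or from FreeBSD. It reads a login.conf-style record (constructed here from the "webuser" class quoted above, with the backslash continuation lines joined) and applies every rlimit capability with plain setrlimit(2), which is the portable core of what setclasscontext() does for LOGIN_SETRESOURCES; login_cap(3) itself is not used so it also builds on Linux. Values use the login.conf suffixes (10s, 20M); priority= is not an rlimit and is skipped; and an attempt to raise a hard limit without privilege is clamped to the current hard limit instead of failing, which is the case an unprivileged test run hits.

```c
/* Added example, not code from the post or from Apache: apply a login.conf
 * style record to the current process with setrlimit(2), the portable core of
 * what FreeBSD's setclasscontext() does for LOGIN_SETRESOURCES.  login_cap(3)
 * is not used so this also builds on Linux; priority= is not an rlimit. */
#define _GNU_SOURCE                      /* strdup, strtok_r under strict -std */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/* Constructed sample: the thread's "webuser" class, continuation lines joined. */
static const char WEBUSER_RECORD[] =
    "webuser:cputime=10s:filesize=unlimited:datasize=20M:stacksize=20M:"
    "coredumpsize=unlimited:memoryuse=20M:memorylocked=20M:maxproc=20:"
    "openfiles=20:priority=0:";

enum kind { KIND_TIME, KIND_SIZE, KIND_COUNT };
static const struct { const char *cap; int resource; enum kind kind; } caps[] = {
    { "cputime",      RLIMIT_CPU,     KIND_TIME  },
    { "filesize",     RLIMIT_FSIZE,   KIND_SIZE  },
    { "datasize",     RLIMIT_DATA,    KIND_SIZE  },
    { "stacksize",    RLIMIT_STACK,   KIND_SIZE  },
    { "coredumpsize", RLIMIT_CORE,    KIND_SIZE  },
    { "memoryuse",    RLIMIT_RSS,     KIND_SIZE  },
    { "memorylocked", RLIMIT_MEMLOCK, KIND_SIZE  },
    { "maxproc",      RLIMIT_NPROC,   KIND_COUNT },
    { "openfiles",    RLIMIT_NOFILE,  KIND_COUNT },
};

/* Parse a login.conf value: "unlimited", a bare count, a time such as "2m30s"
 * or a size such as "20M".  Returns -1 if malformed or the suffix mismatches. */
int parse_cap_value(const char *s, enum kind kind, rlim_t *out)
{
    rlim_t total = 0;
    if (strcmp(s, "unlimited") == 0) { *out = RLIM_INFINITY; return 0; }
    while (*s) {
        char *end; unsigned long long n = strtoull(s, &end, 10), mult;
        int suf = tolower((unsigned char)*end);
        if (end == s) return -1;                         /* no digits */
        if (suf == '\0' || (kind == KIND_TIME && suf == 's')) mult = 1;
        else if (kind == KIND_TIME && suf == 'm') mult = 60;
        else if (kind == KIND_TIME && suf == 'h') mult = 3600;
        else if (kind == KIND_SIZE && suf == 'k') mult = 1ULL << 10;
        else if (kind == KIND_SIZE && suf == 'm') mult = 1ULL << 20;
        else return -1;                 /* counts take no suffix at all */
        total += n * mult;
        s = *end ? end + 1 : end;
    }
    *out = total;
    return 0;
}

/* Set one limit.  Lowering always works; raising the hard limit needs
 * privilege, so on EPERM fall back to the current hard limit instead. */
static int apply_one(int resource, rlim_t value)
{
    struct rlimit cur, want;
    if (getrlimit(resource, &cur) != 0) return -1;
    want.rlim_cur = want.rlim_max = value;
    if (setrlimit(resource, &want) == 0) return 0;
    if (errno != EPERM || cur.rlim_max == RLIM_INFINITY) return -1;
    want.rlim_cur = want.rlim_max = cur.rlim_max;        /* clamp */
    return setrlimit(resource, &want);
}

/* Walk "class:cap=value:...:" applying each known rlimit capability; returns
 * how many were applied, or -1 if a value is malformed or setrlimit fails. */
int apply_class_record(const char *record)
{
    char *copy = strdup(record), *save = NULL, *tok;
    int applied = 0;
    if (copy == NULL) return -1;
    strtok_r(copy, ":", &save);                          /* class name */
    while ((tok = strtok_r(NULL, ":", &save)) != NULL) {
        char *eq = strchr(tok, '=');
        if (eq == NULL) continue;                        /* boolean cap */
        *eq = '\0';
        for (size_t i = 0; i < sizeof caps / sizeof caps[0]; i++) {
            rlim_t v;
            if (strcmp(tok, caps[i].cap) != 0) continue;
            if (parse_cap_value(eq + 1, caps[i].kind, &v) != 0 ||
                apply_one(caps[i].resource, v) != 0) { free(copy); return -1; }
            applied++;
        }
    }
    free(copy);
    return applied;
}

/* Soft limit now in force, to check what apply_class_record did. */
rlim_t current_soft_limit(int resource)
{
    struct rlimit r;
    return getrlimit(resource, &r) == 0 ? r.rlim_cur : (rlim_t)-1;
}

int main(void)
{
    printf("applied %d limits\n", apply_class_record(WEBUSER_RECORD));
    return 0;
}
```

Run it and then start a busy loop in the same shell session: after apply_class_record the process and its children are killed by SIGXCPU after 10 seconds of CPU, which is exactly the behaviour Igor expected from the class and did not get, because nothing in his 4.4 execution path made this call. The same check (getrlimit on RLIMIT_CPU from inside a test cgi) is a quick way to confirm whether a patched suexec really applied the class.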