From owner-freebsd-hackers Thu Aug 5 11: 3:10 1999 Delivered-To: freebsd-hackers@freebsd.org Received: from dingo.cdrom.com (dingo.cdrom.com [204.216.28.145]) by hub.freebsd.org (Postfix) with ESMTP id 44FFB15176 for ; Thu, 5 Aug 1999 11:03:05 -0700 (PDT) (envelope-from mike@dingo.cdrom.com) Received: from dingo.cdrom.com (localhost.cdrom.com [127.0.0.1]) by dingo.cdrom.com (8.9.3/8.8.8) with ESMTP id KAA13017; Thu, 5 Aug 1999 10:55:14 -0700 (PDT) (envelope-from mike@dingo.cdrom.com) Message-Id: <199908051755.KAA13017@dingo.cdrom.com> X-Mailer: exmh version 2.0.2 2/24/98 To: Doug Cc: freebsd-hackers@freebsd.org Subject: Re: login.conf restrictions for suid processes possible? (fwd) In-reply-to: Your message of "Thu, 05 Aug 1999 10:53:37 PDT." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 05 Aug 1999 10:55:14 -0700 From: Mike Smith Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG > I am working on some resource limit stuff and would like to be > able to use login.conf to restrict the number of cgi processes that > certain users can run. Unfortunately, the proprietary cgi product we use > is owned by root and suid's to the user who owns the script that it is > called to run. (This is not what I would call a "good idea," but it's what > I have to work with.) > > I've created a login class with the appropriate permissions, and > if I put a test user in that class and test its limits with normal system > processes (like ls, sleep, etc.) it follows all the rules. However when I > start miva (proprietary cgi) processes for scripts owned by that user, it > ignores the limits, presumably because the process starts its life as > root. > > Soooo, the question is, how can I do what I want to do, and if I > can't do it with login.conf does anyone have any other suggestions? > Specifically I need to restrict the amount of ram and the number of > processes on a per user basis. I'm working on a -current system, but I > don't think this issue bears directly on -current. You need to pester the vendor to correctly switch limits when they switch UIDs. Alternatively, if this is unlikely _and_ the application is dynamically linked, you could produce a library containing patched set*id functions and force it into the app using LD_PRELOAD. -- \\ The mind's the standard \\ Mike Smith \\ of the man. \\ msmith@freebsd.org \\ -- Joseph Merrick \\ msmith@cdrom.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message