Date: Thu, 05 Aug 1999 10:55:14 -0700 From: Mike Smith <mike@smith.net.au> To: Doug <Doug@gorean.org> Cc: freebsd-hackers@freebsd.org Subject: Re: login.conf restrictions for suid processes possible? (fwd) Message-ID: <199908051755.KAA13017@dingo.cdrom.com> In-Reply-To: Your message of "Thu, 05 Aug 1999 10:53:37 PDT." <Pine.BSF.4.05.9908051052410.847-100000@dt011n65.san.rr.com>
next in thread | previous in thread | raw e-mail | index | archive | help
> I am working on some resource limit stuff and would like to be > able to use login.conf to restrict the number of cgi processes that > certain users can run. Unfortunately, the proprietary cgi product we use > is owned by root and suid's to the user who owns the script that it is > called to run. (This is not what I would call a "good idea," but it's what > I have to work with.) > > I've created a login class with the appropriate permissions, and > if I put a test user in that class and test its limits with normal system > processes (like ls, sleep, etc.) it follows all the rules. However when I > start miva (proprietary cgi) processes for scripts owned by that user, it > ignores the limits, presumably because the process starts its life as > root. > > Soooo, the question is, how can I do what I want to do, and if I > can't do it with login.conf does anyone have any other suggestions? > Specifically I need to restrict the amount of ram and the number of > processes on a per user basis. I'm working on a -current system, but I > don't think this issue bears directly on -current. You need to pester the vendor to correctly switch limits when they switch UIDs. Alternatively, if this is unlikely _and_ the application is dynamically linked, you could produce a library containing patched set*id functions and force it into the app using LD_PRELOAD. -- \\ The mind's the standard \\ Mike Smith \\ of the man. \\ msmith@freebsd.org \\ -- Joseph Merrick \\ msmith@cdrom.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199908051755.KAA13017>