From: John Polstra
Date: Thu, 5 Aug 1999 11:13:57 -0700 (PDT)
Message-Id: <199908051813.LAA04237@vashon.polstra.com>
To: mike@smith.net.au
Subject: Re: login.conf restrictions for suid processes possible? (fwd)
In-Reply-To: <199908051755.KAA13017@dingo.cdrom.com>
Organization: Polstra & Co., Seattle, WA
Cc: hackers@freebsd.org

In article <199908051755.KAA13017@dingo.cdrom.com>,
Mike Smith wrote:
> > I am working on some resource limit stuff and would like to be
> > able to use login.conf to restrict the number of cgi processes that
> > certain users can run. Unfortunately, the proprietary cgi product we use
> > is owned by root and suid's to the user who owns the script that it is
> > called to run. (This is not what I would call a "good idea," but it's what
> > I have to work with.)
[...]
> You need to pester the vendor to correctly switch limits when they
> switch UIDs.
>
> Alternatively, if this is unlikely _and_ the application is dynamically
> linked, you could produce a library containing patched set*id functions
> and force it into the app using LD_PRELOAD.

N.B., LD_PRELOAD won't work if the program is setuid or setgid. I'm
not 100% sure from the original post whether that's the case or not.

John
--
  John Polstra                                jdp@polstra.com
  John D. Polstra & Co., Inc.                 Seattle, Washington USA
  "No matter how cynical I get, I just can't keep up."  -- Nora Ephron