Date: Thu, 5 Aug 1999 12:21:56 -0700 (PDT)
From: Doug <Doug@gorean.org>
To: Mike Smith <mike@smith.net.au>
Cc: freebsd-hackers@freebsd.org
Subject: Re: login.conf restrictions for suid processes possible? (fwd)
Message-ID: <Pine.BSF.4.05.9908051220350.1799-100000@dt011n65.san.rr.com>
In-Reply-To: <199908051755.KAA13017@dingo.cdrom.com>

On Thu, 5 Aug 1999, Mike Smith wrote:
> > I am working on some resource limit stuff and would like to be
> > able to use login.conf to restrict the number of cgi processes that
> > certain users can run. Unfortunately, the proprietary cgi product we use
> > is owned by root and suid's to the user who owns the script that it is
> > called to run. (This is not what I would call a "good idea," but it's what
> > I have to work with.)
> >
> > I've created a login class with the appropriate permissions, and
> > if I put a test user in that class and test its limits with normal system
> > processes (like ls, sleep, etc.) it follows all the rules. However when I
> > start miva (proprietary cgi) processes for scripts owned by that user, it
> > ignores the limits, presumably because the process starts its life as
> > root.
> >
> > Soooo, the question is, how can I do what I want to do, and if I
> > can't do it with login.conf does anyone have any other suggestions?
> > Specifically I need to restrict the amount of ram and the number of
> > processes on a per user basis. I'm working on a -current system, but I
> > don't think this issue bears directly on -current.
>
> You need to pester the vendor to correctly switch limits when they
> switch UIDs.
>
> Alternatively, if this is unlikely _and_ the application is dynamically
> linked, you could produce a library containing patched set*id functions
> and force it into the app using LD_PRELOAD.
Grrrfl. Ok, that's what I thought, but I do appreciate the
confirmation. We have a pretty good relationship with the vendor so I'll
take that route first.
Thanks,
Doug
--
On account of being a democracy and run by the people, we are the only
nation in the world that has to keep a government four years, no matter
what it does.
-- Will Rogers
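
The fix Mike Smith describes above (apply the limits at the point where the UID is switched), sketched as an added example; it is not code from this thread or from the vendor's product. It uses plain setrlimit(2) with constructed limit values instead of reading a login.conf class, and `cap_limit` and `switch_user` are hypothetical names.

```c
#define _DEFAULT_SOURCE          /* for setgroups() on glibc */
#include <sys/types.h>
#include <sys/resource.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Lower the soft and hard limit of `res` to at most `cap`; never raises one. */
int cap_limit(int res, rlim_t cap)
{
    struct rlimit rl;

    if (getrlimit(res, &rl) != 0)
        return -1;
    if (rl.rlim_max > cap)
        rl.rlim_max = cap;
    if (rl.rlim_cur > rl.rlim_max)
        rl.rlim_cur = rl.rlim_max;
    return setrlimit(res, &rl);
}

/* Apply per-user limits, then switch identity. The limits go first so they
 * are already in force when the process stops being root. 0 on success. */
int switch_user(uid_t uid, gid_t gid, rlim_t max_procs, rlim_t max_mem)
{
    if (cap_limit(RLIMIT_NPROC, max_procs) != 0 ||
        cap_limit(RLIMIT_AS, max_mem) != 0)
        return -1;
    /* Only root may replace the supplementary group list. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* A non-root target must not be able to get root back. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed values: 20 processes, 64 MiB of address space. */
    if (switch_user(getuid(), getgid(), 20, (rlim_t)64 << 20) != 0) {
        perror("switch_user");
        return 1;
    }
    /* The CGI interpreter would be exec'd here; it inherits the limits. */
    return 0;
}
```

On FreeBSD, setusercontext(3) can apply a login class's limits together with the UID change, which is the login.conf-aware form of the same step.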
