From owner-freebsd-hackers Thu Aug 5 12:22:19 1999 Delivered-To: freebsd-hackers@freebsd.org Received: from dt011n65.san.rr.com (dt011n65.san.rr.com [204.210.13.101]) by hub.freebsd.org (Postfix) with ESMTP id 0D61F14D41 for ; Thu, 5 Aug 1999 12:22:10 -0700 (PDT) (envelope-from Doug@gorean.org) Received: from localhost (doug@localhost) by dt011n65.san.rr.com (8.8.8/8.8.8) with ESMTP id MAA01819; Thu, 5 Aug 1999 12:21:56 -0700 (PDT) (envelope-from Doug@gorean.org) Date: Thu, 5 Aug 1999 12:21:56 -0700 (PDT) From: Doug X-Sender: doug@dt011n65.san.rr.com To: Mike Smith Cc: freebsd-hackers@freebsd.org Subject: Re: login.conf restrictions for suid processes possible? (fwd) In-Reply-To: <199908051755.KAA13017@dingo.cdrom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Thu, 5 Aug 1999, Mike Smith wrote: > > I am working on some resource limit stuff and would like to be > > able to use login.conf to restrict the number of cgi processes that > > certain users can run. Unfortunately, the proprietary cgi product we use > > is owned by root and suid's to the user who owns the script that it is > > called to run. (This is not what I would call a "good idea," but it's what > > I have to work with.) > > > > I've created a login class with the appropriate permissions, and > > if I put a test user in that class and test its limits with normal system > > processes (like ls, sleep, etc.) it follows all the rules. However when I > > start miva (proprietary cgi) processes for scripts owned by that user, it > > ignores the limits, presumably because the process starts its life as > > root. > > > > Soooo, the question is, how can I do what I want to do, and if I > > can't do it with login.conf does anyone have any other suggestions? > > Specifically I need to restrict the amount of ram and the number of > > processes on a per user basis. I'm working on a -current system, but I > > don't think this issue bears directly on -current. > > You need to pester the vendor to correctly switch limits when they > switch UIDs. > > Alternatively, if this is unlikely _and_ the application is dynamically > linked, you could produce a library containing patched set*id functions > and force it into the app using LD_PRELOAD. Grrrfl. Ok, that's what I thought, but I do appreciate the confirmation. We have a pretty good relationship with the vendor so I'll take that route first. Thanks, Doug -- On account of being a democracy and run by the people, we are the only nation in the world that has to keep a government four years, no matter what it does. -- Will Rogers To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message