From owner-freebsd-hackers Thu Aug 5 12:29:45 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from dt011n65.san.rr.com (dt011n65.san.rr.com [204.210.13.101])
	by hub.freebsd.org (Postfix) with ESMTP id 35DC014D7C
	for ; Thu, 5 Aug 1999 12:29:42 -0700 (PDT)
	(envelope-from Doug@gorean.org)
Received: from localhost (doug@localhost)
	by dt011n65.san.rr.com (8.8.8/8.8.8) with ESMTP id MAA01877;
	Thu, 5 Aug 1999 12:29:07 -0700 (PDT)
	(envelope-from Doug@gorean.org)
Date: Thu, 5 Aug 1999 12:29:07 -0700 (PDT)
From: Doug
X-Sender: doug@dt011n65.san.rr.com
To: John Polstra
Cc: mike@smith.net.au, hackers@freebsd.org
Subject: Re: login.conf restrictions for suid processes possible? (fwd)
In-Reply-To: <199908051813.LAA04237@vashon.polstra.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, 5 Aug 1999, John Polstra wrote:

> In article <199908051755.KAA13017@dingo.cdrom.com>,
> Mike Smith wrote:
> > > I am working on some resource limit stuff and would like to be
> > > able to use login.conf to restrict the number of cgi processes that
> > > certain users can run. Unfortunately, the proprietary cgi product we use
> > > is owned by root and suid's to the user who owns the script that it is
> > > called to run. (This is not what I would call a "good idea," but it's what
> > > I have to work with.)
> [...]
> > You need to pester the vendor to correctly switch limits when they
> > switch UIDs.
> >
> > Alternatively, if this is unlikely _and_ the application is dynamically
> > linked, you could produce a library containing patched set*id functions
> > and force it into the app using LD_PRELOAD.
>
> N.B., LD_PRELOAD won't work if the program is setuid or setgid. I'm
> not 100% sure from the original post whether that's the case or not.

Yes, the program is owned by root, has permissions -rwsr-xr-t and
suid's to the user who owns the script it's called to run.

I'm aware that the sticky bit is ignored on BSD for executables, but
that's how it comes from the vendor so my boss doesn't want to mess with
it.

Thanks,

Doug
--
On account of being a democracy and run by the people, we are the only
nation in the world that has to keep a government four years, no matter
what it does.
                -- Will Rogers
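
The advice quoted in this thread, "correctly switch limits when they switch UIDs", shown as an added example (not code from the thread or from the vendor's product): a root-owned program applies the target user's resource limits while it is still root, then drops privileges and confirms the drop is permanent. `become_user` and `fallback_nproc` are hypothetical names; on FreeBSD the limits come from the user's login.conf class via setusercontext(3), elsewhere an assumed fixed process cap stands in for it.

```c
#define _DEFAULT_SOURCE          /* glibc: expose initgroups() */
#include <sys/types.h>
#include <sys/resource.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <login_cap.h>           /* setusercontext(3), link with -lutil */
#endif

/* Become the user in pw, applying that user's limits while still root.
 * fallback_nproc is an assumed per-user process cap, used only on systems
 * without login.conf. Returns 0 on success, -1 on failure. */
int become_user(const struct passwd *pw, rlim_t fallback_nproc)
{
#ifdef __FreeBSD__
    (void)fallback_nproc;
    /* Login-class limits from login.conf, then groups/gid, then uid. */
    if (setusercontext(NULL, pw, pw->pw_uid,
            LOGIN_SETRESOURCES | LOGIN_SETGROUP | LOGIN_SETUSER) != 0)
        return -1;
#else
    struct rlimit rl = { fallback_nproc, fallback_nproc };
    /* Limits first: they are inherited, not looked up again on setuid(). */
    if (setrlimit(RLIMIT_NPROC, &rl) != 0)
        return -1;
    if (geteuid() == 0 && initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
#endif
    /* The drop must be permanent: regaining root has to fail. */
    if (pw->pw_uid != 0 && setuid(0) == 0)
        return -1;
    return (getuid() == pw->pw_uid && geteuid() == pw->pw_uid) ? 0 : -1;
}

int main(void)
{
    /* Demo: drop to the invoking (real) user, as a setuid-root binary would. */
    struct passwd *pw = getpwuid(getuid());
    struct rlimit rl;
    if (pw == NULL || become_user(pw, 64) != 0)
        return 1;                /* fail closed: never run with root's limits */
    if (getrlimit(RLIMIT_NPROC, &rl) != 0)
        return 1;
    printf("uid=%ld maxproc=%llu\n", (long)getuid(), (unsigned long long)rl.rlim_cur);
    return 0;
}
```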