From owner-freebsd-security Tue Oct 2 2:28:35 2001
Date: Tue, 2 Oct 2001 09:33:31 +0200 (CEST)
From: Christian Kratzer
To: D J Hawkey Jr
Cc: freebsd-security@freebsd.org
Subject: Re: login.conf & FreeBSD 4.4
In-Reply-To: <200110020907.f9297d695258@sheol.localdomain>

Hi,

On Tue, 2 Oct 2001, D J Hawkey Jr wrote:
> In article ,
> ck@cksoft.de writes:
> >
> > If you are talking about cgi scripts run by apache you might want to
> > patch suexec to do this. There is nothing in apache that would normally
> > set the requested privileges.
> >
> > we added the following to apache-x-x-x/src/support/suexec.c to actually
> > enforce setting of resource limits. There is nothing in apache that would
> > normally set these up for you.
> >
> > [SNIP]
>
> Reading between the lines, are you saying that any app "not from FreeBSD"
> running on FreeBSD isn't likely to be accounted for because they pro'lly
> don't set up limiting resources (by way of the C function you hacked in)?
>
> Badly phrased, I know, but you get my drift?

It's not as bad as you may think. Any user logging in through the "usual"
channels like sshd, telnetd, console, etc. should get the limits automatically
set up for them.

We only need to patch applications like apache which start child processes
and use seteuid() to change their effective uid etc. and are not aware of the
FreeBSD specific possibilities.

Of course it would now be nice if someone would get the apache group to add
an #ifdef FreeBSD to the suexec code.

Off the top of my head I cannot think of any other applications in the ISP
area that would require similar manual intervention.

Greetings
Christian

--
Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: ck@cksoft.de  Phone: +49 7452 889-135  Fax: +49 7452 889-136
FreeBSD spoken here!
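The point of the thread, that a daemon which switches identity with setuid()/seteuid() gets none of the login.conf(5) limits that login(1) and sshd apply through setusercontext(3), is illustrated below with an added example. It is not the patch from the thread and not Apache's suexec.c: it is a privilege-dropping helper that, on FreeBSD, resolves the target user's login class and applies the class's resource limits, priority and umask before any uid change would happen. On hosts without login_cap.h it falls back to explicit setrlimit(2) calls with constructed values (the `struct class_limits` type, the `fallback_class` values, the user name "www" and the function names are all assumptions made for this example). On FreeBSD, link with -lutil.

```c
/*
 * Added example (not from the thread or from Apache): apply a user's
 * login.conf class limits before dropping privileges.
 *
 * On FreeBSD this is what login(1)/sshd do via setusercontext(3); a daemon
 * that only calls setuid()/seteuid() skips it. On other systems the file
 * still compiles and falls back to plain setrlimit(2) with constructed values.
 *
 * Build on FreeBSD:  cc -o classlimits classlimits.c -lutil
 */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

#ifdef __FreeBSD__
#include <login_cap.h>
#endif

/* Constructed stand-in for a login.conf class entry such as
 *   :cputime=1h:\n:filesize=1g:\n:openfiles=256:
 * (values are assumptions for this example). */
struct class_limits {
    rlim_t cputime_sec;
    rlim_t filesize_bytes;
    rlim_t openfiles;
};

const struct class_limits fallback_class = { 3600, 1024UL * 1024 * 1024, 256 };

/* Lower one soft limit: never raise it and never exceed the hard limit,
 * so this works without root and inside already-constrained sandboxes. */
static int lower_soft_limit(int resource, rlim_t want)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0)
        return -1;
    if (rl.rlim_max != RLIM_INFINITY && want > rl.rlim_max)
        want = rl.rlim_max;
    if (rl.rlim_cur == RLIM_INFINITY || want < rl.rlim_cur)
        rl.rlim_cur = want;
    return setrlimit(resource, &rl);
}

/* Apply the class limits for `user` to the calling process.
 * Returns 0 on success, -1 on error (errno set; ENOENT for an unknown user). */
int apply_class_limits(const char *user, const struct class_limits *fallback)
{
#ifdef __FreeBSD__
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        errno = ENOENT;
        return -1;
    }
    /* login_getpwclass() resolves pw->pw_class ("default", or "root" for
     * uid 0, when unset) from /etc/login.conf. */
    login_cap_t *lc = login_getpwclass(pw);
    if (lc == NULL)
        return -1;
    /* Only the limit-related parts here. A suexec-style helper that also
     * switches identity would add LOGIN_SETUSER|LOGIN_SETGROUP (or use
     * LOGIN_SETALL) instead of calling setuid()/seteuid() itself. */
    int rc = setusercontext(lc, pw, pw->pw_uid,
                            LOGIN_SETRESOURCES | LOGIN_SETPRIORITY | LOGIN_SETUMASK);
    login_close(lc);
    (void)fallback;
    return rc;
#else
    (void)user;   /* no login.conf here: use the constructed class values */
    if (lower_soft_limit(RLIMIT_CPU, fallback->cputime_sec) != 0)
        return -1;
    if (lower_soft_limit(RLIMIT_FSIZE, fallback->filesize_bytes) != 0)
        return -1;
    if (lower_soft_limit(RLIMIT_NOFILE, fallback->openfiles) != 0)
        return -1;
    return 0;
#endif
}

/* Read back the soft limits so a caller can confirm enforcement took effect.
 * Returns 1 if both are at or below the given bounds, 0 otherwise. */
int limits_at_most(rlim_t max_openfiles, rlim_t max_cputime_sec)
{
    struct rlimit nf, cpu;
    if (getrlimit(RLIMIT_NOFILE, &nf) != 0 || getrlimit(RLIMIT_CPU, &cpu) != 0)
        return 0;
    return nf.rlim_cur <= max_openfiles && cpu.rlim_cur <= max_cputime_sec;
}

int main(void)
{
    if (apply_class_limits("www", &fallback_class) != 0) {
        perror("apply_class_limits");
        return 1;
    }
    printf("limits within openfiles<=256, cputime<=3600s: %s\n",
           limits_at_most(256, 3600) ? "yes" : "no");
    return 0;
}
```

The order matters for the same reason the thread gives for patching suexec: the limits have to be applied in the child after the target user is known and before the program that will run as that user is exec'd; applying them in the parent would constrain the server itself rather than the per-user process.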