From owner-freebsd-security Tue Oct 2 2:39:38 2001
Date: Tue, 2 Oct 2001 04:39:27 -0500
From: D J Hawkey Jr
To: Christian Kratzer, freebsd-security@freebsd.org
Cc: Peter Pentchev
Subject: Re: login.conf & FreeBSD 4.4
Message-ID: <20011002043927.A95391@sheol.localdomain>
Reply-To: hawkeyd@visi.com
References: <200110020907.f9297d695258@sheol.localdomain>
In-Reply-To: from ck@cksoft.de on Tue, Oct 02, 2001 at 09:33:31AM +0200
User-Agent: Mutt/1.2.5i

On Oct 02, at 09:33 AM, Christian Kratzer wrote:
>
> Hi,
>
> On Tue, 2 Oct 2001, D J Hawkey Jr wrote:
>
> > In article ,
> > ck@cksoft.de writes:
> > >
> > > If you are talking about cgi scripts run by apache you might want to
> > > patch suexec to do this. There is nothing in apache that would normally
> > > set the requested privileges.
> > >
> > > we added following to apache-x-x-x/src/support/suexec.c to actually
> > > enforce setting of resource limits. There is nothing in apache that would
> > > normally set these up for you.
> > >
> > > [SNIP]
> >
> > Reading between the lines, are you saying that any app "not from FreeBSD"
> > running on FreeBSD isn't likely to be accounted for because they pro'lly
> > don't set up limiting resources (by way of the C function you hacked in)?
> >
> > Badly phrased, I know, but you get my drift?
>
> it's not as bad as you may think.
>
> Any user logging in through the "usual" channels like sshd, telnetd, console, etc...
> should get the limits automatically set up for them.

Running X apps remotely falls into the above group, I assume?

> We only need to patch applications like apache which start child processes
> and use seteuid() to change their effective uid etc... and are not aware of
> the freebsd specific possibilities.

This makes sense [to me], but Peter seems to disagree. Can either of you
address the other's position?

> Greetings
> Christian

Thanks,
Dave

--
 ______________________                     ______________________
 \__________________   \   D. J. HAWKEY JR.   /   __________________/
    \________________/\   hawkeyd@visi.com   /\________________/
                         http://www.visi.com/~hawkeyd/
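The suexec patch Christian refers to is snipped above. As an added illustration that is not the thread's patch and not FreeBSD's own setusercontext(3) (which is what a FreeBSD program would actually call, with LOGIN_SETRESOURCES), here is a portable C sketch of what that missing step amounts to: read the resource capabilities of a login.conf record and push them into the process with setrlimit(2) before it changes uid and exec()s the CGI. The capability names and suffix rules follow login.conf(5); the record strings are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
/* login.conf(5) resource caps and the rlimit each maps to; kind: 't' time (s/m/h), 'b' bytes (k/m/g), 'n' count */
struct cap_map { const char *name; int resource; char kind; };
static const struct cap_map CAPS[] = {
    {"cputime", RLIMIT_CPU, 't'}, {"filesize", RLIMIT_FSIZE, 'b'}, {"datasize", RLIMIT_DATA, 'b'},
    {"stacksize", RLIMIT_STACK, 'b'}, {"coredumpsize", RLIMIT_CORE, 'b'}, {"memoryuse", RLIMIT_RSS, 'b'},
    {"openfiles", RLIMIT_NOFILE, 'n'}, {"maxproc", RLIMIT_NPROC, 'n'},
};
struct limit_entry { int resource; rlim_t value; };
/* Turn "1h", "64M", "256" or "unlimited" into a number, using the suffix rules for its kind. */
static rlim_t parse_value(const char *s, char kind) {
    char *end; unsigned long long v;
    if (strcmp(s, "unlimited") == 0) return RLIM_INFINITY;
    v = strtoull(s, &end, 10);
    switch (tolower((unsigned char)*end)) {
    case 'k': v <<= 10; break;
    case 'm': v = (kind == 't') ? v * 60 : v << 20; break;   /* minutes vs. megabytes */
    case 'g': v <<= 30; break;
    case 'h': v *= 3600; break;
    }
    return (rlim_t)v;
}
/* Parse one record ("class:\ :cap=val:...") into out[]; returns entries filled. The -cur/-max split forms are not handled: one value sets both limits. */
int parse_login_limits(const char *record, struct limit_entry *out, int max) {
    char *copy = strdup(record), *tok, *save; int n = 0;
    if (copy == NULL) return -1;
    for (tok = strtok_r(copy, ":", &save); tok != NULL && n < max; tok = strtok_r(NULL, ":", &save)) {
        while (*tok != '\0' && (isspace((unsigned char)*tok) || *tok == '\\')) tok++;
        const char *eq = strchr(tok, '=');
        if (eq == NULL) continue;                       /* class name or bare continuation */
        for (size_t i = 0; i < sizeof CAPS / sizeof CAPS[0]; i++) {
            if (strlen(CAPS[i].name) != (size_t)(eq - tok) || strncmp(CAPS[i].name, tok, eq - tok) != 0) continue;
            out[n++] = (struct limit_entry){ CAPS[i].resource, parse_value(eq + 1, CAPS[i].kind) };
            break;
        }
    }
    free(copy); return n;
}
/* The step a suexec-style wrapper leaves out: push the class limits into the process before exec(). */
int apply_login_limits(const struct limit_entry *e, int n) {
    for (int i = 0; i < n; i++) {
        struct rlimit rl = { e[i].value, e[i].value };
        if (setrlimit(e[i].resource, &rl) != 0) return -1;
    }
    return n;
}
```

Because setrlimit(2) only lets an unprivileged process lower its hard limits, the limits must be applied while the wrapper still runs as root, before the uid switch.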