From owner-freebsd-security  Tue Oct  2  3:14: 5 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (straylight.ringlet.net [217.75.134.254])
	by hub.freebsd.org (Postfix) with SMTP id 79D2E37B40A
	for <freebsd-security@freebsd.org>; Tue,  2 Oct 2001 03:13:59 -0700 (PDT)
Received: (qmail 10179 invoked by uid 1000); 2 Oct 2001 10:02:49 -0000
Date: Tue, 2 Oct 2001 13:02:49 +0300
From: Peter Pentchev <roam@ringlet.net>
To: D J Hawkey Jr <hawkeyd@visi.com>
Cc: Christian Kratzer <ck@cksoft.de>, freebsd-security@freebsd.org
Subject: Re: login.conf & FreeBSD 4.4
Message-ID: <20011002130249.B704@ringworld.oblivion.bg>
Mail-Followup-To: D J Hawkey Jr <hawkeyd@visi.com>,
	Christian Kratzer <ck@cksoft.de>, freebsd-security@freebsd.org
References: <200110020907.f9297d695258@sheol.localdomain> <Pine.LNX.4.33.0110020929530.7417-100000@localhost.cksoft.de> <20011002043927.A95391@sheol.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011002043927.A95391@sheol.localdomain>; from hawkeyd@visi.com on Tue, Oct 02, 2001 at 04:39:27AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Tue, Oct 02, 2001 at 04:39:27AM -0500, D J Hawkey Jr wrote:
> On Oct 02, at 09:33 AM, Christian Kratzer wrote:
> > 
> > Hi,
> > 
> > On Tue, 2 Oct 2001, D J Hawkey Jr wrote:
> > 
> > > In article <Pine.LNX.4.33.0110020953290.6866-100000_localhost.cksoft.de@ns.sol.net>,
> > > 	ck@cksoft.de writes:
> > > >
> > > > If you are talking about cgi scripts run by apache you might want to
> > > > patch suexec to do this. There is nothgin in apache that would normally
> > > > set the requested privilidges.
> > > >
> > > > we added following to apache-x-x-x/src/support/suexec.c to actually
> > > > enforce setting of resource limits. There is nothing in apache that would
> > > > normally set these up for you.
> > > >
> > > > 	[SNIP]
> > >
> > > Reading between the lines, are you saying that any app "not from FreeBSD"
> > > running on FreeBSD isn't likely to be accounted for because they pro'lly
> > > don't set up limiting resources (by way of the C function you hacked in)?
> > >
> > > Badly phrased, I know, but you get my drift?
> > 
> > it's not as bad as you may think.
> > 
> > Any user logging in through the "usual" channels like sshd,telnetd,console,etc...
> > should get the limits automatically setup for them.
> 
> Running X apps remotely falls into the above group, I assume?
> 
> > We only need to patch applications like apache which start child processes
> > and use seteuid() to change their effective uid etc...  and are not aware of
> > the freebsd specific possibilities.
> 
> This make sense [to me], but Peter seems to disagree. Can either of you
> address the other's position?

I think Christian's right, and I'm sorry for the confusion which
my hasty reply brought :)  Of course the context needs only be set
once, when changing uid's.

G'luck,
Peter

-- 
What would this sentence be like if it weren't self-referential?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message