From owner-freebsd-security Tue Oct 2 4: 0:32 2001
From: "Magdalinin Kirill"
To: ck@cksoft.de, simplyi@skif.net
Cc: security@FreeBSD.ORG
Subject: Re: Re: login.conf & FreeBSD 4.4
Date: Tue, 02 Oct 2001 15:00:25 +0400

I didn't find out why, but a similar patch that was used on a busy web server on a 4.1R box caused serious problems: cpu limits worked fine and did kill cgi's, but memory limits caused the server to stall, because child processes were not being killed when they reached their limit.

These links might be helpful:

http://www.freebsd.org/cgi/query-pr.cgi?pr=13606
http://www.freebsd.org/cgi/getmsg.cgi?fetch=28683+32382+/usr/local/www/db/text/2000/freebsd-isp/20000806.freebsd-isp

I tried them both, but as I said, not for memory limiting.

P.S.: apache RLimit directives seem not to work

Kirill Magdalinin
magcyril@hotmail.com

>From: Christian Kratzer
>To: Igor Melnichuk
>CC:
>Subject: Re: login.conf & FreeBSD 4.4
>Date: Tue, 2 Oct 2001 09:59:12 +0200 (CEST)
>
>Hi,
>
>On Tue, 2 Oct 2001, Igor Melnichuk wrote:
>
> > I need advice.
> >
> > I have a server with FreeBSD 4.4 RELEASE installed.
> >
> > To limit users I've created a new class "webuser" in login.conf (fixed limits on resources: max mem usage, cpu time, core dump size) and did all the necessary steps (compiled the database with `cap_mkdb /etc/login.conf` and assigned the new class to the user with `chclass user1`).
> >
> > But in fact this does _not_ work when I log in as user1 or run a perl script (infinite loop) with his privileges.
> >
> > On a machine with FreeBSD 4.3 RELEASE this works well (the kernel kills the script according to the login.conf rules).
> >
> > Any ideas ?
> >
> > PS I've read the FreeBSD 4.4-RELEASE Errata (http://www.freebsd.org/releases/4.4R/errata.html), 2 Security Advisories (Support for per-user ~/.login_conf files). I believe it has no relation to the problem.
> >
> > login.conf
> > --------------
> > webuser:\
> >         :cputime=10s:\
> >         :filesize=unlimited:\
> >         :datasize=20M:\
> >         :stacksize=20M:\
> >         :coredumpsize=unlimited:\
> >         :memoryuse=20M:\
> >         :memorylocked=20M:\
> >         :maxproc=20:\
> >         :openfiles=20:\
> >         :priority=0:
> > ---------------
>
>If you are talking about cgi scripts run by apache you might want to
>patch suexec to do this. There is nothing in apache that would normally
>set the requested privileges.
>
>we added the following to apache-x-x-x/src/support/suexec.c to actually
>enforce setting of resource limits. There is nothing in apache that would
>normally set these up for you.
>
> At the top after the includes
> ---snipp---
> #include
>
> #ifdef __FreeBSD__
> # include <login_cap.h>
> #endif
>
> #include "suexec.h"
> ---snipp---
>
> Further to the bottom shortly before setting the euid
> ---snipp---
> #ifdef __FreeBSD__
> /*
>  * set resource limits from /etc/login.conf
>  * allows one to limit cpu and memory consumption by cgi's
>  */
> setclasscontext("apache-suexec", LOGIN_SETRESOURCES|LOGIN_SETPRIORITY);
> #endif
>
> /*
>  * setuid() to the target user. Error out on fail.
>  */
> if ((setuid(uid)) != 0) {
>     log_err("emerg: failed to setuid (%ld: %s)\n", uid, cmd);
>     exit(110);
> }
> ---snipp---
>
>Greetings
>Christian
>
>--
>Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
>Email: ck@cksoft.de
>Phone: +49 7452 889-135
>Fax: +49 7452 889-136 FreeBSD spoken here!
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
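The behaviour Kirill reports (cputime limits kill the CGI, memory limits leave it running until the server stalls) follows from how the two kinds of rlimit are enforced, and the following added example shows it on any POSIX system. It is not code from the thread or from the suexec patch above, and its constants (1 s soft / 3 s hard CPU, 64 MiB of address space, a 2 s guard) and function names are this example's own choices. RLIMIT_CPU (login.conf `cputime`) is enforced asynchronously: the kernel sends SIGXCPU at the soft limit and SIGKILL at the hard limit, and a process that does not handle SIGXCPU is terminated by it. Allocation limits are enforced synchronously: the mmap()/brk() call fails with ENOMEM, malloc() returns NULL, and nothing terminates the process; a CGI or handler that does not check that return value just keeps going, which is exactly a stall. Two caveats on the login.conf keywords: `memoryuse` maps to RLIMIT_RSS, which the kernel treats as a paging hint rather than an enforced cap, so it never kills anything; and `datasize` maps to RLIMIT_DATA, which covers the data segment, whereas the example uses RLIMIT_AS so that mmap()-backed allocations are counted regardless of allocator.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* How a child run under a resource limit ended. */
enum outcome { OUTCOME_SIGNALED, OUTCOME_EXITED, OUTCOME_STALLED, OUTCOME_ERROR };

#define EXIT_NOMEM      2   /* careful child: gave up when malloc() failed */
#define EXIT_SETRLIMIT 99   /* child: could not apply the limit */
#define CHUNK (1u << 20)    /* 1 MiB per allocation (example's own choice) */

static void *chain;         /* keeps every allocation reachable, so nothing is optimised away */

/* Fork, apply one rlimit in the child, run fn() there and report how it ended.
 * The parent gives up after guard_sec of wall time and kills the child itself:
 * that is the "stall" case, a child that neither exits nor is killed by the limit.
 * *detail receives the terminating signal or the exit status. */
static int run_limited(int resource, rlim_t soft, rlim_t hard,
                       int (*fn)(void), int guard_sec, int *detail)
{
    pid_t pid = fork();
    if (pid < 0)
        return OUTCOME_ERROR;
    if (pid == 0) {
        struct rlimit cur, rl, nocore = { 0, 0 };
        setrlimit(RLIMIT_CORE, &nocore);      /* SIGXCPU's default action dumps core; skip that */
        if (getrlimit(resource, &cur) == 0 && hard > cur.rlim_max)
            hard = cur.rlim_max;              /* never try to raise an inherited hard limit */
        rl.rlim_cur = soft < hard ? soft : hard;
        rl.rlim_max = hard;
        if (setrlimit(resource, &rl) != 0)
            _exit(EXIT_SETRLIMIT);
        _exit(fn());
    }
    struct timespec tick = { 0, 50L * 1000 * 1000 };  /* poll every 50 ms */
    for (int i = 0; i < guard_sec * 20; i++) {
        int status;
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid) {
            if (WIFSIGNALED(status)) { *detail = WTERMSIG(status); return OUTCOME_SIGNALED; }
            *detail = WEXITSTATUS(status);
            return OUTCOME_EXITED;
        }
        if (r < 0)
            return OUTCOME_ERROR;
        nanosleep(&tick, NULL);
    }
    kill(pid, SIGKILL);                       /* the guard, not the limit, ends it */
    waitpid(pid, NULL, 0);
    *detail = 0;
    return OUTCOME_STALLED;
}

/* A runaway CGI as RLIMIT_CPU sees it: pure compute, never returns. */
static int cpu_burner(void)
{
    volatile unsigned long spin = 0;
    for (;;)
        spin++;
}

/* Allocates and touches memory until the kernel refuses, then keeps retrying:
 * the limit makes malloc() return NULL, but nothing terminates the process. */
static int memory_hog_careless(void)
{
    for (;;) {
        char *p = malloc(CHUNK);
        if (p == NULL)
            continue;                         /* "try again": spins forever */
        memset(p, 0xA5, CHUNK);
        *(void **)p = chain; chain = p;
    }
}

/* Same allocation pattern, but treats a failed malloc() as fatal. */
static int memory_hog_careful(void)
{
    for (;;) {
        char *p = malloc(CHUNK);
        if (p == NULL)
            return EXIT_NOMEM;
        memset(p, 0xA5, CHUNK);
        *(void **)p = chain; chain = p;
    }
}

/* cputime-style limit, soft 1 s / hard 3 s: expect OUTCOME_SIGNALED with SIGXCPU. */
int demo_cpu_limit(int *detail) { return run_limited(RLIMIT_CPU, 1, 3, cpu_burner, 30, detail); }

/* 64 MiB address-space limit, careless child: expect OUTCOME_STALLED (guard had to kill it). */
int demo_memory_limit_careless(int *detail)
{ return run_limited(RLIMIT_AS, 64u << 20, 64u << 20, memory_hog_careless, 2, detail); }

/* Same limit, careful child: expect OUTCOME_EXITED with EXIT_NOMEM. */
int demo_memory_limit_careful(int *detail)
{ return run_limited(RLIMIT_AS, 64u << 20, 64u << 20, memory_hog_careful, 10, detail); }

int main(void)
{
    int d, r;
    r = demo_cpu_limit(&d);
    printf("RLIMIT_CPU:         %s (signal %d, SIGXCPU is %d)\n",
           r == OUTCOME_SIGNALED ? "child terminated by signal" : "child NOT killed", d, SIGXCPU);
    r = demo_memory_limit_careless(&d);
    printf("RLIMIT_AS careless: %s\n",
           r == OUTCOME_STALLED ? "child stalled, parent had to kill it" : "child ended on its own");
    r = demo_memory_limit_careful(&d);
    printf("RLIMIT_AS careful:  child exited with status %d (EXIT_NOMEM is %d)\n", d, EXIT_NOMEM);
    return 0;
}
```

Build with `cc -o rlimit-demo rlimit-demo.c` and run it: the first child is terminated by SIGXCPU after about a second of CPU time, the second never ends on its own and is killed by the parent's guard, and the third exits cleanly with EXIT_NOMEM. The practical consequence for the setup in the thread is that a memory limit applied through login.conf and suexec is only a kill switch when it is paired with a `cputime` limit (so a child spinning on failed allocations eventually dies) or with a parent that watches and reaps its children; on its own it only makes allocations fail.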