Date: Sat, 17 Mar 2001 17:46:41 +0100 From: Gerhard Sittig <Gerhard.Sittig@gmx.net> To: freebsd-security@FreeBSD.ORG Subject: Re: Multiple vendors FTP denial of service Message-ID: <20010317174640.F20830@speedy.gsinet> In-Reply-To: <Pine.BSF.4.33.0103170911190.10083-100000@husten.security.at12.de>; from pherman@frenchfries.net on Sat, Mar 17, 2001 at 11:40:36AM %2B0100 References: <20010316213716.D20830@speedy.gsinet> <Pine.BSF.4.33.0103170911190.10083-100000@husten.security.at12.de>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Mar 17, 2001 at 11:40 +0100, Paul Herman wrote:
>
> The reality that only a select few daemons use /etc/login.conf
> is admittedly counter-intuitive. Perhaps this is more of a job
> for TrustedBSD's MAC policies, but it Would Be Nice if resource
> limits were set along with (e)uid. What do others think?
>
> Like I said, this could be done by wraping setusercontext()
> into setuid(), but it starts to get yucky when mixing userland
> login_cap functions with a system call. I'd be willing to come
> up with a patch for this, if it weren't so darn ugly.
>
> Would there be a cleaner way to do this?
Until there's an aggreed upon and clean solution, would a comment
at the top of /etc/login.conf raise attention? Maybe with
additional pointers to alternative solutions (wrapper scripts
with ulimit(builtin) and softlimit(1), accompanying setrlimit(2)
calls next to setuid(2) calls)?
--- login.conf 2001/03/17 16:39:33 1.1
+++ login.conf 2001/03/17 16:40:55
@@ -6,6 +6,8 @@
#
# This file controls resource limits, accounting limits and
# default user environment settings.
+# Keep in mind that settings might not always be obeyed
+# when daemons change their identity by means of setuid(2) et al.
#
# $FreeBSD: src/etc/login.conf,v 1.34.2.2 2000/06/02 20:53:55 alfred Exp $
#
virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010317174640.F20830>