Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 17 Mar 2001 17:46:41 +0100
From:      Gerhard Sittig <Gerhard.Sittig@gmx.net>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: Multiple vendors FTP denial of service
Message-ID:  <20010317174640.F20830@speedy.gsinet>
In-Reply-To: <Pine.BSF.4.33.0103170911190.10083-100000@husten.security.at12.de>; from pherman@frenchfries.net on Sat, Mar 17, 2001 at 11:40:36AM %2B0100
References:  <20010316213716.D20830@speedy.gsinet> <Pine.BSF.4.33.0103170911190.10083-100000@husten.security.at12.de>

next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Mar 17, 2001 at 11:40 +0100, Paul Herman wrote:
> 
> The reality that only a select few daemons use /etc/login.conf
> is admittedly counter-intuitive.  Perhaps this is more of a job
> for TrustedBSD's MAC policies, but it Would Be Nice if resource
> limits were set along with (e)uid.  What do others think?
> 
> Like I said, this could be done by wraping setusercontext()
> into setuid(), but it starts to get yucky when mixing userland
> login_cap functions with a system call.  I'd be willing to come
> up with a patch for this, if it weren't so darn ugly.
> 
> Would there be a cleaner way to do this?

Until there's an aggreed upon and clean solution, would a comment
at the top of /etc/login.conf raise attention?  Maybe with
additional pointers to alternative solutions (wrapper scripts
with ulimit(builtin) and softlimit(1), accompanying setrlimit(2)
calls next to setuid(2) calls)?

--- login.conf  2001/03/17 16:39:33     1.1
+++ login.conf  2001/03/17 16:40:55
@@ -6,6 +6,8 @@
 #
 # This file controls resource limits, accounting limits and
 # default user environment settings.
+# Keep in mind that settings might not always be obeyed
+# when daemons change their identity by means of setuid(2) et al.
 #
 # $FreeBSD: src/etc/login.conf,v 1.34.2.2 2000/06/02 20:53:55 alfred Exp $
 #


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010317174640.F20830>