Date: Tue, 2 Oct 2001 04:39:27 -0500 From: D J Hawkey Jr <hawkeyd@visi.com> To: Christian Kratzer <ck@cksoft.de>, freebsd-security@freebsd.org Cc: Peter Pentchev <roam@ringlet.net> Subject: Re: login.conf & FreeBSD 4.4 Message-ID: <20011002043927.A95391@sheol.localdomain> In-Reply-To: <Pine.LNX.4.33.0110020929530.7417-100000@localhost.cksoft.de>; from ck@cksoft.de on Tue, Oct 02, 2001 at 09:33:31AM %2B0200 References: <200110020907.f9297d695258@sheol.localdomain> <Pine.LNX.4.33.0110020929530.7417-100000@localhost.cksoft.de>
next in thread | previous in thread | raw e-mail | index | archive | help
On Oct 02, at 09:33 AM, Christian Kratzer wrote: > > Hi, > > On Tue, 2 Oct 2001, D J Hawkey Jr wrote: > > > In article <Pine.LNX.4.33.0110020953290.6866-100000_localhost.cksoft.de@ns.sol.net>, > > ck@cksoft.de writes: > > > > > > If you are talking about cgi scripts run by apache you might want to > > > patch suexec to do this. There is nothgin in apache that would normally > > > set the requested privilidges. > > > > > > we added following to apache-x-x-x/src/support/suexec.c to actually > > > enforce setting of resource limits. There is nothing in apache that would > > > normally set these up for you. > > > > > > [SNIP] > > > > Reading between the lines, are you saying that any app "not from FreeBSD" > > running on FreeBSD isn't likely to be accounted for because they pro'lly > > don't set up limiting resources (by way of the C function you hacked in)? > > > > Badly phrased, I know, but you get my drift? > > it's not as bad as you may think. > > Any user logging in through the "usual" channels like sshd,telnetd,console,etc... > should get the limits automatically setup for them. Running X apps remotely falls into the above group, I assume? > We only need to patch applications like apache which start child processes > and use seteuid() to change their effective uid etc... and are not aware of > the freebsd specific possibilities. This make sense [to me], but Peter seems to disagree. Can either of you address the other's position? > Greetings > Christian Thanks, Dave -- ______________________ ______________________ \__________________ \ D. J. HAWKEY JR. / __________________/ \________________/\ hawkeyd@visi.com /\________________/ http://www.visi.com/~hawkeyd/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011002043927.A95391>