Date: Tue, 2 Oct 2001 09:33:31 +0200 (CEST) From: Christian Kratzer <ck@cksoft.de> To: D J Hawkey Jr <hawkeyd@visi.com> Cc: <freebsd-security@freebsd.org> Subject: Re: login.conf & FreeBSD 4.4 Message-ID: <Pine.LNX.4.33.0110020929530.7417-100000@localhost.cksoft.de> In-Reply-To: <200110020907.f9297d695258@sheol.localdomain>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi, On Tue, 2 Oct 2001, D J Hawkey Jr wrote: > In article <Pine.LNX.4.33.0110020953290.6866-100000_localhost.cksoft.de@ns.sol.net>, > ck@cksoft.de writes: > > > > If you are talking about cgi scripts run by apache you might want to > > patch suexec to do this. There is nothgin in apache that would normally > > set the requested privilidges. > > > > we added following to apache-x-x-x/src/support/suexec.c to actually > > enforce setting of resource limits. There is nothing in apache that would > > normally set these up for you. > > > > [SNIP] > > Reading between the lines, are you saying that any app "not from FreeBSD" > running on FreeBSD isn't likely to be accounted for because they pro'lly > don't set up limiting resources (by way of the C function you hacked in)? > > Badly phrased, I know, but you get my drift? it's not as bad as you may think. Any user logging in through the "usual" channels like sshd,telnetd,console,etc... should get the limits automatically setup for them. We only need to patch applications like apache which start child processes and use seteuid() to change their effective uid etc... and are not aware of the freebsd specific possibilities. Of course it would now be nice if someone would get the apache group to add an #ifdef FreeBSD to the suexec code. Of the top of my head I cannot think of any other applications in the isp area that would require similar manual intervention. Greetings Christian -- Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen Email: ck@cksoft.de Phone: +49 7452 889-135 Fax: +49 7452 889-136 FreeBSD spoken here! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.4.33.0110020929530.7417-100000>