On 02/02/2012 02:46 PM, Jeroen Ooms wrote:
> On Thu, Feb 2, 2012 at 2:07 PM, Seth Arnold <[email protected]> wrote:
> 
>> For your example of nproc 1 for a site, your server would get a single 
>> process to handle all incoming and outgoing traffic on all sites hosted on 
>> that server -- the root-owned master process doesn't handle any traffic.
> 
> Hmmm that is all a bit concerning. So in my application users are
> pretty much allowed to push custom code for our scientific program.
> The program needs some basic forking/shell functionality. Is there any
> way I can prevent a single user from fork-bombing or running too many
> parallel shell scripts, etc?
> 

via apparmor, with it being tied to a profile.  Not yet, it is one item
I am hoping to get to in the next cycle of dev.

However, if you are willing to step outside of apparmor then there may
be some hope, though it will take some setup.

The Linux kernel has something called cgroups, which is what we are
planning on tying apparmor profiles into.

They are also leveraged by other projects like lxc

http://www.mjmwired.net/kernel/Documentation/cgroups.txt
http://en.wikipedia.org/wiki/Cgroups

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
