On Thu, 5 Aug 1999, Mike Smith wrote:
> > I am working on some resource limit stuff and would like to be
> > able to use login.conf to restrict the number of cgi processes that
> > certain users can run. Unfortunately, the proprietary cgi product we use
> > is owned by root and suid's to the user who owns the script that it is
> > called to run. (This is not what I would call a "good idea," but it's what
> > I have to work with.)
> >
> > I've created a login class with the appropriate permissions, and
> > if I put a test user in that class and test its limits with normal system
> > processes (like ls, sleep, etc.) it follows all the rules. However when I
> > start miva (proprietary cgi) processes for scripts owned by that user, it
> > ignores the limits, presumably because the process starts its life as
> > root.
> >
> > Soooo, the question is, how can I do what I want to do, and if I
> > can't do it with login.conf does anyone have any other suggestions?
> > Specifically I need to restrict the amount of ram and the number of
> > processes on a per user basis. I'm working on a -current system, but I
> > don't think this issue bears directly on -current.
>
> You need to pester the vendor to correctly switch limits when they
> switch UIDs.
>
> Alternatively, if this is unlikely _and_ the application is dynamically
> linked, you could produce a library containing patched set*id functions
> and force it into the app using LD_PRELOAD.
Grrrfl. Ok, that's what I thought, but I do appreciate the
confirmation. We have a pretty good relationship with the vendor so I'll
take that route first.
Thanks,
Doug
--
On account of being a democracy and run by the people, we are the only
nation in the world that has to keep a government four years, no matter
what it does.
-- Will Rogers
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
