On Wed, 30 Mar 2005, Wiktor wrote:
> my xmms problem is unimportant here, i've posted this thread to propose
> some new feature in filesystem, not to solve problem with multimedia player!
You don't need a solution if there is no problem.
> max renice ulimit is quite good idea, but it allows to change nice of
> *any* process user has permissions to.
In both of your examples (including the one below), the same thing
applies.
> it could be implemented also, but
> the idea of 'nice' file attribute is to allow *only* some process be
> run with lower nice. what's more, that nice would be *always* the same
> (at process startup)!
> example:
> web server runs as user www. it spawns perl interpreter that root wants
> to be run with lower nice, but he doesn't want to allow 'www' user to
> renice *any* process (for eg. this user is shared with webmaster, and
> webmaster is malicious person; i know, the webmaster could have another
> accout, but maybe for some file-ownership reasons, root doesn't want to
> create special account for him).
chown root.root /usr/local/cgi-bin/somescript
chmod 755 /usr/local/cgi-bin/somescript
---/etc/su1.priv---
alias somescript /usr/bin/nice -n -5 su wwwrun -- exec
/usr/local/cgi-bin/somescript.pl
ask never
allow wwwrun prefix somescript
---
ln -s /usr/bin/su1 /srv/wwwroot/cgi-bin/somescript
If you need the same command for a group of users, you can use a wrapper
scritp that will look at the $HOME variable (which is set from
/etc/passwd)
> in this situation, setting nice-attribute for /usr/bin/perl solves the
> problem.
perl -e'exec("/bin/sh");' would grant nice privileges to anybody, and
that's not nice!
> remember, that this feature would also provide an easy way to
> increase nice level.
Not for running processes.
> it can be done with shell script, but setting nice
> value in file attributes is cleaner and easier to manage.
Obviously not.
--
Top 100 things you don't want the sysadmin to say:
35. Ummm... Didn't you say you turned it off?
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
