bugtraq wrote:
> I want to ask you about a way to impose a total memory limit on a given
> process
> (in this case a daemon) under Linux. limits.conf and ulimit don't do the job because
> the limits
> take effect after the user logs in, but not when the process is started as
> root and drops its privileges. I tried starting the daemon with DJB's softlimit,
> but again that is no solution: the limits are for max memory per process, not
> for the total memory that can be used by the parent process. In short,
> a fork() and malloc() bomb can hang the server. In FreeBSD, for example,
> this problem is solved elegantly: in /etc/login.conf a vmemoryuse limit is set
> on the daemon login class, and it applies to everything started
> from rc. Again as an example, if with softlimit we set a limit of 150 processes with
> a maximum of 10MB of memory and start apache that way (a normal limit for apache with
> mod_perl & mod_php), it is easy to write something like this, which can be
> run via the web and hang the server:
> 
>  while (1)
>  {
>    fork();
>    malloc(512);
>  }
> 
> If anyone can share their experience I'd be grateful. 10x

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.12
http://www.dfdtech.net/linux/security/userlimits/

===
Resource Limits
Linux enforces various kinds of resource limits that might interfere with the
operation of your PostgreSQL server. Of importance are especially the limits on
the number of processes per user, the number of open files per process, and the
amount of memory available to a process. Each of these has a "hard" and a
"soft" limit. The soft limit is what actually counts but it can be changed by
the user up to the hard limit. The hard limit can only be changed by the root
user. The system call setrlimit is responsible for setting these parameters.
The shell's built-in command ulimit (Bourne shells) or limit (csh) is used to
control the resource limits from the command line.
===

===
There are some limitations with the current implementation of user resource
limits. The largest is that you can only apply resource limits per session.
There is no way at the moment to place a quota on the number of resources a
certain user may use globally on the system.

At the moment, there is also no way to limit what is called from crontab
(and possibly the same problem exists for at as well). Crontab enables a
user to launch a program at a specific time. There is no way to apply
resource limits to these launched programs in crontab's present form.

CGI scripts also pose a problem. I mentioned before that even if you
disallow shell access but still allow users to run CGI scripts, there
is the same risk involved that a user could use too many system resources.
The best way to limit this is to run all cgi scripts through a program called
cgiwrap (http://cgiwrap.unixtools.org/). You should specifically compile
cgiwrap with the --with-rlimit- settings to impose resource limits on all
CGI scripts. There does not appear to be a way to impose different limits
on different users' CGI scripts, however. The configuration of cgiwrap
is beyond the scope of this document, but it is highly recommended that
you look into using it.
===
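
The setrlimit behaviour quoted above (the soft limit is what counts, it can only be raised up to the hard limit, and limits are inherited by forked children) can be checked with this added example, which is not from the original thread: a parent forks a child, caps its RLIMIT_AS with soft == hard the way a daemon would before dropping root, and the child then tries a malloc(); the names cap_address_space, try_raise_soft and alloc_under_cap are chosen here.

```c
#include <errno.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Cap the caller's address space (RLIMIT_AS) with soft == hard, so that an
 * unprivileged process (the daemon after it drops root) can lower the limit
 * but never raise it again. */
static int cap_address_space(rlim_t bytes)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_AS, &rl) != 0) return -1;
    if (rl.rlim_max < bytes)      /* a hard limit cannot be raised without root */
        bytes = rl.rlim_max;
    rl.rlim_cur = rl.rlim_max = bytes;
    return setrlimit(RLIMIT_AS, &rl);
}

/* Raise only the soft limit of `resource` to `value`.  Returns 0 on success,
 * otherwise errno: EINVAL when the soft limit would exceed the hard one,
 * i.e. the "up to the hard limit" rule from the PostgreSQL excerpt. */
int try_raise_soft(int resource, rlim_t value)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0)
        return errno;
    rl.rlim_cur = value;
    return setrlimit(resource, &rl) == 0 ? 0 : errno;
}

/* Fork a child, cap it at `as_bytes`, then have it malloc() `alloc_bytes`.
 * Returns 1 if the allocation succeeded under the cap, 0 if malloc() returned
 * NULL (ENOMEM), -1 on a fork/wait error or if the cap could not be set. */
int alloc_under_cap(rlim_t as_bytes, size_t alloc_bytes)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (cap_address_space(as_bytes) != 0)
            _exit(2);
        /* A real daemon would setgid()/setuid() here; the limit is inherited
         * by every process it forks afterwards. */
        _exit(malloc(alloc_bytes) == NULL ? 1 : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : (WEXITSTATUS(status) == 1 ? 0 : -1);
}
```

RLIMIT_NPROC can be set the same way before the daemon drops root and is counted per real uid on Linux, which covers the fork() half of the bomb in the question; no rlimit caps the total memory of a user, which is exactly the gap the second excerpt describes.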


-- 
Georgi Chorbadzhiyski
http://georgi.unixsol.org/

============================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
============================================================================