ulimits tuning

2006-03-16 Thread MikeyG

Hi,
Can anyone tell me how the ulimits specified in the default login.conf 
are derived? Is it worth changing them if I have one or two+ gigs of ram?


I'd also like to force users to play nicer with each other in terms of 
resources. Some are running things which spawn dozens of hungry 
processes. However, it looks like most of these limits are on a per 
process rather than per user basis (AFAICT; the man pages don't say a 
lot) and don't cause graceful degradation when they're reached. I'm 
guessing these are really just a safety net to catch run-away processes.

Is there any better way to do this sort of thing?

Thanks
MikeG



Re: users filling partitions crashing system

2006-02-07 Thread MikeyG

Nick Holland wrote:



I question your diagnosis.
I just deliberately filled my /tmp partition.  System is still running 
fine (which actually is a pleasant surprise, as this machine has been 
horribly unstable the last few days.  Maybe I should have filled the 
/tmp partition long ago! :).


If you can crash your system by filling the /tmp partition, I think 
that would be better described as a bug that needs fixing rather than 
trying to work around it.


How about defining what you mean by crash, what message you are 
getting, etc.


Thanks Nick, I agree my diagnosis is very questionable. I just tried 
filling /tmp and the system is running fine. And I've seen other 
partitions fill up with no problems before.
I've put in place scripts to log as much info as possible and see what 
happens.  If it hasn't recurred by tonight I'll attempt to reproduce the 
same conditions.


Apologies, should have posted this info before. I see my session go link 
dead, the machine responds to pings for 30s or so but nothing else and 
then goes completely dead and reboots. /var/log/messages contains the 
following, other logs either contain the same info or nothing at all.


Is there any way to direct cores to be saved somewhere else?

Thanks all

Feb  6 10:00:01 boxname syslogd: restart
Feb  6 10:36:35 boxname syslogd: restart
Feb  6 10:36:35 boxname /bsd: OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 
00:01:57 MST 2005
Feb  6 10:36:35 boxname /bsd: 
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
Feb  6 10:36:35 boxname /bsd: cpu0: AMD-K6(tm) 3D processor 
(AuthenticAMD 586-class) 500 MHz

Feb  6 10:36:35 boxname /bsd: cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,PGE,MMX
Feb  6 10:36:35 boxname /bsd: real mem  = 198746112 (194088K)
Feb  6 10:36:35 boxname /bsd: avail mem = 174600192 (170508K)
Feb  6 10:36:35 boxname /bsd: using 2451 buffers containing 10039296 
bytes (9804K) of memory

Feb  6 10:36:35 boxname /bsd: mainbus0 (root)
Feb  6 10:36:35 boxname /bsd: bios0 at mainbus0: AT/286+(00) BIOS, date 
10/15/98, BIOS32 rev. 0 @ 0xfdb60

Feb  6 10:36:35 boxname /bsd: apm at bios0 function 0x15 not configured
Feb  6 10:36:35 boxname /bsd: pcibios0 at bios0: rev 2.1 @ 0xf/0x1
Feb  6 10:36:35 boxname /bsd: pcibios0: PCI IRQ Routing Table rev 1.0 @ 
0xf71b0/112 (5 entries)
Feb  6 10:36:35 boxname /bsd: pcibios0: PCI Interrupt Router at 000:01:0 
(SIS 85C503 System rev 0x00)

Feb  6 10:36:35 boxname /bsd: pcibios0: PCI bus #1 is the last bus
Feb  6 10:36:35 boxname /bsd: bios0: ROM list: 0xc/0x8000
Feb  6 10:36:35 boxname /bsd: cpu0 at mainbus0
Feb  6 10:36:35 boxname /bsd: pci0 at mainbus0 bus 0: configuration mode 
1 (no bios)
Feb  6 10:36:35 boxname /bsd: pchb0 at pci0 dev 0 function 0 SIS 530 
PCI rev 0x03
Feb  6 10:36:35 boxname /bsd: pciide0 at pci0 dev 0 function 1 SIS 5513 
EIDE rev 0xd0: 530: DMA, channel 0 configured to compatibility, channel 
1 configured to compatibility
Feb  6 10:36:36 boxname /bsd: wd0 at pciide0 channel 0 drive 0: Maxtor 
6Y080L0
Feb  6 10:36:36 boxname /bsd: wd0: 16-sector PIO, LBA, 78167MB, 
160086528 sectors
Feb  6 10:36:36 boxname /bsd: wd0(pciide0:0:0): using PIO mode 4, 
Ultra-DMA mode 2

Feb  6 10:36:36 boxname /bsd: wd1 at pciide0 channel 1 drive 0: ST3120022A
Feb  6 10:36:36 boxname /bsd: wd1: 16-sector PIO, LBA48, 114473MB, 
234441648 sectors
Feb  6 10:36:36 boxname /bsd: wd1(pciide0:1:0): using PIO mode 4, 
Ultra-DMA mode 4
Feb  6 10:36:36 boxname /bsd: pcib0 at pci0 dev 1 function 0 SIS 85C503 
System rev 0xb1
Feb  6 10:36:36 boxname /bsd: SIS 5595 System rev 0x00 at pci0 dev 1 
function 1 not configured
Feb  6 10:36:36 boxname /bsd: ohci0 at pci0 dev 1 function 2 SIS 
5597/5598 USB rev 0x11: irq 11, version 1.0, legacy support

Feb  6 10:36:36 boxname /bsd: ohci0: SMM does not respond, resetting
Feb  6 10:36:36 boxname /bsd: usb0 at ohci0: USB revision 1.0
Feb  6 10:36:36 boxname /bsd: uhub0 at usb0
Feb  6 10:36:36 boxname /bsd: uhub0: SIS OHCI root hub, class 9/0, rev 
1.00/1.00, addr 1

Feb  6 10:36:36 boxname /bsd: uhub0: 2 ports with 2 removable, self powered
Feb  6 10:36:36 boxname /bsd: ppb0 at pci0 dev 2 function 0 SIS 86C201 
AGP rev 0x00

Feb  6 10:36:36 boxname /bsd: pci1 at ppb0 bus 1
Feb  6 10:36:36 boxname /bsd: vga1 at pci1 dev 0 function 0 SIS 530 
VGA rev 0xa3: aperture at 0xef00, size 0x40
Feb  6 10:36:36 boxname /bsd: wsdisplay0 at vga1: console (80x25, vt100 
emulation)
Feb  6 10:36:36 boxname /bsd: wsdisplay0: screen 1-5 added (80x25, vt100 
emulation)
Feb  6 10:36:36 boxname /bsd: rl0 at pci0 dev 10 function 0 Realtek 
8139 rev 0x10: irq 10 address 00:00:21:12:3b:72

Feb  6 10:36:36 boxname /bsd: rlphy0 at rl0 phy 0: RTL internal phy
Feb  6 10:36:36 boxname /bsd: isa0 at pcib0
Feb  6 10:36:36 boxname /bsd: isadma0 at isa0
Feb  6 10:36:36 boxname /bsd: pckbc0 at isa0 port 0x60/5
Feb  6 10:36:36 boxname /bsd: pckbd0 at pckbc0 (kbd slot)
Feb  6 10:36:36 boxname /bsd: pckbc0: using irq 1 for kbd slot
Feb  6 10:36:36 boxname /bsd: wskbd0 at 

users filling partitions crashing system

2006-02-06 Thread MikeyG

Hi,
I'm seeing a recurring problem whereby a user's process is causing the 
system to crash by (I believe) filling up the /tmp partition. Twice this 
week this has happened shortly after I have renice-d a resource hungry 
bittorrent download that I've seen a user running.


I have sensible user block quotas set on the /home partition and 
everywhere else besides /tmp that the users could be putting data, and 
there is of course the 5% of space reserved on all partitions. 
Everything divided into separate partitions as recommended. /tmp is 
virtually unused most of the time so I can't figure out what might be 
happening.


When the system comes back up everything appears to be fine, /tmp having 
been emptied by rc.  There seems to be nothing logged to tell me what 
might have happened so I'm just left scratching my head.


Does anyone have any ideas, or suggest ways of getting more diagnostic 
information?


Thanks
Mike

$ uname -a
OpenBSD xxx.xxx.xxx 3.7 GENERIC#50 i386

$ df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/wd0a      251M   82.3M    156M    35%    /
/dev/wd0h     36.5G   13.7G   20.9G    40%    /home
/dev/wd0i     36.5G   25.0G    9.6G    72%    /home2
/dev/wd0d      251M   26.0K    238M     0%    /tmp
/dev/wd0e     1006M    356M    600M    37%    /usr
/dev/wd0f      251M   86.7M    152M    36%    /var

$ mount
/dev/wd0a on / type ffs (local, softdep)
/dev/wd0h on /home type ffs (local, nodev, nosuid, with quotas, softdep)
/dev/wd0i on /home2 type ffs (local, nodev, with quotas, softdep)
/dev/wd0d on /tmp type ffs (local, nodev, noexec, nosuid, softdep)
/dev/wd0e on /usr type ffs (local, nodev, softdep)
/dev/wd0f on /var type ffs (local, nodev, nosuid, softdep)
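An added example, not MikeyG's scripts or anything else posted in this thread: a small sh script covering the two diagnostic needs raised above, logging when /tmp (or any partition) approaches full and summarising which user is running how many processes and how much memory, as asked about in the ulimits post. The function names (df_capacity_pct, proc_summary, check_partition) are my own; it assumes df -h prints Capacity and the mount point as its last two fields (as in the listing above) and that awk, du, ps and logger are available.

```shell
#!/bin/sh
# Added example, not from the thread: watch a partition such as /tmp and
# summarise per-user process load so a fill-up or a process storm is logged
# while it happens. Assumes df(1) ends each line with Capacity and mount point.

# Print the Capacity percentage (without "%") of MOUNTPOINT from df -h on stdin;
# exits 1 when the mount point is not listed.
df_capacity_pct() {
    awk -v mp="$1" '$NF == mp { sub(/%/, "", $(NF-1)); print $(NF-1); found = 1 }
                    END { if (!found) exit 1 }'
}

# Turn "user rss" lines (as from: ps -axo user=,rss=) on stdin into
# "user processes total_rss_kb", one line per user, busiest user first.
proc_summary() {
    awk '{ n[$1]++; m[$1] += $2 }
         END { for (u in n) printf "%s %d %d\n", u, n[u], m[u] }' | sort -k2,2nr
}

# Log a warning and the five largest entries when MOUNTPOINT is at or above
# THRESHOLD percent; returns 1 in that case, 0 otherwise.
check_partition() {
    mp="$1"; threshold="$2"
    pct=$(df -h | df_capacity_pct "$mp") || return 0
    [ "$pct" -lt "$threshold" ] && return 0
    logger -t diskwatch "$mp at ${pct}%, largest entries follow"
    du -xsk "$mp"/* 2>/dev/null | sort -nr | head -5 | logger -t diskwatch
    return 1
}

# Constructed sample data (shaped like the df -h listing in this thread) for
# a dry run; nothing below touches the live system unless --live is given.
SAMPLE_DF='Filesystem  Size    Used   Avail Capacity  Mounted on
/dev/wd0a   251M   82.3M    156M    35%    /
/dev/wd0d   251M   26.0K    238M     0%    /tmp
/dev/wd0i  36.5G   25.0G    9.6G    72%    /home2'
SAMPLE_PS='root 1200
mike 5000
mike 7000
bob 300'

if [ "${1:-}" = "--live" ]; then
    # Meant for cron, e.g. every five minutes, with output going to syslog.
    check_partition /tmp 90
    ps -axo user=,rss= | proc_summary | head -5 | logger -t procwatch
else
    printf '%s\n' "$SAMPLE_DF" | df_capacity_pct /tmp
    printf '%s\n' "$SAMPLE_PS" | proc_summary
fi
```

Run with --live from cron so the syslog entries land before a reboot wipes /tmp; without it the script only exercises the constructed samples.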



Re: update /etc/changelist as part of package install?

2005-09-06 Thread MikeyG

Ingo Schwarze wrote:


By the way, in case you are looking for serious intrusion
detection, you should not rely on /etc/security anyway, but
install (and maintain!) some real intrusion detection system.

Yours,
 Ingo
 

Agreed.  Even storing hashes off site, it wouldn't be difficult to get 
around this system. But I do find it extremely useful for keeping track 
of system changes.


What real IDS would people here recommend?

Mike



update /etc/changelist as part of package install?

2005-09-05 Thread MikeyG

Hi,
Just a thought. For packages with sensitive system configs, wouldn't it 
be useful if the install automatically patched /etc/changelist?  Also it 
might help if they modified /etc/mtree/special too, although this is 
probably more difficult to get right.


Or is there a good reason why this isn't done?

Mike