Re: login.conf restrictions for suid processes possible? (fwd)

From: Mike Smith <mike@smith.net.au>
Date: 5 Aug 1999 11:03:10
Subject: Re: login.conf restrictions for suid processes possible? (fwd)
Message-ID: 199908051755.KAA13017@dingo.cdrom.com

> I am working on some resource limit stuff and would like to be
> able to use login.conf to restrict the number of cgi processes that
> certain users can run. Unfortunately, the proprietary cgi product we use
> is owned by root and suid's to the user who owns the script that it is
> called to run. (This is not what I would call a "good idea," but it's what
> I have to work with.)
>
> I've created a login class with the appropriate permissions, and
> if I put a test user in that class and test its limits with normal system
> processes (like ls, sleep, etc.) it follows all the rules. However when I
> start miva (proprietary cgi) processes for scripts owned by that user, it
> ignores the limits, presumably because the process starts its life as
> root.
>
> Soooo, the question is, how can I do what I want to do, and if I
> can't do it with login.conf does anyone have any other suggestions?
> Specifically I need to restrict the amount of ram and the number of
> processes on a per user basis. I'm working on a -current system, but I
> don't think this issue bears directly on -current.

You need to pester the vendor to correctly switch limits when they
switch UIDs.

Alternatively, if this is unlikely _and_ the application is dynamically
linked, you could produce a library containing patched set*id functions
and force it into the app using LD_PRELOAD.

--
\\ The mind's the standard \\ Mike Smith
\\ of the man. \\ msmith@freebsd.org
\\ -- Joseph Merrick \\ msmith@cdrom.com
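Mike's second suggestion, worked through as an added example (mine, not Mike's code and not part of the Miva product): a preload library that interposes setuid() and applies the target user's login-class limits through login_getpwclass(3) and setusercontext(3) with LOGIN_SETRESOURCES, before the UID switch, which is the same order login(1) uses. The file name limitshim.c, the function names, and the small constructed caps table used where no login.conf exists are my assumptions; only setuid() is wrapped here, and seteuid()/setreuid()/setresuid() would get the same treatment if the program uses those instead.

```c
/* limitshim.c (assumed name): LD_PRELOAD shim applying the target user's
 * limits when a root process calls setuid(). FreeBSD: cc -shared -fPIC -lutil */
#define _GNU_SOURCE                       /* RTLD_NEXT on glibc */
#include <dlfcn.h>
#include <pwd.h>
#include <sys/resource.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <login_cap.h>   /* login.conf access: login_getpwclass(3), setusercontext(3) */
#endif
struct caps { uid_t uid; rlim_t maxproc; rlim_t memory; }; /* constructed; non-FreeBSD only */
const struct caps FALLBACK[] = { { 31001, 20, 64UL << 20 }, { 31002, 10, 32UL << 20 } };
/* Set a limit, clamped to the current hard limit: once root is dropped, asking for more fails. */
static int clamp_limit(int resource, rlim_t want)
{
    struct rlimit cur, nw = { .rlim_cur = want, .rlim_max = want };
    if (getrlimit(resource, &cur) != 0) return -1;
    if (nw.rlim_max > cur.rlim_max) nw.rlim_cur = nw.rlim_max = cur.rlim_max;
    return setrlimit(resource, &nw);
}
/* Apply the caps-table entry for uid: 0 applied, 1 no entry for uid, -1 error. */
int apply_caps(uid_t uid, const struct caps *tab, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tab[i].uid == uid)
            return clamp_limit(RLIMIT_NPROC, tab[i].maxproc) | clamp_limit(RLIMIT_AS, tab[i].memory);
    return 1;
}
/* What login(1) would apply: the user's login-class limits on FreeBSD, the table elsewhere. */
int apply_user_limits(uid_t uid)
{
#ifdef __FreeBSD__
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL) return -1;
    login_cap_t *lc = login_getpwclass(pw);            /* user's class, or "default" */
    int rc = setusercontext(lc, pw, uid, LOGIN_SETRESOURCES);
    login_close(lc);
    return rc == 0 ? 0 : -1;
#else
    return apply_caps(uid, FALLBACK, sizeof FALLBACK / sizeof FALLBACK[0]);
#endif
}
/* Interposed setuid(): limits first, while still root (login(1)'s order), then the real call. */
int setuid(uid_t uid)
{
    static int (*real_setuid)(uid_t);
    if (real_setuid == NULL) real_setuid = (int (*)(uid_t))dlsym(RTLD_NEXT, "setuid");
    if (real_setuid == NULL || apply_user_limits(uid) < 0) return -1;
    return real_setuid(uid);
}
```

One caveat: the run-time linker ignores LD_PRELOAD for set-user-ID executables, so this only takes effect when the web server starts the program as root itself rather than through the setuid bit on the binary.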
