Re: login.conf & FreeBSD 4.4

From: D J Hawkey Jr (hawkeyd@visi.com)
Date: 10/02/01


Date: Tue, 2 Oct 2001 04:39:27 -0500
From: D J Hawkey Jr <hawkeyd@visi.com>
To: Christian Kratzer <ck@cksoft.de>, freebsd-security@freebsd.org

On Oct 02, at 09:33 AM, Christian Kratzer wrote:
>
> Hi,
>
> On Tue, 2 Oct 2001, D J Hawkey Jr wrote:
>
> > In article <Pine.LNX.4.33.0110020953290.6866-100000_localhost.cksoft.de@ns.sol.net>,
> > ck@cksoft.de writes:
> > >
> > > If you are talking about cgi scripts run by apache you might want to
> > > patch suexec to do this. There is nothing in apache that would normally
> > > set the requested privileges.
> > >
> > > we added following to apache-x-x-x/src/support/suexec.c to actually
> > > enforce setting of resource limits. There is nothing in apache that would
> > > normally set these up for you.
> > >
> > > [SNIP]
> >
> > Reading between the lines, are you saying that any app "not from FreeBSD"
> > running on FreeBSD isn't likely to be accounted for because they pro'lly
> > don't set up limiting resources (by way of the C function you hacked in)?
> >
> > Badly phrased, I know, but you get my drift?
>
> it's not as bad as you may think.
>
> Any user logging in through the "usual" channels like sshd, telnetd, console, etc...
> should get the limits automatically set up for them.

Running X apps remotely falls into the above group, I assume?

> We only need to patch applications like apache which start child processes
> and use seteuid() to change their effective uid etc... and are not aware of
> the freebsd specific possibilities.

This makes sense [to me], but Peter seems to disagree. Can either of you
address the other's position?

> Greetings
> Christian

Thanks,
Dave

-- 
  ______________________                         ______________________
  \__________________   \    D. J. HAWKEY JR.   /   __________________/
     \________________/\     hawkeyd@visi.com    /\________________/
                      http://www.visi.com/~hawkeyd/
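
Added illustration, not part of the thread and not the snipped suexec.c patch: a minimal C wrapper that sets resource limits itself in the child before exec, which is what a program that starts children and switches uid without going through login has to do. The names cap_limit and run_limited and the limit values are assumptions; plain setrlimit(2) is used so it runs anywhere, where a FreeBSD wrapper could take the values from login.conf via setusercontext(3).

```c
/* Added example (constructed values): apply resource limits before exec. */
#include <sys/types.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <stdio.h>
#include <unistd.h>

/* Lower both soft and hard limit so the child cannot raise it again. */
static int cap_limit(int resource, rlim_t value)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0)
        return -1;
    if (rl.rlim_max != RLIM_INFINITY && value > rl.rlim_max)
        value = rl.rlim_max;          /* unprivileged: cannot exceed hard limit */
    rl.rlim_cur = rl.rlim_max = value;
    return setrlimit(resource, &rl);
}

/* Fork, apply limits in the child, exec argv; return the child's exit status
 * or -1. On FreeBSD a setuid wrapper could call setusercontext(3) with
 * LOGIN_SETRESOURCES at this point to use the user's login class instead. */
int run_limited(char *const argv[], rlim_t cpu_secs, rlim_t max_files)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (cap_limit(RLIMIT_CPU, cpu_secs) != 0 ||
            cap_limit(RLIMIT_NOFILE, max_files) != 0)
            _exit(126);               /* fail closed: never exec unlimited */
        /* a real wrapper drops privileges here: setgid(), initgroups(), setuid() */
        execv(argv[0], argv);
        _exit(127);                   /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* constructed demo: the shell prints the open-files limit it inherited */
    char *const argv[] = { "/bin/sh", "-c", "ulimit -n", NULL };
    printf("child exit status: %d\n", run_limited(argv, 10, 64));
    return 0;
}
```

The limits are set after fork() and before exec, so they bind the child and everything it spawns while the parent server keeps its own limits.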