RLIMIT_FORK -- second try :)

Andre Nathan andre at digirati.com.br
Sun Sep 12 16:34:20 PDT 2004


Hi

Some time ago I sent a patch to implement RLIMIT_FORK, a new resource
limit that allows for control of the process tree depth.

At that time, Hiten told me on IRC that he would put it on his TODO list
for review when he had some free time, but I'm afraid free time isn't
something he'll have when he returns, and that his list might turn into a
circular queue :)

Anyway, I rewrote the patches so that they can be applied on a current
system. If someone could give them a try...

The main motivation for it is to allow an admin to limit, say, the process
tree depth of apache, and thus disallowing "bad customers" to fork (or at
least to fork indefinitely).

So, one could add to /etc/rc.conf:

apache2_enable="YES"
apache2limits_enable="YES"
apache2limits_args="-e -C daemon -r 4"

and a customer would be allowed to run a cgi script, but a fork in it
would fail (the ``-r'' flag is the one which controls the depth limit):

[Sun Sep 12 19:08:45 2004] [error] [client 127.0.0.1] fork error:
Operation not permitted at /usr/local/www/cgi-bin/test.pl line 7.

The patch also changes sh and tcsh, so that the ``ulimit'' and ``limit''
built-ins know about RLIMIT_FORK:

$ ulimit -r 0
$ ls
Cannot fork: Operation not permitted

> limit forkdepth 0
> ls
No more processes.

The patches can be found at

  http://andre.people.digirati.com.br/dragonfly/patches/forkdepth/

Best regards,
Andre




