RLIMIT_FORK -- second try :)

Matthew Dillon dillon at apollo.backplane.com
Sun Sep 12 16:57:37 PDT 2004


    Hmm.  Well, it's an interesting issue.  The existing process resources
    are definitely not sufficient, but I'm not sure that a fork depth
    limit is the right solution either, because it could also seriously
    interfere with threaded programs and it requires the system operator
    to make assumptions about how and why a program might fork which would
    not necessarily hold as time progresses.

    I think what we need is more of a jail-like feature where the number
    of processes can be limited inside the jail.  I hesitate to use the
    term 'jail' because the current jails are not really what we want... we
    want some sort of security infrastructure that processes can be grouped
    within, which would exist for all processes in the system, and then
    implement the limits within that infrastructure.

					-Matt
					Matthew Dillon 
					<dillon at xxxxxxxxxxxxx>

:Hi
:
:Some time ago I sent a patch to implement RLIMIT_FORK, a new resource
:limit that allows for control of the process tree depth.
:
:At that time, Hiten told me on IRC that he would put it on his TODO list
:for review when he had some free time, but I'm afraid free time isn't
:something he'll have when he returns, and that his list might turn into a
:circular queue :)
:
:Anyway, I rewrote the patches so that they can be applied on a current
:system. If someone could give them a try...
:
:The main motivation for it is to allow an admin to limit, say, the process
:tree depth of apache, and thus disallowing "bad customers" to fork (or at
:least to fork indefinitely).
:
:So, one could add to /etc/rc.conf:
:
:apache2_enable="YES"
:apache2limits_enable="YES"
:apache2limits_args="-e -C daemon -r 4"
:
:and a customer would be allowed to run a cgi script, but a fork in it
:would fail (the ``-r'' flag is the one which controls the depth limit):
:
:[Sun Sep 12 19:08:45 2004] [error] [client 127.0.0.1] fork error:
:Operation not permitted at /usr/local/www/cgi-bin/test.pl line 7.
:
:The patch also changes sh and tcsh, so that the ``ulimit'' and ``limit''
:built-ins know about RLIMIT_FORK:
:
:$ ulimit -r 0
:$ ls
:Cannot fork: Operation not permitted
:
:> limit forkdepth 0
:> ls
:No more processes.
:
:The patches can be found at
:
:  http://andre.people.digirati.com.br/dragonfly/patches/forkdepth/
:
:Best regards,
:Andre




