RLIMIT_FORK -- second try :)
Andre Nathan
andre at digirati.com.br
Sun Sep 12 16:34:20 PDT 2004
Hi
Some time ago I sent a patch to implement RLIMIT_FORK, a new resource
limit that allows for control of the process tree depth.
At that time, Hiten told me on IRC that he would put it on his TODO list
for review when he had some free time, but I'm afraid free time isn't
something he'll have when he returns, and that his list might turn into a
circular queue :)
Anyway, I rewrote the patches so that they can be applied on a current
system. If someone could give them a try...
The main motivation for it is to allow an admin to limit, say, the process
tree depth of apache, and thus disallowing "bad customers" to fork (or at
least to fork indefinitely).
So, one could add to /etc/rc.conf:

    apache2_enable="YES"
    apache2limits_enable="YES"
    apache2limits_args="-e -C daemon -r 4"

and a customer would be allowed to run a cgi script, but a fork in it
would fail (the ``-r'' flag is the one which controls the depth limit):

    [Sun Sep 12 19:08:45 2004] [error] [client 127.0.0.1] fork error:
    Operation not permitted at /usr/local/www/cgi-bin/test.pl line 7.

The patch also changes sh and tcsh, so that the ``ulimit'' and ``limit''
built-ins know about RLIMIT_FORK:

    $ ulimit -r 0
    $ ls
    Cannot fork: Operation not permitted

    > limit forkdepth 0
    > ls
    No more processes.

The patches can be found at
http://andre.people.digirati.com.br/dragonfly/patches/forkdepth/
Best regards,
Andre