RLIMIT_FORK -- second try :)
Matthew Dillon
dillon at apollo.backplane.com
Sun Sep 12 16:57:37 PDT 2004
Hmm. Well, it's an interesting issue. The existing process resources
are definitely not sufficient, but I'm not sure that a fork depth
limit is the right solution either, because it could also seriously
interfere with threaded programs and it requires the system operator
to make assumptions about how and why a program might fork which would
not necessarily hold as time progresses.

I think what we need is more of a jail-like feature where the number
of processes can be limited inside the jail. I hesitate to use the
term 'jail' because the current jails are not really what we want... we
want some sort of security infrastructure that processes can be grouped
within, which would exist for all processes in the system, and then
implement the limits within that infrastructure.
-Matt
Matthew Dillon
<dillon at xxxxxxxxxxxxx>
:Hi
:
:Some time ago I sent a patch to implement RLIMIT_FORK, a new resource
:limit that allows for control of the process tree depth.
:
:At that time, Hiten told me on IRC that he would put it on his TODO list
:for review when he had some free time, but I'm afraid free time isn't
:something he'll have when he returns, and that his list might turn into a
:circular queue :)
:
:Anyway, I rewrote those patches so that they can be applied on a current
:system. If someone could give them a try...
:
:The main motivation for it is to allow an admin to limit, say, the process
:tree depth of apache, thus preventing "bad customers" from forking (or at
:least from forking indefinitely).
:
:So, one could add to /etc/rc.conf:
:
:apache2_enable="YES"
:apache2limits_enable="YES"
:apache2limits_args="-e -C daemon -r 4"
:
:and a customer would be allowed to run a cgi script, but a fork in it
:would fail (the ``-r'' flag is the one which controls the depth limit):
:
:[Sun Sep 12 19:08:45 2004] [error] [client 127.0.0.1] fork error:
:Operation not permitted at /usr/local/www/cgi-bin/test.pl line 7.
:
:The patch also changes sh and tcsh, so that the ``ulimit'' and ``limit''
:built-ins know about RLIMIT_FORK:
:
:$ ulimit -r 0
:$ ls
:Cannot fork: Operation not permitted
:
:> limit forkdepth 0
:> ls
:No more processes.
:
:The patches can be found at
:
: http://andre.people.digirati.com.br/dragonfly/patches/forkdepth/
:
:Best regards,
:Andre