On Thu, 5 Aug 1999, Mike Smith wrote: > > I am working on some resource limit stuff and would like to be > > able to use login.conf to restrict the number of cgi processes that > > certain users can run. Unfortunately, the proprietary cgi product we use > > is owned by root and suid's to the user who owns the script that it is > > called to run. (This is not what I would call a "good idea," but it's what > > I have to work with.) > > > > I've created a login class with the appropriate permissions, and > > if I put a test user in that class and test its limits with normal system > > processes (like ls, sleep, etc.) it follows all the rules. However when I > > start miva (proprietary cgi) processes for scripts owned by that user, it > > ignores the limits, presumably because the process starts its life as > > root. > > > > Soooo, the question is, how can I do what I want to do, and if I > > can't do it with login.conf does anyone have any other suggestions? > > Specifically I need to restrict the amount of ram and the number of > > processes on a per user basis. I'm working on a -current system, but I > > don't think this issue bears directly on -current. > > You need to pester the vendor to correctly switch limits when they > switch UIDs. > > Alternatively, if this is unlikely _and_ the application is dynamically > linked, you could produce a library containing patched set*id functions > and force it into the app using LD_PRELOAD. Grrrfl. Ok, that's what I thought, but I do appreciate the confirmation. We have a pretty good relationship with the vendor so I'll take that route first. Thanks, Doug -- On account of being a democracy and run by the people, we are the only nation in the world that has to keep a government four years, no matter what it does. -- Will Rogers To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message