Georgi Chorbadzhiyski wrote:
Мразя да си отговарям сам, но забравих един важен линк.bugtraq wrote:Искам да попитам ви попитам за начин да наложа total memory limit на даден процес (в случая daemon) под Linux. limits.conf и ulimit не вършат работа защотото се ограниченията влизат в действие след като user-а се логне но не и когато се пусне като root и си дропне привилегиите. Пробвах да стартирам daemon-а със softlimit на DJB но пак не е решение ограниченията са за max memory per process а не за total memory която може да се използва от parent процеса. В общи линии една fork() и malloc() бомба могат да забият сървъра. Във freebsd например този проблем е решен елегантно в /etc/login.conf се задава ограничение vmemoryuse на daemon login class-a и това важи за всичко което се стартира от rc. Пак за пример ако със софтлимит зададеме лимит от 150 процеса с максимум 10MB памет и стартираме така apache (нормален лимит за аpache с mod_perl & mod_php) лесно може да се напише нещо като това което може да се изпълни през web и да забие сървъра: while (1) { fork(); malloc(512); } Ако може някой да сподели опит ще съм му благодарен. 10xhttp://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.12 http://www.dfdtech.net/linux/security/userlimits/ === Resource Limits Linux enforces various kinds of resource limits that might interfere with the operation of your PostgreSQL server. Of importance are especially the limits on the number of processes per user, the number of open files per process, and the amount of memory available to a process. Each of these have a "hard" and a "soft" limit. The soft limit is what actually counts but it can be changed by the user up to the hard limit. The hard limit can only be changed by the root user. The system call setrlimit is responsible for setting these parameters. The shell's built-in command ulimit (Bourne shells) or limit (csh) is used to control the resource limits from the command line. === === There are some limitations with the current implementation of user resource limits. The largest is that you can only apply resource limits per session. There is no way at the moment to place a quota on the number of resources a certain user may use globally on the system. At the moment, there is also no way to limit what is called from crontab (and possibly the same problem exists for at as well). Crontab enables a user to launch a program at a specific time. There is no way to apply resource limits to these launched programs in crontab's present form. CGI scripts also pose a problem. I mentioned before that even if you disallow shell access but still allow users to run CGI scripts, there is the same risk involved that a user could use too many system resources. The best way to limit this is to run all cgi scripts through a program called cgiwrap (http://cgiwrap.unixtools.org/). You should specifically compile cgiwrap with the --with-rlimit- settings to impose resource limits on all CGI scripts. There does not appear to be a way to impose different limits on different user's CGI scripts, however. The configuration of cgiwrap is beyond the scope of this document, but it is highly recommended that you look into using it. ===
http://www.tldp.org/HOWTO/mini/Process-Accounting/
Оставил съм целия цитат за по-лесно търсене в архива.
--
Georgi Chorbadzhiyski
http://georgi.unixsol.org/
============================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
============================================================================