Re: resource limits

2000-11-03 Thread Michael Bacarella

On Fri, Nov 03, 2000 at 05:56:09PM +0800, Mailing List wrote:

 By putting it in the /etc/init.d/apache script, it would limit the apache
 server as well (www-data) user, and that's bad. We ONLY want to limit the
 user's cgi processes. We haven't found any script that suexec uses to run
 user cgis, so we can't limit it that way.

If you run CGIs for each host under suEXEC, you can run them as another
user and thusly limit them. Under Linux, resource restrictions other
than disk quotas have to be done by a parent process (such as login)
for all of its children to run with those restrictions.

If you asked me, I'd hack suexec to use setrlimit(2).

 - Original Message -
 From: "Kasatenko Ivan Alex." [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, November 03, 2000 4:56 PM
 Subject: Re: resource limits
 
 
 Hello Jeremy,
 
 Friday, November 03, 2000, 3:09:35 AM, you wrote:
 
 JCR What is an easy way to find out how much of certain resources I am using?
 
 JCR In particular, how can I easily find out the following in use by the shell
 JCR and the processes started by it?
 
 JCR - the total size of all process's data segments
 JCR - total resident memory size
 JCR - the number of file descriptors I have in use (open files)
 JCR - the total stack size I have in use
 JCR - total CPU time in seconds
 JCR - total number of processes (per this session)
 JCR - total amount of virtual memory used by the shell
 
 JCR Does the "maximum resident set size" limit for all processes or just one
 JCR process? If for all, then how can I easily find out?
 
 JCR What does "pipe size" mean? How can I know how much I am using?
 
 JCR How do sh/bash ulimits or csh limits correlate with
 JCR /etc/security/limits.conf, /etc/limits, /etc/login.defs (ULIMIT) or
 JCR BSD-type login.conf session resource limits settings?
 
 JCR Does anyone have any answers to any of these questions?
 
 JCR Thanks
 
 JCR   Jeremy C. Reed
 JCR   http://www.reedmedia.net/
 JCR   http://bsd.reedmedia.net/
 
 
 JCR --
 JCR To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 JCR with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
 
 Try the following kernel patch:
 http://www.asp-linux.com/
 It helped me in such a situation.
 
 --
 Regards,
  Ivan mailto:[EMAIL PROTECTED]
 
 
 
 

-- 
Michael Bacarella [EMAIL PROTECTED]  ;finger address for public key
GPG Key Fingerprint: B4E4 82F5 BCAC AB83 E6F7  B5AA 933E 2A75 79A4 A9C1
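
The setrlimit(2) approach suggested in the message above, as an added example (not part of the original post and not suexec's own code): a wrapper forks, lowers the limits in the child, then execs, so the exec'd program inherits them. The function names, the /bin/sh target and the limit values are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/wait.h>

/* Hypothetical helper: lower the soft and hard limit together so the
   program we exec cannot raise the limit again. */
static int cap(int resource, rlim_t value)
{
    struct rlimit rl = { value, value };
    return setrlimit(resource, &rl);
}

/* Fork, cap RLIMIT_NOFILE and RLIMIT_CPU in the child, exec a shell and
   return the open-file limit the exec'd program reports (-1 on error). */
long nofile_limit_after_exec(rlim_t nofile, rlim_t cpu_seconds)
{
    int fds[2], status;
    char buf[32] = "";
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: a suexec-style wrapper would also switch uid/gid here. */
        if (cap(RLIMIT_NOFILE, nofile) != 0 || cap(RLIMIT_CPU, cpu_seconds) != 0)
            _exit(126);              /* fail closed: never exec unlimited */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execl("/bin/sh", "sh", "-c", "ulimit -n", (char *)NULL);
        _exit(127);                  /* exec failed */
    }
    close(fds[1]);
    ssize_t n = read(fds[0], buf, sizeof buf - 1);
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || n <= 0)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return strtol(buf, NULL, 10);
}

int main(void)
{
    printf("exec'd child sees RLIMIT_NOFILE = %ld\n", nofile_limit_after_exec(64, 10));
    return 0;
}
```

The limits are set only in the forked child, so the parent (the web server in the thread's scenario) keeps its own limits.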






Re: information question

2000-09-05 Thread Michael Bacarella
 sites of users that I have on the machine (i.e- ~debian-isp). I was
 wondering how they are finding out which users that I have on the machine
 and was wondering if I could be running services that pose a security
 problem. I only have the following open:
 
 Port    State   Protocol  Service
 21      open    tcp       ftp
 22      open    tcp       ssh
 25      open    tcp       smtp
 80      open    tcp       http
 113     open    tcp       auth
 443     open    tcp       https
 515     open    tcp       printer
 3306    open    tcp       mysql
 6000    open    tcp       X11
 
 I had a question as to the function of 'auth'.
 I am not quite sure what this does. If someone could give me a heads up.
 Any advice appreciated.

Auth servers are used to determine the owner of a specific
connection, more commonly known as identity servers, and essentially 
useless. Some IRC servers use them to make sure you're not IRC'ing as
root.

Some network scanners use ident to determine what services are running as
root, to aid them in a system compromise.

If you need to run identity/auth services at all, use one that can be
configured to return useless information like (*shameless plug*) ident2 at
http://netgraft.com/

You can probably safely disable it, though.

-MB