Re: [expert] backround processes
AFAIK you can't restrict the running of background processes, and if you could it would create more problems with legitimate processes than it would solve. Probably the best you can do is display a login message to users informing them that the use of eggdrops etc. is prohibited, with penalties associated. Unusual happenings can then be monitored using the system logs and filesystem. Unfortunately no tool ever created can replace the vigilance of a sysadmin.

----- Original Message -----
From: Janar Kokk [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, July 12, 2000 10:36 AM
Subject: Re: [expert] backround processes

> I think you didn't understand my question. I want to not allow my machine's users to run any background processes such as eggdrop etc.
>
> Regards,
> Janar Kokk
> [EMAIL PROTECTED]
Re: [expert] backround processes
On Tue, 11 Jul 2000, Civileme wrote:

> Date: Tue, 11 Jul 2000 19:34:12 -0800
> From: Civileme [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: [expert] backround processes
>
> Deryk Barker wrote:
>
> > Thus spake Janar Kokk ([EMAIL PROTECTED]):
> >
> > > I think you didn't understand my question. I want to not allow my machine's users to run any background processes such as eggdrop etc.
> >
> > You can use ulimit to limit the number of processes, but don't set it to 1 or they won't be able to run *anything* - bash (and other shells) fork a new process for each command.
>
> And, to worsen matters, how would they run some of the ordinary programs that use background processes? I think it might be a bit too embedded to exclude.
>
> OTOH, if you have a list of what you do not want users to run... Easily done with permissions.

If I remember correctly, ulimit has a rather poor manpage. It can control mem usage/processes, but is enforced by your shell (bash). I was trying to use it to control runaway processes such as Netscape, and nasty cookbook lockups such as a fork bomb or malloc bomb. I think that if a program tries to fork bomb in a clever way, or a malloc bomb, it may be able to act faster than the shell can stop it.

> And with ulimit, what about netscape? It runs as a child of a library process and each netscape window Errrk. Guess you wouldn't have asked if it was easy to figure out :-}.
>
> Civileme

--
Regards,
Ellick Chan [EMAIL PROTECTED]
Jul 11
Re: [expert] backround processes
Thus spake Ellick Chan ([EMAIL PROTECTED]):
[...]
> If I remember correctly, ulimit has a rather poor manpage.

I'll say. Basically it says see bash.

> It can control mem usage/processes, but is enforced by your shell (bash). I was trying to use it to control runaway processes such as Netscape, and nasty cookbook lockups such as a fork bomb or malloc bomb. I think that if a program tries to fork bomb in a clever way, or a malloc bomb, it may be able to act faster than the shell can stop it.

I had to use this recently because we had students writing forking lab assignments which ran away. ulimit did actually control this.

--
|Deryk Barker, Computer Science Dept. | Music does not have to be understood|
|Camosun College, Victoria, BC, Canada| It has to be listened to.            |
|email: [EMAIL PROTECTED]             |                                      |
|phone: +1 250 370 4452               | Hermann Scherchen.                   |
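Added example (not code from any poster in this thread): the process cap discussed above, applied to one command tree from a shell. `ulimit` is a shell builtin that sets the RLIMIT_NPROC resource limit through setrlimit(2), and the kernel then applies that limit to everything started underneath; the helper names `set_nproc`, `run_capped`, `inherited_limit`, `current_limit` and `can_lift_cap` are made up for this sketch.

```shell
#!/bin/sh
# Added example (constructed). ulimit is a shell builtin, so each shell has its
# own spelling: bash uses -u for the process limit, dash uses -p.

# set_nproc N: set the soft and hard process limit of the current shell to N.
set_nproc() {
    ulimit -u "$1" 2>/dev/null || ulimit -p "$1"
}

# run_capped N CMD...: run CMD so that it and its descendants cannot fork once
# this user already owns N processes. The subshell keeps the change away from
# the caller, and exec replaces the subshell, so nothing has to fork after the
# limit is in place.
run_capped() {
    (
        set_nproc "$1" || exit 125
        shift
        exec "$@"
    )
}

# Prints the process limit of whichever shell runs this snippet.
PROBE='ulimit -u 2>/dev/null || ulimit -p'

# What a freshly exec'd shell, which never ran ulimit itself, inherited.
inherited_limit() { run_capped "$1" sh -c "$PROBE"; }

# The caller's own limit, for comparison.
current_limit() { sh -c "$PROBE"; }

# Inside a capped tree, try to lift the hard limit again. Without privilege
# the kernel refuses, which is what makes the cap stick for ordinary users.
RAISE='ulimit -H -u unlimited 2>/dev/null || ulimit -H -p unlimited 2>/dev/null'
can_lift_cap() {
    if run_capped "$1" sh -c "$RAISE"; then echo yes; else echo no; fi
}

echo "caller limit:        $(current_limit)"
echo "inside run_capped:   $(inherited_limit 64)"
echo "caller afterwards:   $(current_limit)"
echo "child can lift cap:  $(can_lift_cap 64)"
```

For a non-root user the last line normally prints `no`; a process holding CAP_SYS_RESOURCE can raise its hard limit again.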
Re: [expert] backround processes
Deryk Barker wrote:

> Thus spake Ellick Chan ([EMAIL PROTECTED]):
> [...]
> > If I remember correctly, ulimit has a rather poor manpage.
>
> I'll say. Basically it says see bash.

Which limits its utility a bit. I, for one, get:

    ulimit
    ulimit: Command not found.

Why? Because I use tcsh . . .

Besides the whole ulimit thing, as noted elsewhere--indeed the idea of banning all background process--makes an awful lot of Unix rather useless. Unix is designed for forking process, and this happens in lots of places where you might not expect it. Perhaps the original poster could clarify just why he wants to do this?

If it's really only specific applications you want to limit, then either delete them from the system or deny execute permissions to world, and add the "blessed users" to whatever group you assign to those files.

If you truly want to ban "&" then the only way to do that is to get the source to bash (or whatever shell you choose) and delete the code that handles the "&" character. This will still break programs written in shell script that use &, but most programs will be ok because they will call fork() explicitly. Then you'd have to remove (or deny permissions to) all other editors on your system. You'd also have to remove the c compiler (and probably perl and other languages as well) since they could still write a fork() function themselves. And prevent access to the internet, for with such access they could download working versions of all the stuff you were busy trying to break . . . And all this just to remove functionality that's fundamental to Unix.

Ah dunno. Seems odd to me . . .

> > It can control mem usage/processes, but is enforced by your shell (bash). I was trying to use it to control runaway processes such as Netscape, and nasty cookbook lockups such as a fork bomb or malloc bomb. I think that if a program tries to fork bomb in a clever way, or a malloc bomb, it may be able to act faster than the shell can stop it.
>
> I had to use this recently because we had students writing forking lab assignments which ran away. ulimit did actually control this.
>
> --
> |Deryk Barker, Computer Science Dept. | Music does not have to be understood|
> |Camosun College, Victoria, BC, Canada| It has to be listened to.            |
> |email: [EMAIL PROTECTED]             |                                      |
> |phone: +1 250 370 4452               | Hermann Scherchen.                   |

--
"Brian, the man from babble-on" [EMAIL PROTECTED]
Brian T. Schellenberger http://www.babbleon.org
Support http://www.eff.org. Support decss defendants.
Support http://www.programming-freedom.org. Boycott amazon.com.
RE: [expert] backround processes
Have you thought about just turfing those users who won't play by the rules?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Brian T. Schellenberger
Sent: July 12, 2000 8:38 PM
To: [EMAIL PROTECTED]
Subject: Re: [expert] backround processes

> Deryk Barker wrote:
>
> > Thus spake Ellick Chan ([EMAIL PROTECTED]):
> > [...]
> > > If I remember correctly, ulimit has a rather poor manpage.
> >
> > I'll say. Basically it says see bash.
>
> Which limits its utility a bit. I, for one, get:
>
>     ulimit
>     ulimit: Command not found.
>
> Why? Because I use tcsh . . .
>
> Besides the whole ulimit thing, as noted elsewhere--indeed the idea of banning all background process--makes an awful lot of Unix rather useless. Unix is designed for forking process, and this happens in lots of places where you might not expect it. Perhaps the original poster could clarify just why he wants to do this?
>
> If it's really only specific applications you want to limit, then either delete them from the system or deny execute permissions to world, and add the "blessed users" to whatever group you assign to those files.
>
> If you truly want to ban "&" then the only way to do that is to get the source to bash (or whatever shell you choose) and delete the code that handles the "&" character. This will still break programs written in shell script that use &, but most programs will be ok because they will call fork() explicitly. Then you'd have to remove (or deny permissions to) all other editors on your system. You'd also have to remove the c compiler (and probably perl and other languages as well) since they could still write a fork() function themselves. And prevent access to the internet, for with such access they could download working versions of all the stuff you were busy trying to break . . . And all this just to remove functionality that's fundamental to Unix.
>
> Ah dunno. Seems odd to me . . .
>
> > > It can control mem usage/processes, but is enforced by your shell (bash). I was trying to use it to control runaway processes such as Netscape, and nasty cookbook lockups such as a fork bomb or malloc bomb. I think that if a program tries to fork bomb in a clever way, or a malloc bomb, it may be able to act faster than the shell can stop it.
> >
> > I had to use this recently because we had students writing forking lab assignments which ran away. ulimit did actually control this.
> >
> > --
> > |Deryk Barker, Computer Science Dept. | Music does not have to be understood|
> > |Camosun College, Victoria, BC, Canada| It has to be listened to.            |
> > |email: [EMAIL PROTECTED]             |                                      |
> > |phone: +1 250 370 4452               | Hermann Scherchen.                   |
>
> --
> "Brian, the man from babble-on" [EMAIL PROTECTED]
> Brian T. Schellenberger http://www.babbleon.org
> Support http://www.eff.org. Support decss defendants.
> Support http://www.programming-freedom.org. Boycott amazon.com.
[expert] backround processes
Hello,

How can I make it so that my users can't run any background processes?

Regards,
Janar Kokk
[EMAIL PROTECTED]
Re: [expert] backround processes
Use the & after the program name: ie gftp &, netscape &
Re: [expert] backround processes
I think you didn't understand my question. I want to not allow my machine's users to run any background processes such as eggdrop etc.

Regards,
Janar Kokk
[EMAIL PROTECTED]

----- Original Message -----
From: "Cecil Watson" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 11, 2000 6:36 PM
Subject: Re: [expert] backround processes

> Use the & after the program name: ie gftp &, netscape &
Re: [expert] backround processes
Thus spake Janar Kokk ([EMAIL PROTECTED]):

> I think you didn't understand my question. I want to not allow my machine's users to run any background processes such as eggdrop etc.

You can use ulimit to limit the number of processes, but don't set it to 1 or they won't be able to run *anything* - bash (and other shells) fork a new process for each command.

--
|Deryk Barker, Computer Science Dept. | Music does not have to be understood|
|Camosun College, Victoria, BC, Canada| It has to be listened to.            |
|email: [EMAIL PROTECTED]             |                                      |
|phone: +1 250 370 4452               | Hermann Scherchen.                   |
Re: [expert] backround processes
Deryk Barker wrote:

> Thus spake Janar Kokk ([EMAIL PROTECTED]):
>
> > I think you didn't understand my question. I want to not allow my machine's users to run any background processes such as eggdrop etc.
>
> You can use ulimit to limit the number of processes, but don't set it to 1 or they won't be able to run *anything* - bash (and other shells) fork a new process for each command.

And, to worsen matters, how would they run some of the ordinary programs that use background processes? I think it might be a bit too embedded to exclude.

OTOH, if you have a list of what you do not want users to run... Easily done with permissions.

And with ulimit, what about netscape? It runs as a child of a library process and each netscape window Errrk. Guess you wouldn't have asked if it was easy to figure out :-}.

Civileme
Re: [expert] backround processes
Sorry for butting in again, but one possibility might be to do what is done by Bastille Linux and make it impossible for users to compile anything on the computer, limiting that ability to root only. This wouldn't prevent a binary load, I know, but if they can't compile and only root can access /var/lib/rpm/packages.rpm it would severely cripple the ability of most (not all but most) users to run any of these processes, because they can't easily load them onto the computer.

I realize this might not be an answer to what you need, but I hope it helps in some way.

Nightwriter

At 08:34 PM 7/11/00, you wrote:

> Deryk Barker wrote:
>
> > Thus spake Janar Kokk ([EMAIL PROTECTED]):
> >
> > > I think you didn't understand my question. I want to not allow my machine's users to run any background processes such as eggdrop etc.
> >
> > You can use ulimit to limit the number of processes, but don't set it to 1 or they won't be able to run *anything* - bash (and other shells) fork a new process for each command.
>
> And, to worsen matters, how would they run some of the ordinary programs that use background processes? I think it might be a bit too embedded to exclude.
>
> OTOH, if you have a list of what you do not want users to run... Easily done with permissions.
>
> And with ulimit, what about netscape? It runs as a child of a library process and each netscape window Errrk. Guess you wouldn't have asked if it was easy to figure out :-}.
>
> Civileme