
List:       freebsd-hackers
Subject:    Re: Keeping a large shellbox stable and secure
From:       Philip Reynolds <philip.reynolds () rfc-networks ! ie>
Date:       2003-04-24 11:36:31

Peter <pfak@telus.net> 43 lines of wisdom included:
> Are there any proven methods that you have used? System tweaks, etc. That
> seem to work under high system loads? Such as sysctl.conf, rc.conf, etc.

login.conf should be all you need to keep the ulimits of users down.

Give users finite CPU time, VM size (and whatever other options you
can) etc.

Play around with it before you let users on the box. Try a few
sample C programs to see if you can crash the box.

--------------------8<---------------------
/* The timeless while(1) fork(); program */

#include <sys/types.h>
#include <unistd.h>

int
main(int argc, char **argv)
{
	while(1)
		fork();
}

-------------------->8---------------------

The above program, for instance, should stop after a few seconds
with an error (something equivalent to resources unavailable).

Some sample settings would be:

default:\
## ...
	:cputime=500:\
	:datasize=50M:\
	:stacksize=40M:\
	:memorylocked=30M:\
	:memoryuse=30M:\
	:filesize=50M:\
	:openfiles=300:\
	:maxproc=50:\
	:sbsize=50M:\
	:vmemoryuse=75M:\
	:priority=0:

There might be some things I left out there (core file size etc.)
and some other settings. You're going to need to tweak these
settings according to your machine specifications and how high a
load your system is under.

Remember to run ``cap_mkdb /etc/login.conf'' after changes to the file.

-- 
Philip Reynolds                      | RFC Networks Ltd.
philip.reynolds@rfc-networks.ie      | +353 (0)1 8832063
http://people.rfc-networks.ie/~phil  | www.rfc-networks.ie
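
Added example (not part of the original message): a small C program to run as a test user after logging in, to confirm that the soft limits the login class applied are no looser than the sample settings above. The expected-value table and the names parse_size and limit_within are assumptions of this example; RLIMIT_SBSIZE is compiled in only where the platform defines it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>
#include <sys/resource.h>

/* Convert a login.conf-style value ("50M", "300") to a plain number. */
static rlim_t parse_size(const char *s)
{
	char *end;
	rlim_t v = (rlim_t)strtoull(s, &end, 10);
	switch (*end) {
	case 'k': case 'K': return v << 10;
	case 'm': case 'M': return v << 20;
	case 'g': case 'G': return v << 30;
	default:            return v;
	}
}

/* 1 if the soft limit is finite and <= cap, 0 if looser, -1 on error. */
static int limit_within(int resource, rlim_t cap)
{
	struct rlimit rl;
	if (getrlimit(resource, &rl) != 0)
		return -1;
	return rl.rlim_cur != RLIM_INFINITY && rl.rlim_cur <= cap;
}

/* Expected values: the sample settings from the message (assumed targets). */
static const struct { const char *name; int res; const char *val; } expected[] = {
	{ "cputime", RLIMIT_CPU, "500" },      { "datasize", RLIMIT_DATA, "50M" },
	{ "stacksize", RLIMIT_STACK, "40M" },  { "memorylocked", RLIMIT_MEMLOCK, "30M" },
	{ "memoryuse", RLIMIT_RSS, "30M" },    { "filesize", RLIMIT_FSIZE, "50M" },
	{ "openfiles", RLIMIT_NOFILE, "300" }, { "maxproc", RLIMIT_NPROC, "50" },
	{ "vmemoryuse", RLIMIT_AS, "75M" },
#ifdef RLIMIT_SBSIZE	/* FreeBSD only */
	{ "sbsize", RLIMIT_SBSIZE, "50M" },
#endif
};

int main(void)
{
	int loose = 0;
	for (size_t i = 0; i < sizeof(expected) / sizeof(expected[0]); i++) {
		int ok = limit_within(expected[i].res, parse_size(expected[i].val));
		printf("%-12s %s\n", expected[i].name, ok == 1 ? "ok" : "LOOSER THAN EXPECTED");
		loose += (ok != 1);
	}
	return loose != 0;	/* non-zero exit: at least one limit is too loose */
}
```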