limits do not apply
rozhuk.im at gmail.com
rozhuk.im at gmail.com
Mon Nov 7 04:52:45 UTC 2011
At system startup, the init script is run with limits calculated on the
basis of the core MAXFILES.
After you run sysctl limits of the system may be altered, for example
"kern.maxfilesperproc", but the script will continue to work with the old
values.
This is bad in two ways:
1. When using the "chroot", so that the command does not execute logon for
the user: limits and environmental variables remain the same, just replaced
the uid and gid of the running process.
2. When not specified "user" - the process starts with the limits of the
environment and startup script.
# limits
Resource limits (current):
...
openfiles 200000
...
# sysctl kern.maxfilesperproc=200001
kern.maxfilesperproc: 200000 -> 200001
# limits
Resource limits (current):
...
openfiles 200000
...
# su -m root -c 'limits'
Resource limits (current):
...
openfiles 200001
# chroot -u root / /usr/bin/limits
Resource limits (current):
...
openfiles 200000
...
Scripts for which the specified user inherit it from the startup script,
rather than generate it based on the settings for the user.
#su -m mysql -c '/bin/sh -c "/usr/bin/env"'
...
USER=root
MAIL=/var/mail/root
HOME=/root
LOGNAME=root
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin
:/root/bin
...
To run the scripts with the correct limits, the environment, the priority
and chroot - need a tool combines the chroot, su, nice, chdir but deprived
of their shortcomings.
su - is focused on a shell
chroot - does not make the logon
nice - there is no overlap in the chroot or su "SHELL" should be inherited
from a parent script, because many accounts is established:
SHELL="/usr/sbin/nologin"
--
Rozhuk Ivan
More information about the freebsd-hackers
mailing list