maxproc per jail

Jille Timmermans jille at quis.cx
Tue Mar 17 12:55:11 PDT 2009


Nicolas de Bari Embriz Garcia Rojas wrote:
> A friend suggested to schg the rc.conf and login.conf of the jail and
> put the root user in a login class with some strict perms. maybe can be
> a solution.
login.conf sets rlimits, but root ignores them, so that isn't of much use.
(I'm not 100% sure, you can give it a try)

You can also try sysctl security.bsd.suser_enabled=0; but that will also
disable root outside the jail.
Patching the kernel to ignore root in jails is not very hard I think.
Writing that, it might also be easy to patch the kernel so that
root-in-jail doesn't override rlimits.

-- Jille
> 
> regards.
> -- 
>> nbari
> 
> On Mar 17, 2009, at 1:27 PM, Jille Timmermans wrote:
> 
>> Nicolas de Bari Embriz Garcia Rojas wrote:
>>> Hi, thanks for the answer, just one question: how to set up rlimit for jails?
>>> Any ideas?
>> I'm sorry for leaving that unclear; there is no rlimit for jails atm.
>> But if someone wants to create a root-proof protection, I think that is
>> the way to go. (being able to limit everything that rlimit can limit for
>> single processes now)
>>
>> I unfortunately can't find the patch I mentioned, must have lost that
>> during some disk-crash.
>>
>> So, I am afraid there is nothing I can do to help you.
>>
>> -- Jille
>>>
>>> regards.
>>> -- 
>>>> nbari
>>>
>>> On Mar 17, 2009, at 8:45 AM, Jille Timmermans wrote:
>>>
>>>> Nicolas de Bari Embriz Garcia Rojas wrote:
>>>>> Hi all, is it possible to limit the maxproc per jail?
>>>> No, I wrote a patch once; I will take a look whether I still have it
>>>> somewhere.
>>>> But the patch only limits the number of processes, not memory nor open
>>>> files.
>>>> The best thing to do (I think) is create some rlimit for jails.
>>>>
>>>> -- Jille
>>>>> or how to put a protection on the main host in case the root user of
>>>>> a jail tries to make a fork bomb.
>>>>> regards.
>>>>> -- 
>>>>>> nbari
>>>
> 
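What this thread asks for (a per-jail cap on processes, memory and open files that jailed root cannot raise) is what FreeBSD later shipped as rctl(8) on top of RACCT accounting. The script below is an added example, not code from the thread or from the FreeBSD tree; it assumes FreeBSD 9.0 or newer with a kernel built with options RACCT and RCTL (on 11.0 and newer they are in GENERIC but stay off until kern.racct.enable=1 is set in /boot/loader.conf), that the rules are applied as root on the host, and that the jail is named "webjail". The jail name and the limit values are illustrative assumptions.

```sh
#!/bin/sh
# Added example, not from the thread or from FreeBSD's own sources: per-jail
# limits with rctl(8). Assumes FreeBSD 9.0+ with RACCT/RCTL in the kernel
# (11.0+: GENERIC has them, enable with kern.racct.enable=1 in loader.conf).
# "webjail" and the amounts are assumptions chosen for illustration.

# One rctl rule. The subject "jail:<name>" covers every process in that jail,
# root included, which is what login.conf rlimits cannot do. Action "deny"
# makes the request fail (fork(2) returns EAGAIN at the maxproc cap) rather
# than merely logging it.
rctl_rule() {
    # $1 jail name, $2 resource, $3 amount
    printf 'jail:%s:%s:deny=%s\n' "$1" "$2" "$3"
}

# The rule set a host admin wants against a root-in-jail fork bomb: a process
# cap plus the memory and descriptor caps a maxproc-only patch leaves open.
# memoryuse is written in bytes (512 MiB) because `rctl -l` prints amounts
# back without k/m/g suffixes, and check_jail_limits compares against that.
jail_limits() {
    # $1 jail name
    rctl_rule "$1" maxproc 200
    rctl_rule "$1" memoryuse 536870912
    rctl_rule "$1" openfiles 4096
}

# The same rules as an /etc/rctl.conf fragment, one rule per line, so they
# are reloaded by /etc/rc.d/rctl at boot instead of living only in memory.
rctl_conf() {
    printf '# limits for jail %s\n' "$1"
    jail_limits "$1"
}

# Apply the rules live on the host (needs root). Refuses to continue without
# rctl, because a limit that silently never got installed is the failure mode
# we are trying to avoid.
apply_jail_limits() {
    if ! command -v rctl >/dev/null 2>&1; then
        echo "rctl(8) not found; is the kernel built with RACCT/RCTL?" >&2
        return 1
    fi
    for rule in $(jail_limits "$1"); do
        rctl -a "$rule" || return 1
    done
}

# Verify that every expected rule is installed, given the output of
# `rctl -l jail:<name>` on stdin. Returns 1 and names each missing rule.
check_jail_limits() {
    # $1 jail name; stdin: rctl -l output
    installed=$(cat)
    missing=0
    for rule in $(jail_limits "$1"); do
        case "$installed" in
            *"$rule"*) ;;
            *) echo "missing: $rule" >&2; missing=1 ;;
        esac
    done
    return $missing
}

# Stand-alone: print the rctl.conf fragment for the given (or default) jail.
rctl_conf "${1:-webjail}"
```

To use it on the host: append the printed fragment to /etc/rctl.conf, run `apply_jail_limits webjail` once, and pipe `rctl -l jail:webjail` into `check_jail_limits webjail` from a cron job or monitoring check. `rctl -hu jail:webjail` shows the jail's current usage against the caps. The rctl subject is the jail name, so the rule follows the jail across restarts but does nothing if the jail is created under a different name; that is why the check function exists.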

