From igraltist at rsbac.org Sat Jan 15 16:59:33 2011
From: igraltist at rsbac.org (Jens Kasten)
Date: Sat, 15 Jan 2011 16:59:33 +0100
Subject: [rsbac] umount
Message-ID: <1295107173.9178.5.camel@jaschtschik-pc>

Hi list,

again there is an umount issue.
I use the kernel 2.6.35.10.
As filesystem I use ext4.

I mount a snapshot from rootfs to make a copy of it to create a new
rootfs with ext3 to see if the FF issue depends on the filesystem.

Sat Jan 15 16:53:35 2011 :<4>0000001056|do_umount() [sys_umount()]: umount failed -> calling rsbac_mount for Device 253:22

The command fuse /mount_point shows nothing.
At the same time the partition with ext3 filesystem can umount.

Regards
Jens

From igraltist at rsbac.org Sun Jan 16 10:20:54 2011
From: igraltist at rsbac.org (Jens Kasten)
Date: Sun, 16 Jan 2011 10:20:54 +0100
Subject: [rsbac] UM
Message-ID: <1295169654.5782.14.camel@jaschtschik-pc>

Hi list,

I am using UM for user authentication.

I must set sufficient and not required for category auth
in /etc/pam.d/system-auth otherwise it does not work.

This I see in the log message.

Jan 16 10:06:19 jaschtschik su[9778]: pam_authenticate: Authentication failure
Jan 16 10:06:19 jaschtschik su[9778]: FAILED su for root by jens
Jan 16 10:06:19 jaschtschik su[9778]: - /dev/pts/2 jens:root

Latest rsbac-admin-tools 1.4.5 and kernel 2.6.35.10 from git.

/etc/pam.d/system-auth:
auth required pam_env.so
auth sufficient pam_rsbac.so
#auth required pam_rsbac.so try_first_pass likeauth nullok
auth required pam_deny.so

account required pam_rsbac.so
account optional pam_permit.so

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password required pam_rsbac.so
password required pam_deny.so

session required pam_limits.so
session required pam_env.so
session required pam_rsbac.so
session optional pam_permit.so

/etc/nsswitch.conf:
passwd: rsbac
shadow: rsbac
group: rsbac

kernel-configuration for um:
CONFIG_RSBAC_UM=y
CONFIG_RSBAC_UM_DIGEST=y
CONFIG_RSBAC_UM_USER_MIN=2000
CONFIG_RSBAC_UM_GROUP_MIN=2000
CONFIG_RSBAC_UM_EXCL=y
CONFIG_RSBAC_UM_MIN_PASS_LEN=6
CONFIG_RSBAC_UM_NON_ALPHA=y
CONFIG_RSBAC_UM_PWHISTORY=y
CONFIG_RSBAC_UM_PWHISTORY_MAX=8
CONFIG_RSBAC_UM_ONETIME=y
CONFIG_RSBAC_UM_ONETIME_MAX=100
CONFIG_RSBAC_UM_VIRTUAL=y
CONFIG_RSBAC_UM_VIRTUAL_ISOLATE=y
CONFIG_RSBAC_AUTH_UM_PROT=y
CONFIG_RSBAC_ACL_UM_PROT=y
CONFIG_RSBAC_FF_UM_PROT=y

Regards
Jens

From igraltist at rsbac.org Sun Jan 16 16:12:30 2011
From: igraltist at rsbac.org (Jens Kasten)
Date: Sun, 16 Jan 2011 16:12:30 +0100
Subject: [rsbac] kvm-guest in jail
Message-ID: <1295190750.6778.8.camel@jaschtschik-pc>

Hi list,

I try to run a kvm-guest in a jail.
My network setup is bridged.

The monitor option when I use a tcp socket instead of a unix socket is available on the host.
For monitor I would prefer to use the unix socket.
But then I get:
Sun Jan 16 14:34:27 2011 :<7>0000000864|rsbac_adf_request_jail(): process jail is 35, no allow_ipc and partner process unknown -> NOT_GRANTED!
Sun Jan 16 14:34:27 2011 :<6>0000000865|rsbac_adf_request(): request ACCEPT, pid 9624, ppid 1, prog_name debian, prog_file /usr/bin/qemu-system-x86_64, uid 0, remote ip 192.168.1.5, target_type UNIXSOCK, tid Device 253:24 Inode 55284 Path /var/run/kvm/debian.socket, attr sock_type, value STREAM, result NOT_GRANTED by JAIL

For network setup adding the iface to the bridge does not work.
If really all fails I could use routing for guests.

This command I use to start a guest:
/usr/local/bin/rsbac_jail -I 0.0.0.0 -d -D -K -E -C NET_RAW DAC_OVERRIDE DAC_READ_SEARCH NET_ADMIN -M network sysctl /usr/bin/kvm-admin debian boot

And this shows the logfile:
Sun Jan 16 16:00:22 2011 :<6>0000001178|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 16483, ppid 16482, prog_name brctl, prog_file /sbin/brctl, uid 0, remote ip 127.0.0.1, target_type NETDEV, tid local, attr none, value none, result NOT_GRANTED by JAIL

Regards
Jens

From aleph at mandriva.org Mon Jan 17 07:51:33 2011
From: aleph at mandriva.org (Gergely Lónyai)
Date: Sun, 16 Jan 2011 23:51:33 -0700
Subject: [rsbac] UM
Message-ID: <20110116235133.9b05b4e5e48d18b6dc565714b379f9f0.1729865116.wbe@email10.secureserver.net>

> -------- Original Message --------
> Subject: [rsbac] UM
> From: Jens Kasten
> Date: Sun, January 16, 2011 10:20 am
> To: rsbac-mailing-list
>
>
> Hi list,
>
> I am using UM for user authentication.
>
> I must set sufficient and not required for category auth
> in /etc/pam.d/system-auth otherwise it does not work.
>
> This I see in the log message.
>
> Jan 16 10:06:19 jaschtschik su[9778]: pam_authenticate: Authentication
> failure
> Jan 16 10:06:19 jaschtschik su[9778]: FAILED su for root by jens
> Jan 16 10:06:19 jaschtschik su[9778]: - /dev/pts/2 jens:root
>
> Latest rsbac-admin-tools 1.4.5 and kernel 2.6.35.10 from git.
>
> /etc/pam.d/system-auth:
> auth required pam_env.so
> auth sufficient pam_rsbac.so
> #auth required pam_rsbac.so try_first_pass likeauth nullok
> auth required pam_deny.so
>
> account required pam_rsbac.so
> account optional pam_permit.so
>
> password required pam_cracklib.so difok=2 minlen=8 dcredit=2
> ocredit=2 try_first_pass retry=3
> password required pam_rsbac.so
> password required pam_deny.so
>
> session required pam_limits.so
> session required pam_env.so
> session required pam_rsbac.so
> session optional pam_permit.so
>
> /etc/nsswitch.conf:
> passwd: rsbac
> shadow: rsbac
> group: rsbac
>
> kernel-configuration for um:
> CONFIG_RSBAC_UM=y
> CONFIG_RSBAC_UM_DIGEST=y
> CONFIG_RSBAC_UM_USER_MIN=2000
> CONFIG_RSBAC_UM_GROUP_MIN=2000
> CONFIG_RSBAC_UM_EXCL=y
> CONFIG_RSBAC_UM_MIN_PASS_LEN=6
> CONFIG_RSBAC_UM_NON_ALPHA=y
> CONFIG_RSBAC_UM_PWHISTORY=y
> CONFIG_RSBAC_UM_PWHISTORY_MAX=8
> CONFIG_RSBAC_UM_ONETIME=y
> CONFIG_RSBAC_UM_ONETIME_MAX=100
> CONFIG_RSBAC_UM_VIRTUAL=y
> CONFIG_RSBAC_UM_VIRTUAL_ISOLATE=y
> CONFIG_RSBAC_AUTH_UM_PROT=y
> CONFIG_RSBAC_ACL_UM_PROT=y
> CONFIG_RSBAC_FF_UM_PROT=y
>
> Regards
> Jens
>

Hi,

Do you set up the root's password after user import with rsbac_passwd?

Aleph

From igraltist at rsbac.org Mon Jan 17 08:45:38 2011
From: igraltist at rsbac.org (Jens Kasten)
Date: Mon, 17 Jan 2011 08:45:38 +0100
Subject: [rsbac] UM
In-Reply-To: <20110116235133.9b05b4e5e48d18b6dc565714b379f9f0.1729865116.wbe@email10.secureserver.net>
References: <20110116235133.9b05b4e5e48d18b6dc565714b379f9f0.1729865116.wbe@email10.secureserver.net>
Message-ID: <1295250338.9203.2.camel@jaschtschik-pc>

On Sunday, 16.01.2011, at 23:51 -0700, Gergely Lónyai wrote:
> > -------- Original Message --------
> > Subject: [rsbac] UM
> > From: Jens Kasten
> > Date: Sun, January 16, 2011 10:20 am
> > To: rsbac-mailing-list
> >
> >
> > Hi list,
> >
> > I am using UM for user authentication.
> >
> > I must set sufficient and not required for category auth
> > in /etc/pam.d/system-auth otherwise it does not work.
> >
> > This I see in the log message.
> >
> > Jan 16 10:06:19 jaschtschik su[9778]: pam_authenticate: Authentication
> > failure
> > Jan 16 10:06:19 jaschtschik su[9778]: FAILED su for root by jens
> > Jan 16 10:06:19 jaschtschik su[9778]: - /dev/pts/2 jens:root
> >
> > Latest rsbac-admin-tools 1.4.5 and kernel 2.6.35.10 from git.
> >
> > /etc/pam.d/system-auth:
> > auth required pam_env.so
> > auth sufficient pam_rsbac.so
> > #auth required pam_rsbac.so try_first_pass likeauth nullok
> > auth required pam_deny.so
> >
> > account required pam_rsbac.so
> > account optional pam_permit.so
> >
> > password required pam_cracklib.so difok=2 minlen=8 dcredit=2
> > ocredit=2 try_first_pass retry=3
> > password required pam_rsbac.so
> > password required pam_deny.so
> >
> > session required pam_limits.so
> > session required pam_env.so
> > session required pam_rsbac.so
> > session optional pam_permit.so
> >
> > /etc/nsswitch.conf:
> > passwd: rsbac
> > shadow: rsbac
> > group: rsbac
> >
> > kernel-configuration for um:
> > CONFIG_RSBAC_UM=y
> > CONFIG_RSBAC_UM_DIGEST=y
> > CONFIG_RSBAC_UM_USER_MIN=2000
> > CONFIG_RSBAC_UM_GROUP_MIN=2000
> > CONFIG_RSBAC_UM_EXCL=y
> > CONFIG_RSBAC_UM_MIN_PASS_LEN=6
> > CONFIG_RSBAC_UM_NON_ALPHA=y
> > CONFIG_RSBAC_UM_PWHISTORY=y
> > CONFIG_RSBAC_UM_PWHISTORY_MAX=8
> > CONFIG_RSBAC_UM_ONETIME=y
> > CONFIG_RSBAC_UM_ONETIME_MAX=100
> > CONFIG_RSBAC_UM_VIRTUAL=y
> > CONFIG_RSBAC_UM_VIRTUAL_ISOLATE=y
> > CONFIG_RSBAC_AUTH_UM_PROT=y
> > CONFIG_RSBAC_ACL_UM_PROT=y
> > CONFIG_RSBAC_FF_UM_PROT=y
> >
> > Regards
> > Jens
> >
> Hi,
>
> Do you set up the root's password after user import with rsbac_passwd?

Yes I have. I have removed the files passwd, group, and shadow.

> Aleph
>
> _______________________________________________
> rsbac mailing list
> rsbac at rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac

From gergely at lonyai.com Mon Jan 17 09:14:19 2011
From: gergely at lonyai.com (Gergely Lónyai)
Date: Mon, 17 Jan 2011 01:14:19 -0700
Subject: [rsbac] UM
Message-ID: <20110117011419.9b05b4e5e48d18b6dc565714b379f9f0.cfae8c947b.wbe@email10.secureserver.net>

> -------- Original Message --------
> Subject: Re: [rsbac] UM
> From: Jens Kasten
> Date: Mon, January 17, 2011 8:45 am
> To: RSBAC Discussion and Announcements
>
>
> On Sunday, 16.01.2011, at 23:51 -0700, Gergely Lónyai wrote:
> > > -------- Original Message --------
> > > Subject: [rsbac] UM
> > > From: Jens Kasten
> > > Date: Sun, January 16, 2011 10:20 am
> > > To: rsbac-mailing-list
> > >
> > >
> > > Hi list,
> > >
> > > I am using UM for user authentication.
> > >
> > > I must set sufficient and not required for category auth
> > > in /etc/pam.d/system-auth otherwise it does not work.
> > >
> > > This I see in the log message.
> > >
> > > Jan 16 10:06:19 jaschtschik su[9778]: pam_authenticate: Authentication
> > > failure
> > > Jan 16 10:06:19 jaschtschik su[9778]: FAILED su for root by jens
> > > Jan 16 10:06:19 jaschtschik su[9778]: - /dev/pts/2 jens:root
> > >
> > > Latest rsbac-admin-tools 1.4.5 and kernel 2.6.35.10 from git.
> > >
> > > /etc/pam.d/system-auth:
> > > auth required pam_env.so
> > > auth sufficient pam_rsbac.so
> > > #auth required pam_rsbac.so try_first_pass likeauth nullok
> > > auth required pam_deny.so
> > >
> > > account required pam_rsbac.so
> > > account optional pam_permit.so
> > >
> > > password required pam_cracklib.so difok=2 minlen=8 dcredit=2
> > > ocredit=2 try_first_pass retry=3
> > > password required pam_rsbac.so
> > > password required pam_deny.so
> > >
> > > session required pam_limits.so
> > > session required pam_env.so
> > > session required pam_rsbac.so
> > > session optional pam_permit.so
> > >
> > > /etc/nsswitch.conf:
> > > passwd: rsbac
> > > shadow: rsbac
> > > group: rsbac
> > >
> > > kernel-configuration for um:
> > > CONFIG_RSBAC_UM=y
> > > CONFIG_RSBAC_UM_DIGEST=y
> > > CONFIG_RSBAC_UM_USER_MIN=2000
> > > CONFIG_RSBAC_UM_GROUP_MIN=2000
> > > CONFIG_RSBAC_UM_EXCL=y
> > > CONFIG_RSBAC_UM_MIN_PASS_LEN=6
> > > CONFIG_RSBAC_UM_NON_ALPHA=y
> > > CONFIG_RSBAC_UM_PWHISTORY=y
> > > CONFIG_RSBAC_UM_PWHISTORY_MAX=8
> > > CONFIG_RSBAC_UM_ONETIME=y
> > > CONFIG_RSBAC_UM_ONETIME_MAX=100
> > > CONFIG_RSBAC_UM_VIRTUAL=y
> > > CONFIG_RSBAC_UM_VIRTUAL_ISOLATE=y
> > > CONFIG_RSBAC_AUTH_UM_PROT=y
> > > CONFIG_RSBAC_ACL_UM_PROT=y
> > > CONFIG_RSBAC_FF_UM_PROT=y
> > >
> > > Regards
> > > Jens
> > >
> > Hi,
> >
> > Do you set up the root's password after user import with rsbac_passwd?
>
> Yes I have. I have removed the files passwd, group, and shadow.
>

No, I did not speak it. Do you update the rsbac passwords with rsbac
tool? The user import does not import the old password. The rsbac
password encoder is not compatible with the pam password storage.

Aleph

From igraltist at rsbac.org Mon Jan 17 09:22:49 2011
From: igraltist at rsbac.org (Jens Kasten)
Date: Mon, 17 Jan 2011 09:22:49 +0100
Subject: [rsbac] UM
In-Reply-To: <20110117011419.9b05b4e5e48d18b6dc565714b379f9f0.cfae8c947b.wbe@email10.secureserver.net>
References: <20110117011419.9b05b4e5e48d18b6dc565714b379f9f0.cfae8c947b.wbe@email10.secureserver.net>
Message-ID: <1295252569.9574.4.camel@jaschtschik-pc>

On Monday, 17.01.2011, at 01:14 -0700, Gergely Lónyai wrote:
> > -------- Original Message --------
> > Subject: Re: [rsbac] UM
> > From: Jens Kasten
> > Date: Mon, January 17, 2011 8:45 am
> > To: RSBAC Discussion and Announcements
> >
> >
> > On Sunday, 16.01.2011, at 23:51 -0700, Gergely Lónyai wrote:
> > > > -------- Original Message --------
> > > > Subject: [rsbac] UM
> > > > From: Jens Kasten
> > > > Date: Sun, January 16, 2011 10:20 am
> > > > To: rsbac-mailing-list
> > > >
> > > >
> > > > Hi list,
> > > >
> > > > I am using UM for user authentication.
> > > >
> > > > I must set sufficient and not required for category auth
> > > > in /etc/pam.d/system-auth otherwise it does not work.
> > > >
> > > > This I see in the log message.
> > > >
> > > > Jan 16 10:06:19 jaschtschik su[9778]: pam_authenticate: Authentication
> > > > failure
> > > > Jan 16 10:06:19 jaschtschik su[9778]: FAILED su for root by jens
> > > > Jan 16 10:06:19 jaschtschik su[9778]: - /dev/pts/2 jens:root
> > > >
> > > > Latest rsbac-admin-tools 1.4.5 and kernel 2.6.35.10 from git.
> > > >
> > > > /etc/pam.d/system-auth:
> > > > auth required pam_env.so
> > > > auth sufficient pam_rsbac.so
> > > > #auth required pam_rsbac.so try_first_pass likeauth nullok
> > > > auth required pam_deny.so
> > > >
> > > > account required pam_rsbac.so
> > > > account optional pam_permit.so
> > > >
> > > > password required pam_cracklib.so difok=2 minlen=8 dcredit=2
> > > > ocredit=2 try_first_pass retry=3
> > > > password required pam_rsbac.so
> > > > password required pam_deny.so
> > > >
> > > > session required pam_limits.so
> > > > session required pam_env.so
> > > > session required pam_rsbac.so
> > > > session optional pam_permit.so
> > > >
> > > > /etc/nsswitch.conf:
> > > > passwd: rsbac
> > > > shadow: rsbac
> > > > group: rsbac
> > > >
> > > > kernel-configuration for um:
> > > > CONFIG_RSBAC_UM=y
> > > > CONFIG_RSBAC_UM_DIGEST=y
> > > > CONFIG_RSBAC_UM_USER_MIN=2000
> > > > CONFIG_RSBAC_UM_GROUP_MIN=2000
> > > > CONFIG_RSBAC_UM_EXCL=y
> > > > CONFIG_RSBAC_UM_MIN_PASS_LEN=6
> > > > CONFIG_RSBAC_UM_NON_ALPHA=y
> > > > CONFIG_RSBAC_UM_PWHISTORY=y
> > > > CONFIG_RSBAC_UM_PWHISTORY_MAX=8
> > > > CONFIG_RSBAC_UM_ONETIME=y
> > > > CONFIG_RSBAC_UM_ONETIME_MAX=100
> > > > CONFIG_RSBAC_UM_VIRTUAL=y
> > > > CONFIG_RSBAC_UM_VIRTUAL_ISOLATE=y
> > > > CONFIG_RSBAC_AUTH_UM_PROT=y
> > > > CONFIG_RSBAC_ACL_UM_PROT=y
> > > > CONFIG_RSBAC_FF_UM_PROT=y
> > > >
> > > > Regards
> > > > Jens
> > > >
> > > Hi,
> > >
> > > Do you set up the root's password after user import with rsbac_passwd?
> >
> > Yes I have. I have removed the files passwd, group, and shadow.
> >
>
> No, I did not speak it. Do you update the rsbac passwords with rsbac
> tool? The user import does not import the old password. The rsbac
> password encoder is not compatible with the pam password storage.

You mean, rsbac_passwd -n root?
The passwords are added with this.

> Aleph
>
> _______________________________________________
> rsbac mailing list
> rsbac at rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac

From jens at kasten-edv.de Mon Jan 17 09:34:08 2011
From: jens at kasten-edv.de (Jens Kasten)
Date: Mon, 17 Jan 2011 09:34:08 +0100
Subject: [rsbac] UM
In-Reply-To: <1295252569.9574.4.camel@jaschtschik-pc>
References: <20110117011419.9b05b4e5e48d18b6dc565714b379f9f0.cfae8c947b.wbe@email10.secureserver.net> <1295252569.9574.4.camel@jaschtschik-pc>
Message-ID: <1295253248.9574.8.camel@jaschtschik-pc>

On Monday, 17.01.2011, at 09:22 +0100, Jens Kasten wrote:
> On Monday, 17.01.2011, at 01:14 -0700, Gergely Lónyai wrote:
> > > -------- Original Message --------
> > > Subject: Re: [rsbac] UM
> > > From: Jens Kasten
> > > Date: Mon, January 17, 2011 8:45 am
> > > To: RSBAC Discussion and Announcements
> > >
> > >
> > > On Sunday, 16.01.2011, at 23:51 -0700, Gergely Lónyai wrote:
> > > > > -------- Original Message --------
> > > > > Subject: [rsbac] UM
> > > > > From: Jens Kasten
> > > > > Date: Sun, January 16, 2011 10:20 am
> > > > > To: rsbac-mailing-list
> > > > >
> > > > >
> > > > > Hi list,
> > > > >
> > > > > I am using UM for user authentication.
> > > > >
> > > > > I must set sufficient and not required for category auth
> > > > > in /etc/pam.d/system-auth otherwise it does not work.
> > > > >
> > > > > This I see in the log message.
> > > > >
> > > > > Jan 16 10:06:19 jaschtschik su[9778]: pam_authenticate: Authentication
> > > > > failure
> > > > > Jan 16 10:06:19 jaschtschik su[9778]: FAILED su for root by jens
> > > > > Jan 16 10:06:19 jaschtschik su[9778]: - /dev/pts/2 jens:root
> > > > >
> > > > > Latest rsbac-admin-tools 1.4.5 and kernel 2.6.35.10 from git.
> > > > >
> > > > > /etc/pam.d/system-auth:
> > > > > auth required pam_env.so
> > > > > auth sufficient pam_rsbac.so
> > > > > #auth required pam_rsbac.so try_first_pass likeauth nullok
> > > > > auth required pam_deny.so
> > > > >
> > > > > account required pam_rsbac.so
> > > > > account optional pam_permit.so
> > > > >
> > > > > password required pam_cracklib.so difok=2 minlen=8 dcredit=2
> > > > > ocredit=2 try_first_pass retry=3
> > > > > password required pam_rsbac.so
> > > > > password required pam_deny.so
> > > > >
> > > > > session required pam_limits.so
> > > > > session required pam_env.so
> > > > > session required pam_rsbac.so
> > > > > session optional pam_permit.so
> > > > >
> > > > > /etc/nsswitch.conf:
> > > > > passwd: rsbac
> > > > > shadow: rsbac
> > > > > group: rsbac
> > > > >
> > > > > kernel-configuration for um:
> > > > > CONFIG_RSBAC_UM=y
> > > > > CONFIG_RSBAC_UM_DIGEST=y
> > > > > CONFIG_RSBAC_UM_USER_MIN=2000
> > > > > CONFIG_RSBAC_UM_GROUP_MIN=2000
> > > > > CONFIG_RSBAC_UM_EXCL=y
> > > > > CONFIG_RSBAC_UM_MIN_PASS_LEN=6
> > > > > CONFIG_RSBAC_UM_NON_ALPHA=y
> > > > > CONFIG_RSBAC_UM_PWHISTORY=y
> > > > > CONFIG_RSBAC_UM_PWHISTORY_MAX=8
> > > > > CONFIG_RSBAC_UM_ONETIME=y
> > > > > CONFIG_RSBAC_UM_ONETIME_MAX=100
> > > > > CONFIG_RSBAC_UM_VIRTUAL=y
> > > > > CONFIG_RSBAC_UM_VIRTUAL_ISOLATE=y
> > > > > CONFIG_RSBAC_AUTH_UM_PROT=y
> > > > > CONFIG_RSBAC_ACL_UM_PROT=y
> > > > > CONFIG_RSBAC_FF_UM_PROT=y
> > > > >
> > > > > Regards
> > > > > Jens
> > > > >
> > > > Hi,
> > > >
> > > > Do you set up the root's password after user import with rsbac_passwd?
> > >
> > > Yes I have. I have removed the files passwd, group, and shadow.
> > >
> >
> > No, I did not speak it. Do you update the rsbac passwords with rsbac
> > tool? The user import does not import the old password. The rsbac
> > password encoder is not compatible with the pam password storage.
>
> You mean, rsbac_passwd -n root?
> The passwords are added with this.

This was wrong in my system-auth file.
auth required pam_deny.so

When I uncomment it then it works.
Maybe there was a difference between pam-1.0 and before.
I don't know.

> > Aleph
> >
> > _______________________________________________
> > rsbac mailing list
> > rsbac at rsbac.org
> > http://www.rsbac.org/mailman/listinfo/rsbac
>
>
> _______________________________________________
> rsbac mailing list
> rsbac at rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac

From igraltist at rsbac.org Mon Jan 17 10:40:00 2011
From: igraltist at rsbac.org (Jens Kasten)
Date: Mon, 17 Jan 2011 10:40:00 +0100
Subject: [rsbac] RES
Message-ID: <1295257200.10118.4.camel@jaschtschik-pc>

Hi list,

I set up the following for RES:

attr_set_user RES $user res_max fsize 250000 # user won't create file more than 1G (block size = 4096)
attr_set_user RES $user res_max stack 100000 # user stack won't get bigger than 100 KB
attr_set_user RES $user res_max nofile 1024 # user won't open more than 1024 fds at a time
attr_set_user RES $user res_min core -1 # user will coredump by default
attr_set_user RES $user res_max nproc 200 # user won't start more than 200 process
attr_set_user RES $user res_max as 100000000 # user's process won't get bigger than 100MB

Then I call the python script ps-jail and I get:
Jan 17 10:31:43 jaschtschik kernel: ps-jail[21077]: segfault at 3c0639ebf18 ip 000002be1843366c sp 000003c0639ebf20 error 6 in libpython2.6.so.1.0[2be1832e000+173000]

Should the RES module not simply stop it if the script needs more resources?

Regards
Jens

From ao at rsbac.org Mon Jan 17 10:57:47 2011
From: ao at rsbac.org (Amon Ott)
Date: Mon, 17 Jan 2011 10:57:47 +0100
Subject: [rsbac] RES
In-Reply-To: <1295257200.10118.4.camel@jaschtschik-pc>
References: <1295257200.10118.4.camel@jaschtschik-pc>
Message-ID: <201101171057.48520.ao@rsbac.org>

On Monday 17 January 2011 wrote Jens Kasten:
> I set up the following for RES:
>
> attr_set_user RES $user res_max fsize 250000 # user won't create file
> more than 1G (block size = 4096)

This value is in bytes, so 250000 bytes, not 1G.

> attr_set_user RES $user res_max stack 100000 # user stack won't get
> bigger than 100 KB
> attr_set_user RES $user res_max nofile 1024 # user won't open more
> than 1024 fds at a time
> attr_set_user RES $user res_min core -1 # user will coredump by
> default
> attr_set_user RES $user res_max nproc 200 # user won't start more
> than 200 process
> attr_set_user RES $user res_max as 100000000 # user's process won't
> get bigger than 100MB
>
>
> Then I call the python script ps-jail and I get:
> Jan 17 10:31:43 jaschtschik kernel: ps-jail[21077]: segfault at
> 3c0639ebf18 ip 000002be1843366c sp 000003c0639ebf20 error 6 in
> libpython2.6.so.1.0[2be1832e000+173000]
>
> Should the RES module not simply stop it if the script needs more
> resources?

RES only changes the standard kernel resource settings, it does not check
itself. So this is not possible. Also, it is not possible to know in advance
how much memory a process will try to allocate (this is a variant of the
Turing problem :).

Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
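
Added example for the [rsbac] RES thread above (not code from the thread or from RSBAC): it applies the posted fsize value of 250000 as an ordinary soft RLIMIT_FSIZE and shows that the kernel counts it in bytes and enforces it by failing the write. It assumes Linux and that RES passes the value to the kernel unchanged as RLIMIT_FSIZE; the function name is made up for this example.

```python
import errno
import resource
import signal
import tempfile

# Value from the posted line "attr_set_user RES $user res_max fsize 250000".
# Assumption: RES hands it to the kernel unchanged as RLIMIT_FSIZE.
RES_MAX_FSIZE = 250000


def write_under_fsize_limit(limit_bytes, attempt_bytes, chunk_size=65536):
    """Try to write attempt_bytes to a scratch file under a soft RLIMIT_FSIZE.

    Returns (bytes_written, errno_name); errno_name is None if no write failed.
    """
    old_soft, hard = resource.getrlimit(resource.RLIMIT_FSIZE)
    # Ignore SIGXFSZ so the kernel's refusal is reported as an errno instead
    # of terminating the process, which is the signal's default action.
    old_handler = signal.signal(signal.SIGXFSZ, signal.SIG_IGN)
    resource.setrlimit(resource.RLIMIT_FSIZE, (limit_bytes, hard))
    written, err = 0, None
    try:
        # buffering=0 gives raw write() calls, so short writes are visible.
        with tempfile.TemporaryFile(buffering=0) as scratch:
            chunk = b"\0" * chunk_size
            while written < attempt_bytes:
                try:
                    written += scratch.write(chunk[: attempt_bytes - written])
                except OSError as exc:
                    err = errno.errorcode.get(exc.errno, str(exc.errno))
                    break
    finally:
        # Put the previous soft limit and signal disposition back.
        resource.setrlimit(resource.RLIMIT_FSIZE, (old_soft, hard))
        if old_handler is not None:
            signal.signal(signal.SIGXFSZ, old_handler)
    return written, err


if __name__ == "__main__":
    # Ask for 1 MiB: the file stops growing at exactly 250000 bytes.
    print(write_under_fsize_limit(RES_MAX_FSIZE, 1 << 20))
```

The limit is applied by the kernel at the failing system call, so the affected program sees an error or a signal at that point and has to handle it itself.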
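
Added example for the [rsbac] UM thread above (not code from the thread, from RSBAC or from Linux-PAM): a simplified model of how PAM combines the required, requisite and sufficient control flags, run over the posted auth lines and over the commented-out `required pam_rsbac.so` variant. The function names are made up here, and the model assumes pam_env.so succeeds, pam_deny.so always fails and pam_rsbac.so succeeds only for a correct password.

```python
# Constructed from the auth section posted in the thread.
POSTED_AUTH = """\
auth required pam_env.so
auth sufficient pam_rsbac.so
#auth required pam_rsbac.so try_first_pass likeauth nullok
auth required pam_deny.so
"""

# The commented-out line from the same post, used instead of "sufficient".
REQUIRED_VARIANT = """\
auth required pam_env.so
auth required pam_rsbac.so try_first_pass likeauth nullok
auth required pam_deny.so
"""


def parse_stack(text, facility="auth"):
    """Return [(control, module)] for one facility, skipping comments."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2]))
    return stack


def evaluate(stack, module_ok):
    """Simplified control-flag semantics; [value=action] syntax is not modelled."""
    required_failed = False
    any_success = False
    for control, module in stack:
        ok = module_ok(module)
        if control == "sufficient":
            if ok and not required_failed:
                return True      # success ends the stack; later modules never run
            continue             # a failing sufficient module is ignored
        if control == "optional":
            continue             # only decisive as the sole module; ignored here
        if control not in ("required", "requisite"):
            raise ValueError("unsupported control flag: " + control)
        if ok:
            any_success = True
        else:
            required_failed = True
            if control == "requisite":
                return False     # requisite failure ends the stack at once
    return any_success and not required_failed


def authenticate(stack_text, rsbac_password_ok):
    """Evaluate a stack under the module behaviour assumed in the lead-in."""
    def module_ok(module):
        if module == "pam_deny.so":
            return False
        if module == "pam_rsbac.so":
            return rsbac_password_ok
        return True              # assumption: every other module succeeds
    return evaluate(parse_stack(stack_text), module_ok)


if __name__ == "__main__":
    for name, text in (("posted", POSTED_AUTH), ("required variant", REQUIRED_VARIANT)):
        print(name, [authenticate(text, ok) for ok in (True, False)])
```

With `sufficient`, a successful pam_rsbac.so returns before pam_deny.so is reached and a failed one falls through to it, so the stack fails closed; with `required`, pam_deny.so is always evaluated and every attempt is rejected.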