> On Sun, 17 Mar 1996, Doug Ledford wrote:
>
> > The solution I'm looking for here is something like what SCO has in their
> > Unix. In other words, ulimit statements in the /etc/profile can be
> > circumvented by a regular user, at least by one who has the experience
> > and knowledge to be a hacker. I want something that isn't so easily
> > circumvented, and the best (only?) place I can think of to put it is in
> > the kernel since it handles all memory allocation anyway.
>
> Couldn't you create a custom bash (or whatever) shell that invokes setrlimit
> on itself at startup, and assign this as the user's shell? The only way I can
> see around this is if you can start programs outside of the shell, either by
> hacking the root or via some deamon. If root is secure, and cron and sendmail
> are properly dealt with, I'm not sure if there is much of a problem left that
> requires kernel intervention.
Yes, setrlimit calls which set the `hard' limit values should be able to do
this. But the place to do it is in your login.c, and probably in `su'....
Alan Cox suggests there's an alternate login.c floating around Sunsite that
does this. It seems to me that BSD has a format for various /etc/passwd
fields that enforce these limits for the various resources, though I don't
know if that alternate login.c uses said format. Seems to me this would be
a very good project for an ISP, if there's nothing readily available....
lilo