From owner-freebsd-security  Thu Jan 25 11:16:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.189])
	by hub.freebsd.org (Postfix) with SMTP id 2DDA937B6AD
	for <freebsd-security@freebsd.org>; Thu, 25 Jan 2001 11:15:50 -0800 (PST)
Received: (qmail 2040 invoked by uid 1000); 25 Jan 2001 19:14:18 -0000
Date: Thu, 25 Jan 2001 21:14:18 +0200
From: Peter Pentchev <roam@orbitel.bg>
To: Allen Edwards <aedwards@hiqinternet.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Newbie Post - Limiting processes
Message-ID: <20010125211418.B1122@ringworld.oblivion.bg>
Mail-Followup-To: Allen Edwards <aedwards@hiqinternet.com>,
	freebsd-security@freebsd.org
References: <NCBBKJBPKLMFELAPAEHGIELPCCAA.aedwards@hiqinternet.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <NCBBKJBPKLMFELAPAEHGIELPCCAA.aedwards@hiqinternet.com>; from aedwards@hiqinternet.com on Thu, Jan 25, 2001 at 01:31:42PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Jan 25, 2001 at 01:31:42PM -0500, Allen Edwards wrote:
> Feel free to flame the newbie if he asks an off topic question (great now
> I'm talking about myself in the 3rd person).
> 
> Is there a way to limit a user to a certain number of processes?  e.g. one
> foreground and one background process.
> 
> I am working on providing some shell accounts to a few clients who have
> requested it and have heard of persons doing this.

Well, you can limit the total number of processes a user is allowed
to run at any given time, background or foreground alike.  Look at
the login.conf(5) manpage; you can define a custom login class
for your shell users, so that limits are only enforced for them,
and not for your privileged admin logins.  'maxproc' is the setting
for the total number of processes; I don't think you can control
the number of background processes, but if your users happen to run
too many of those, they will not even be able to login later :)

Actually, *one* foreground process is a bit too much - you need
at least one for the shell and one for any program the user might
run.  Each shell pipe and/or other program fork is one more process.
So.. tread lightly :)

G'luck,
Peter

-- 
I've heard that this sentence is a rumor.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message