Date: Sat, 10 Apr 1999 13:11:45 -0700 (PDT) From: Matthew Dillon <dillon@apollo.backplane.com> To: Dmitry Valdov <dv@dv.ru> Cc: Brian Feldman <green@unixhelp.org>, freebsd-current@FreeBSD.ORG Subject: Re: DoS from local users (fwd) Message-ID: <199904102011.NAA01133@apollo.backplane.com> References: <Pine.BSF.3.95q.990410232904.6263A-100000@xkis.kis.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
It is not possible to prevent a user from hogging the cpu on the system.
What you *CAN* do is make it difficult for the user to crash the system
by limiting the number of processes he is allowed to run, the maximum
data segment size each process is allowed to allocate, and by placing
quotas on disk partitions he has write access to. This allows a
sysop to get on the system and blow the idiot user away without having
to reboot.
cpu utilization has nothing to do with system cpu verses user cpu. cpu
is cpu. One process can hog the cpu, it doesn't really matter whether
it is supervisor or user mode cpu. The system will attempt to balance
cpu utilization when several processes need cpu. The worst a user can
do cpu-wise is to start N cpu-bound processes.
Starting N cpu-bound processes will drive the load up on the machine, but
as long as N is limited it will not prevent a sysop from getting in there
and taking out the user.
You don't give user accounts away to people who you think might
try to crash the system, so resource limits are mostly there to prevent
users making stupid mistakes from taking the system down with them.
-Matt
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199904102011.NAA01133>