Date:      Wed, 2 Mar 2011 07:41:35 +0100
From:      Edward Tomasz Napierała <trasz@FreeBSD.org>
To:        Robert Watson <rwatson@FreeBSD.org>
Cc:        "arch@" <freebsd-arch@freebsd.org>
Subject:   Re: Adding setloginclass(2) and getloginclass(2).
Message-ID:  <1C210696-D8D8-4234-BD06-52100F60D9FB@FreeBSD.org>
In-Reply-To: <alpine.BSF.2.00.1103012211290.52352@fledge.watson.org>
References:  <41A35BDD-7EF0-47C5-BA3D-2E3F9C9C5540@FreeBSD.org> <alpine.BSF.2.00.1103012211290.52352@fledge.watson.org>

Message written by Robert Watson on 2011-03-01, at 23:12:
> On Tue, 1 Mar 2011, Edward Tomasz Napierała wrote:
>> At http://people.freebsd.org/~trasz/loginclass.diff, you can find a
>> patch that adds login class information to the kernel.  The patch does
>> not contain changes to autogenerated files; to test it, do "make sysent"
>> in sys/kern/ and sys/compat/freebsd32/.
>> 
>> The patch itself doesn't add much user-visible functionality,
>> although being able to do "ps aux -o class" might be useful.  However,
>> login classes are a prerequisite for RCTL, aka Resource Containers - a
>> system administrator can use rules such as
>> "loginclass:users:nproc:deny=100/user", to replace resource limits
>> usually defined in login.conf(5), or use a rule such as
>> "loginclass:users:nproc:deny=100/loginclass", to limit the number of
>> processes for the whole login class, achieving something similar to
>> SunOS "projects".
>> 
>> Since this involves adding two new syscalls, I'd like to hear some
>> opinions about it - it's hard to change these afterwards.
> 
> Could you say a little about how you handle jails/chroots/etc?

I don't; I consider them orthogonal.  There is, of course, the problem
of jailed root setting the same login class as the one used outside,
but it's similar to the UIDs shared between jails and the outside.

As for the other behaviour - login classes are very similar to uidinfo;
the biggest differences are that they are not used for access control
and are not supposed to be changed after logging in.

I just realized I forgot to include code that allows jailed root to use
setloginclass(2).  I'll update the patch later today.

--
If you cut off my head, what would I say?  Me and my head, or me and my
body?
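To make the difference between the two quoted rules concrete, here is an added example (my own toy model, not code from the patch, from RCTL or from FreeBSD). It parses the two rule strings quoted in the thread, assuming the rctl(8) rule shape `subject:subject-id:resource:action=amount/per`, and applies them to a constructed process table to show when a new process would be refused under "deny=100/user" versus "deny=100/loginclass". Only the loginclass/nproc/deny combination from the thread is modelled; the process table and UIDs are constructed sample data.

```python
"""Toy model of RCTL nproc rules keyed on login class (added example).

This is not FreeBSD's accounting code; it only models the semantics the
thread describes: a limit counted per user inside a login class versus
one counted for the whole login class.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    subject: str      # e.g. "loginclass"
    subject_id: str   # e.g. "users" (the login class name)
    resource: str     # e.g. "nproc"
    action: str       # e.g. "deny"
    amount: int       # e.g. 100
    per: str          # what the amount is counted per: "user" or "loginclass"


def parse_rule(text: str) -> Rule:
    """Parse 'subject:subject-id:resource:action=amount/per'.

    The shape is assumed from rctl(8); the thread only quotes two instances.
    """
    try:
        subject, subject_id, resource, rest = text.split(":", 3)
        action, rest = rest.split("=", 1)
        amount_s, per = rest.split("/", 1)
    except ValueError as exc:
        raise ValueError(f"malformed rule {text!r}") from exc
    if not amount_s.isdigit():
        raise ValueError(f"amount must be a non-negative integer in {text!r}")
    return Rule(subject, subject_id, resource, action, int(amount_s), per)


@dataclass(frozen=True)
class Proc:
    uid: int
    loginclass: str   # fixed at login time, as the thread says


def nproc_denied(rule: Rule, procs: list[Proc], new: Proc) -> bool:
    """Return True if spawning `new` would push the counted usage over the limit."""
    if (rule.subject, rule.resource, rule.action) != ("loginclass", "nproc", "deny"):
        raise NotImplementedError("only loginclass:*:nproc:deny rules are modelled")
    if new.loginclass != rule.subject_id:
        return False  # rule does not apply to this login class at all
    in_class = [p for p in procs if p.loginclass == rule.subject_id]
    if rule.per == "loginclass":
        current = len(in_class)                                    # whole class
    elif rule.per == "user":
        current = sum(1 for p in in_class if p.uid == new.uid)     # this user only
    else:
        raise ValueError(f"unsupported per-clause {rule.per!r}")
    return current + 1 > rule.amount


def sample_procs() -> list[Proc]:
    """Constructed process table: uid 1001 has 100 procs, uid 1002 has 50, both in 'users'."""
    return [Proc(1001, "users")] * 100 + [Proc(1002, "users")] * 50 + [Proc(2001, "staff")] * 5


if __name__ == "__main__":
    per_user = parse_rule("loginclass:users:nproc:deny=100/user")
    per_class = parse_rule("loginclass:users:nproc:deny=100/loginclass")
    table = sample_procs()
    for rule in (per_user, per_class):
        for candidate in (Proc(1001, "users"), Proc(1002, "users"), Proc(2001, "staff")):
            verdict = "denied" if nproc_denied(rule, table, candidate) else "allowed"
            print(f"{rule.per:10s} uid={candidate.uid} class={candidate.loginclass}: {verdict}")
```

Under the per-user rule only uid 1001 (already at 100) is refused; under the per-loginclass rule uid 1002 is also refused because the class as a whole already holds 150 processes, while the "staff" process is untouched by either rule.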