LinuxQuestions.org

ruleman 06-12-2004 10:34 AM

limiting users using gradm/acl
 
Hi guys, I want to know how to limit users' background processes, maximum CPU usage and memory usage for each user using gradm/acl (or another way). I'm running kernel 2.4.26+grsecurity on my box. Thanks.

ruleman 06-12-2004 07:24 PM

Any suggestions?

unSpawn 06-13-2004 05:45 PM

Before you're going to do this ask yourself why you want it, and why you choose that route. You should probably first start basic hardening of the box, make sure only services, processes you authorise are runnable and accessible by authorised users. Ditching any compilers and unnecessary packages, restricting access to interpreters to a select group, mounting /home (where *all* your unprivileged users' homes are, right?) with noexec,nodev,nosuid, using GRSecurity's proc restrictions, auditing, TPE, making sure users' $TMP lies within their home, else mount /tmp and /var/tmp with nosuid,noexec too (might break some, like mc's executing scripts, but that's only a nuisance) is a start. Update everything till current and top that part off with running Bastille-Linux and Tiger to catch stuff you've overlooked (authentication, passwd aging, "bad" services, setuid/setgid root binaries, cron, at, tcp wrapper access lists etc etc).

While both deal with limits, with GRSec's ACL's you focus on per-process restrictions while PAM_limits focusses on users and groups (and users' own processes). For (unprivileged) user limiting I'd say you best start using PAM_limits. Once enabled GRSec will notice any errors in processes too and log 'em. Then you've got some leads on which regular processes to ACL (else just enable ACL's in learning mode). For background processes there's daemons. Search Freshmeat. If careless (when renicing/killing processes as root user) based on the process name can lead to interesting things if users get the chance to rename their process to something legitimate, or something other users use.

ruleman 06-13-2004 10:35 PM

Thank you unspawn. I'm going to open a shell company and I need to know how to limit users' background processes, CPU usage, memory usage, etc. I'm using gradm/acl but I don't understand it as well. There is a group u1bg and its users have to have 1 background process. The group u2bg's users have to have 2 background processes. How can I do that using gradm/acl? If you can give me a sample ACL I'll be pleased. I also sent you an e-mail files you want on http://www.linuxquestions.org/questi...hreadid=181974
I'm waiting for your answers. Thank you again.

unSpawn 06-14-2004 05:37 PM

Not using GRSec ACL's. What you want is a background process killer. Search Freshmeat for it. If you're lucky you'll be able to compile the Fush (Foosh) shell (search Sourceforge) which has logging and explicit (background) command control. Would make a nice addition to using GRSec's TPE.

ruleman 06-17-2004 11:41 PM

I was unable to run it. I got readline errors while I ./configure it. I installed readline libs and readline devel libs on my system, but the result was the same. Is there any script for this job?

unSpawn 06-19-2004 04:55 AM

I got problems too compiling it. That's why I said you gotta be lucky to be able to compile it :-] No script I know of, unless you mean the interpreted type of background process killers (shell, Perl). I know Freshmeat has some.
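
Added example, not part of any post in this thread and not code from any of the tools mentioned: a report-only sketch of the per-group background process quota asked about above (u1bg = 1, u2bg = 2). It assumes "background" means a process with no controlling TTY, decides on UID and TTY rather than the process name (the renaming risk raised earlier in the thread), and uses constructed sample data with hypothetical UIDs and command names.

```python
"""Report background processes that exceed a per-group quota (report only)."""
from collections import defaultdict

# Quotas from the thread: u1bg users get 1 background process, u2bg users get 2.
GROUP_QUOTA = {"u1bg": 1, "u2bg": 2}

# Constructed sample of `ps -eo pid=,uid=,tty=,etimes=,comm=` output.
SAMPLE_PS = """\
  812     0 ?        875469 crond
 4101  1001 pts/0       764 bash
 4188  1001 ?         97210 ircbot
 4190  1001 ?          3600 bash
 5220  1002 ?        172805 bouncer
 5231  1002 ?         18000 bouncer
 5300  1002 pts/1        62 vim
 5302  1002 ?           120 httpd
"""

# Constructed UID -> group mapping; a real tool would read the group database.
USER_GROUP = {1001: "u1bg", 1002: "u2bg"}


def over_quota(ps_text, user_group, quotas):
    """Return {uid: [pids]} of TTY-less processes beyond each user's quota."""
    background = defaultdict(list)
    for line in ps_text.splitlines():
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue  # blank or malformed line
        pid, uid, tty, etimes, _comm = fields  # command name is never trusted
        if tty != "?":
            continue  # has a controlling terminal, so it is interactive
        background[int(uid)].append((int(etimes), int(pid)))
    excess = {}
    for uid, procs in background.items():
        group = user_group.get(uid)
        if group not in quotas:
            continue  # root, system daemons, users outside the limited groups
        # Assumed policy: the longest-running processes fill the quota.
        procs.sort(reverse=True)
        extra = sorted(pid for _age, pid in procs[quotas[group]:])
        if extra:
            excess[uid] = extra
    return excess


if __name__ == "__main__":
    print(over_quota(SAMPLE_PS, USER_GROUP, GROUP_QUOTA))
```

The per-session sshd child of a logged-in user also runs under that user's UID without a TTY, so anything built on this needs an exemption that does not depend on the process name.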


All times are GMT -5.