Hi guys, I want to know how to limit users' background processes, maximum CPU usage, memory usage for each user using gradm/acl (or another way). I'm running kernel 2.4.26+grsecurity on my box. Thanks.
Before you're going to do this ask yourself why you want it, and why you choose that route. You should probably first start basic hardening of the box, make sure only services, processes you authorise are runnable and accessible by authorised users. Ditching any compilers and unnecessary packages, restricting access to interpreters to a select group, mounting /home (where *all* your unprivileged users' homes are, right) with noexec,nodev,nosuid, using GRSecurity's proc restrictions, auditing, TPE, making sure users' $TMP lies within their home, else mount /tmp and /var/tmp with nosuid,noexec too (might break some, like mc's executing scripts but that's only a nuisance) is a start. Update everything till current and top that part off with running Bastille-Linux and Tiger to catch stuff you've overlooked (authentication, passwd aging, "bad" services, setuid/setgid root binaries, cron, at, tcp wrapper access lists etc etc).
While both deal with limits, with GRSec's ACL's you focus on per-process restrictions while PAM_limits focusses on users and groups (and users own processes). For (unprivileged) user limiting I'd say you best start using PAM_limits. Once enabled GRSec will notice any errors in processes too and log 'em. Then you've got some leads on which regular processes to ACL (else just enable ACL's in learning mode). For background processes there's daemons. Search Freshmeat. If careless (when renicing/killing processes as root user) based on the process name can lead to interesting things if users get the chance to rename their process to something legitimate, or something other users use.
Thank you unspawn. I'm going to open a shell company and I need to know how to limit users' background processes, CPU usage, memory usage, etc. I'm using gradm/acl but I don't understand it as well. There is group u1bg and its users have to have 1 background process. The group u2bg's users have to have 2 background processes. How can I do that using gradm/acl? If you can give me a sample acl I'll be pleased. I also sent you an e-mail files you want on http://www.linuxquestions.org/questi...hreadid=181974
I'm waiting for your answers. Thank you again.
Not using GRSec ACL's. What you want is a background process killer. Search Freshmeat for it. If you're lucky you'll be able to compile the Fush (Foosh) shell (search Sourceforge) which has logging and explicit (background) command control. Would make a nice addition to using GRSec's TPE.
I was unable to run it. I got readline errors while I ./configure it. I installed readline libs and readline devel libs on my system, but result was same. Is there any script for this job?
I got problems too compiling it. That's why I said you gotta be lucky to be able to compile it :-] No script I know of, unless you mean the interpreted type of background process killers (shell, Perl). I know Freshmeat has some.
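An interpreted background-process check of the kind mentioned in the last reply, added here as an example and not taken from any post in the thread. It reports processes above the per-group allowance asked for earlier (u1bg: 1, u2bg: 2) and matches on the owner rather than the process name. Assumptions: "background" means no controlling terminal, and the function names and sample users are made up for illustration.

```shell
#!/bin/sh
# "Background" is an assumption here: a process with no controlling
# terminal (TTY column "?"). Membership is read from /etc/group-style
# lines, so only supplementary members (4th field) are seen.

# excess_bg GROUPFILE  < lines of "user tty pid"
# Prints "user pid" for every background process beyond the allowance.
excess_bg() {
    awk -v groupfile="$1" '
    BEGIN {
        limit["u1bg"] = 1; limit["u2bg"] = 2   # groups named in the thread
        while ((getline line < groupfile) > 0) {
            split(line, f, ":")
            if (!(f[1] in limit)) continue
            n = split(f[4], members, ",")
            for (i = 1; i <= n; i++) {
                u = members[i]
                # a user in both groups gets the larger allowance
                if (!(u in allow) || limit[f[1]] > allow[u]) allow[u] = limit[f[1]]
            }
        }
    }
    # Match on the owner, never on the process name, which a user can change.
    $2 == "?" && ($1 in allow) {
        if (++seen[$1] > allow[$1]) print $1, $3
    }'
}

# Constructed sample data (not from the thread).
sample_groups() { printf '%s\n' 'u1bg:x:1001:alice' 'u2bg:x:1002:bob,carol'; }
sample_ps() {
    printf '%s\n' 'alice ? 2001' 'alice pts/0 2002' 'alice ? 2003' \
        'bob ? 2101' 'bob ? 2102' 'bob ? 2103' 'carol ? 2201' 'root ? 1'
}

demo() {
    g=$(mktemp) || return 1
    sample_groups > "$g"
    sample_ps | excess_bg "$g"
    rm -f "$g"
}

# Live use: getent group > groups.txt; ps -eo user=,tty=,pid= | excess_bg groups.txt
demo
```

The function only lists the excess PIDs in input order, so the processes seen first are the ones kept within the allowance; what to do with the listed PIDs is left to the administrator.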