Re: [RFD] 'nice' attribute for executable files

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 30 Mar 2005, Wiktor wrote:

> my xmms problem is unimportant here, i've posted this thread to propose 
> some new feature in filesystem, not to solve problem with multimedia player!

You don't need a solution if there is no problem.

> max renice ulimit is quite good idea, but it allows to change nice of 
> *any* process user has permissions to.

In both of your examples (including the one below), the same thing 
applies.

> it could be implemented also, but 
>   the idea of 'nice' file attribute is to allow *only* some process be 
> run with lower nice. what's more, that nice would be *always* the same 
> (at process startup)!
> example:
> web server runs as user www. it spawns perl interpreter that root wants 
>   to be run with lower nice, but he doesn't want to allow 'www' user to 
>   renice *any* process (for eg. this user is shared with webmaster, and 
> webmaster is malicious person; i know, the webmaster could have another 
> accout, but maybe for some file-ownership reasons, root doesn't want to 
> create special account for him).

chown root.root /usr/local/cgi-bin/somescript
chmod 755 /usr/local/cgi-bin/somescript

---/etc/su1.priv---
alias somescript /usr/bin/nice -n -5 su wwwrun -- exec /usr/local/cgi-bin/somescript.pl

ask never
allow wwwrun prefix somescript
---

ln -s /usr/bin/su1 /srv/wwwroot/cgi-bin/somescript


If you need the same command for a group of users, you can use a wrapper 
scritp that will look at the $HOME variable (which is set from 
/etc/passwd)

> in this situation, setting nice-attribute for /usr/bin/perl solves the 
> problem.

perl -e'exec("/bin/sh");' would grant nice privileges to anybody, and 
that's not nice!

> remember, that this feature would also provide an easy way to 
> increase nice level.

Not for running processes.

> it can be done with shell script, but setting nice 
> value in file attributes is cleaner and easier to manage.

Obviously not.
-- 
Top 100 things you don't want the sysadmin to say:
35. Ummm... Didn't you say you turned it off?
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux