Re: [RFD] 'nice' attribute for executable files

From: Bodo Eggert
Date: Wed Mar 30 2005 - 15:58:24 EST


On Wed, 30 Mar 2005, Wiktor wrote:

> my xmms problem is unimportant here, I've posted this thread to propose
> a new feature in the filesystem, not to solve a problem with a multimedia player!

You don't need a solution if there is no problem.

> max renice ulimit is quite a good idea, but it allows changing the nice of
> *any* process the user has permissions to.

In both of your examples (including the one below), the same thing
applies.

> it could be implemented also, but
> the idea of the 'nice' file attribute is to allow *only* some process to be
> run with a lower nice. what's more, that nice would *always* be the same
> (at process startup)!
> example:
> web server runs as user www. it spawns a perl interpreter that root wants
> to be run with a lower nice, but he doesn't want to allow the 'www' user to
> renice *any* process (e.g. this user is shared with the webmaster, and the
> webmaster is a malicious person; I know, the webmaster could have another
> account, but maybe for some file-ownership reasons, root doesn't want to
> create a special account for him).

chown root.root /usr/local/cgi-bin/somescript
chmod 755 /usr/local/cgi-bin/somescript

---/etc/su1.priv---
alias somescript /usr/bin/nice -n -5 su wwwrun -- exec /usr/local/cgi-bin/somescript.pl

ask never
allow wwwrun prefix somescript
---

ln -s /usr/bin/su1 /srv/wwwroot/cgi-bin/somescript


If you need the same command for a group of users, you can use a wrapper
script that looks at the $HOME variable (which is set from
/etc/passwd).

> in this situation, setting the nice attribute for /usr/bin/perl solves the
> problem.

perl -e'exec("/bin/sh");' would grant nice privileges to anybody, and
that's not nice!

> remember that this feature would also provide an easy way to
> increase the nice level.

Not for running processes.

> it can be done with a shell script, but setting the nice
> value in file attributes is cleaner and easier to manage.

Obviously not.
--
Top 100 things you don't want the sysadmin to say:
35. Ummm... Didn't you say you turned it off?
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
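A shell wrapper in the spirit of the su1 alias above, added here as an example rather than code from the thread: it binds each account to one fixed script and one fixed nice value, so nothing user-controlled ever reaches an interpreter. The script paths, the wwwrun and webmaster accounts, the nice value and every function name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a fixed-target wrapper in the
# spirit of the su1 alias above. Each account gets exactly one script, run
# with one fixed nice value; no caller-supplied path or argument is passed
# through, so there is no interpreter to turn into a shell the way
# perl -e 'exec("/bin/sh")' would. Paths, accounts and NICE_LEVEL are assumed.

NICE_LEVEL=-5      # negative, so the wrapper must itself be run as root
RUN_AS=wwwrun      # account the script is dropped to, as in the su1 alias

# resolve_target HOME_DIR: print the single script bound to that account,
# or fail. Keyed on the home directory as the post suggests.
resolve_target() {
    case "$1" in
        /srv/wwwroot)    printf '%s\n' /usr/local/cgi-bin/somescript.pl ;;
        /home/webmaster) printf '%s\n' /usr/local/cgi-bin/webmaster.pl ;;
        *)               return 1 ;;   # not on the allowlist: refuse
    esac
}

# caller_home: home directory of the real uid taken from the passwd database
# (getent), never from $HOME, which the caller could export to any value.
caller_home() {
    getent passwd "$(id -ru)" | cut -d: -f6
}

# mode_allows_others_write OCTAL: true if the group or other write bit is set.
mode_allows_others_write() {
    case "$1" in *[2367]?|*?[2367]) return 0 ;; *) return 1 ;; esac
}

# target_is_safe PATH: regular file, root-owned, not group/world-writable,
# i.e. the chown/chmod state the post establishes before trusting the script.
target_is_safe() {
    [ -f "$1" ] || return 1
    [ "$(stat -c %U "$1")" = root ] || return 1
    mode_allows_others_write "$(stat -c %a "$1")" && return 1
    return 0
}

main() {
    home=$(caller_home) || exit 1
    target=$(resolve_target "$home") || { echo "no script bound to $home" >&2; exit 1; }
    target_is_safe "$target" || { echo "refusing $target" >&2; exit 1; }
    # $target is an allowlisted literal with no shell metacharacters.
    exec nice -n "$NICE_LEVEL" su -s /bin/sh "$RUN_AS" -c "exec $target"
}

if [ "${1-}" = --run ]; then main; fi
```

Invoked as `wrapper --run` from a privileged helper such as the su1 alias in the post, the wrapper itself decides what runs; the caller can only choose whether to run it.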