Jonathan Woithe <jwoithe(a)physics.adelaide.edu.au> writes:
Spurred on by your comments and the fact I unexpectedly found myself with a
little free time overnight, I have addressed the issues with the group
support in set_rtlimits. Group and user name spaces are now treated
separately, with groupnames starting with a @ character. Furthermore, a
user's supplementary group list is now scanned for a match (they are
correctly propagated to a setuid binary, at least under Linux), making the
group support more useful for people in general. I also took the
opportunity to improve the clarity of some error messages.
That's great, thanks!
Your program is quite useful and timely. Given the difficulty of
patching and then configuring PAM, I expect very few users to use the
new rlimits effectively until those changes have percolated down into
widely-available distributions.
Indeed, and there are some which won't use PAM at all. :-)
Another thing I'm pondering is adding support for setting the memlock limit
for selected binaries; this way a user doesn't have to be granted large
memlock limits in general just so they can run one or two apps which need
it. If this happens I might rename set_rtlimits to set_rlimits since this
change would make it more general than just dealing with realtime limits.
Would this be useful for people?
Good idea. It's really just another different kind of realtime limit.
Some people would want to control it separately from scheduling, I think.
--
joq