lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <47F254F2.2000806@uni-koeln.de>
Date:	Tue, 01 Apr 2008 17:29:54 +0200
From:	Berthold Cogel <cogel@...-koeln.de>
To:	David Howells <dhowells@...hat.com>
CC:	torvalds@...l.org, akpm@...ux-foundation.org,
	trond.myklebust@....uio.no, chuck.lever@...cle.com,
	nfsv4@...ux-nfs.org, linux-kernel@...r.kernel.org,
	linux-fsdevel@...r.kernel.org, selinux@...ho.nsa.gov,
	linux-security-module@...r.kernel.org
Subject: Re: [PATCH 06/45] KEYS: Make the keyring quotas controllable through /proc/sys [ver #35]

David Howells schrieb:
> Make the keyring quotas controllable through /proc/sys files:
> 
>  (*) /proc/sys/kernel/keys/root_maxkeys
>      /proc/sys/kernel/keys/root_maxbytes
> 
>      Maximum number of keys that root may have and the maximum total number of
>      bytes of data that root may have stored in those keys.
> 
>  (*) /proc/sys/kernel/keys/maxkeys
>      /proc/sys/kernel/keys/maxbytes
> 
>      Maximum number of keys that each non-root user may have and the maximum
>      total number of bytes of data that each of those users may have stored in
>      their keys.
> 
> Also increase the quotas as a number of people have been complaining that it's
> not big enough.  I'm not sure that it's big enough now either, but on the
> other hand, it can now be set in /etc/sysctl.conf.
> 

Hello David,

you're our hero! ;-)

We just hit this wall while migrating from RHEL 3 to RHEL 5 with some of 
our webservers.

[root@...11 ~]# cat /proc/key-users
     0:    99 98/98 96/100 1681/10000
    32:     2 2/2 2/100 56/10000
    38:     2 2/2 2/100 56/10000
    43:     2 2/2 2/100 56/10000
    51:     2 2/2 2/100 56/10000
    68:     2 2/2 2/100 56/10000
    81:     2 2/2 2/100 56/10000
    99:     2 2/2 2/100 56/10000
   348:     2 2/2 2/100 58/10000
42216:     2 2/2 2/100 62/10000
55188:     3 3/3 3/100 72/10000
56537:     2 2/2 2/100 62/10000
63743:     2 2/2 2/100 62/10000
68054:     2 2/2 2/100 62/10000

....


We're using OpenAFS on our systems and most of our webpages are stored 
in AFS. We have a lot of small projects for which a separate server 
would be a waste of 'metal', even in a virtual environment. So we're 
hosting a lot of apache instances on a single machine. Because suexec 
doesn't work in an AFS environment, each instance is started by root 
with its own IP (to be able to talk HTTPS) and in a PAG with a separate 
token for a service user (to isolate the projects). Although each apache 
switches over to the service user, the initial tokens are acquired by root.

On RHEL 3 with the old 2.4 kernel this was never a problem. But now...

Btw.: We have some machines with about a hundred (!) different projects 
which need tokens.


Best regards,

Berthold Cogel

-- 
Dr. Berthold Cogel                             University of Cologne
E-Mail: cogel@...-koeln.de                     ZAIK-US (RRZK)
Tel.:   +49(0)221/470-7873                     Robert-Koch-Str. 10
FAX:    +49(0)221/478-85845                    D-50931 Cologne - Germany
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
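Added example, not code from the message above or from the kernel patch it replies to: a POSIX shell script that parses the /proc/key-users table in the format shown in the message, flags users close to either keyring quota, and derives /etc/sysctl.conf lines for the kernel.keys.* controls the patch introduces (kernel.keys.root_maxkeys, root_maxbytes, maxkeys, maxbytes, backed by /proc/sys/kernel/keys/*). Each /proc/key-users line is `<uid>: <usage> <nkeys>/<nikeys> <qnkeys>/<maxkeys> <qnbytes>/<maxbytes>`, so the fourth and fifth fields are the keys and bytes charged against the quota over the current limits; in the message root sits at 96 of 100 keys, which is the wall being hit. The sample input is constructed from the figures in the message; the function names, the 90% alert threshold and the 50% sizing target are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original message or the kernel patch.
# Parses the /proc/key-users table, flags users close to either keyring
# quota, and derives /etc/sysctl.conf lines for the controls the patch adds
# (kernel.keys.root_maxkeys, root_maxbytes, maxkeys, maxbytes).
#
# /proc/key-users line format (one line per user that owns keys):
#   <uid>: <usage> <nkeys>/<nikeys> <qnkeys>/<maxkeys> <qnbytes>/<maxbytes>
# Field 4 is keys charged to the quota over the key limit, field 5 is
# bytes charged over the byte limit.

# Constructed sample mirroring the figures quoted in the message
# (root is at 96 of 100 keys; service users hold two or three keys each).
SAMPLE_KEY_USERS='     0:    99 98/98 96/100 1681/10000
    32:     2 2/2 2/100 56/10000
55188:     3 3/3 3/100 72/10000'

# key_quota_report THRESHOLD_PCT   (reads /proc/key-users text on stdin)
# Prints "uid key_pct byte_pct" for each user whose key count or byte
# usage is at or above THRESHOLD_PCT of the respective quota.
# Lines with fewer than five fields (blank lines, "...." elisions) are skipped.
key_quota_report() {
    awk -v thr="$1" '
        NF >= 5 {
            uid = $1; sub(":", "", uid)
            split($4, k, "/"); split($5, b, "/")
            kp = int(k[1] * 100 / k[2]); bp = int(b[1] * 100 / b[2])
            if (kp >= thr || bp >= thr) printf "%s %d %d\n", uid, kp, bp
        }'
}

# suggest_keys_sysctl TARGET_PCT   (reads /proc/key-users text on stdin)
# Emits sysctl.conf lines sized so the busiest root / non-root user sits at
# TARGET_PCT of its quota, never lowering a limit below the current one.
# If no non-root user owns keys the non-root lines come out as 0; read
# /proc/sys/kernel/keys/maxkeys and maxbytes directly in that case.
suggest_keys_sysctl() {
    awk -v tgt="$1" '
        function ceil(x) { return (x == int(x)) ? x : int(x) + 1 }
        function need(used, cur) { v = ceil(used * 100 / tgt); return (v > cur) ? v : cur }
        BEGIN { rk = rb = uk = ub = 0; rkmax = rbmax = ukmax = ubmax = 0 }
        NF >= 5 {
            uid = $1; sub(":", "", uid)
            split($4, k, "/"); split($5, b, "/")
            if (uid == "0") {
                if (k[1] > rk) rk = k[1]; if (b[1] > rb) rb = b[1]
                rkmax = k[2]; rbmax = b[2]
            } else {
                if (k[1] > uk) uk = k[1]; if (b[1] > ub) ub = b[1]
                ukmax = k[2]; ubmax = b[2]
            }
        }
        END {
            printf "kernel.keys.root_maxkeys = %d\n",  need(rk, rkmax)
            printf "kernel.keys.root_maxbytes = %d\n", need(rb, rbmax)
            printf "kernel.keys.maxkeys = %d\n",       need(uk, ukmax)
            printf "kernel.keys.maxbytes = %d\n",      need(ub, ubmax)
        }'
}

# show_live_key_quotas: current limits from the files the patch adds.
# Prints nothing on a kernel that does not have them.
show_live_key_quotas() {
    for f in root_maxkeys root_maxbytes maxkeys maxbytes; do
        [ -r "/proc/sys/kernel/keys/$f" ] &&
            printf '%s = %s\n' "kernel.keys.$f" "$(cat "/proc/sys/kernel/keys/$f")"
    done
    return 0
}

# Run against the constructed sample; on a live box feed < /proc/key-users.
printf '%s\n' "$SAMPLE_KEY_USERS" | key_quota_report 90
printf '%s\n' "$SAMPLE_KEY_USERS" | suggest_keys_sysctl 50
```

On the sample, key_quota_report 90 reports only root ("0 96 16": 96% of the key quota, 16% of the byte quota), and suggest_keys_sysctl 50 raises kernel.keys.root_maxkeys to 192 while leaving the other three limits at their current values. The suggested lines can be appended to /etc/sysctl.conf and applied with sysctl -p; note that keys already charged to a user are not released by raising the limit, only the headroom changes.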
