Greg Wooledge wrote: > On Mon, Jul 05, 2021 at 11:01:25PM -0400, The Wanderer wrote: > > On 2021-07-05 at 22:42, Victor Sudakov wrote: > > > > > Greg Wooledge wrote: > > > > >> And in any case, when you test this stuff, use the subshells. > > > > > > Well, my goal is to find a way to limit programs run from cron, PHP's > > > proc_open() etc., not from the interactive shell. What would you advise? > > > > Is there any reason to think that the ulimit approach wouldn't work in > > that type of context, as well as when invoked from within a shell? > > Depends on how the cron job is set up. If the cron job never calls > bash (but rather, sh) then you can't use bash's ulimit. > > Likewise, I would guess that PHP's proc_open() calls /bin/sh, not bash, > but you'd have to ask a (more experienced) PHP user. I suppose PHP's proc_open() does not call any shell at all, it executes the binary directly. To execute command in a shell, there is shell_exec() but it does not give access to the executed program's stdin/stdout. I think I can call the prlimit wrapper from proc_open() and that should do. > > > > The equivalent of FreeBSD's `/usr/bin/limits` wrapper seems to be > > > `/usr/bin/prlimit` but I'm really at a loss what limit to specify for > > > testing (the equivalent of `ulimit -v`). Should be RLIMIT_AS but --as > > > crashes prlimit: > > > > > > $ prlimit --as=1048576 /bin/ls > > > /bin/ls: error while loading shared libraries: libselinux.so.1: failed to map segment from shared object > > Sounds like you set it too low. Remember, setrlimit(2) and prlimit(2) > say that RLIMIT_DATA is specified in bytes. This is not the same as > bash's ulimit. I've never thought 1MB would be too low for /bin/ls, but it seems you are right. Over 2MB required for a simple /bin/true! $ prlimit --as=2000000 /bin/true /bin/true: error while loading shared libraries: libc.so.6: failed to map segment from shared object $ prlimit --as=2500000 /bin/true $ But prlimit works mostly as expected: $ prlimit --as=1073741824 stress-ng stress-ng --vm 1 --vm-bytes 2G stress-ng: info: [19042] defaulting to a 86400 second (1 day, 0.00 secs) run per stressor stress-ng: info: [19042] dispatching hogs: 1 vm stress-ng: error: [19044] stress-ng-vm: gave up trying to mmap, no available memory stress-ng: info: [19042] successful run completed in 10.01s $ -- Victor Sudakov VAS4-RIPE http://vas.tomsk.ru/ 2:5005/49@fidonet
Attachment:
signature.asc
Description: PGP signature