From: Wesley W. Terpstra (wesleyterpstra.ca)
Date: Tue Apr 22 2003 - 12:59:32 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Apr 22, 2003 at 07:16:58AM -1000, Clifton Royston wrote:
> > I agree that the comments describing it are fine. I am just advocating the
> > ability to be able to have a soft limit without a hard limit. The hard limit
> > just prevents legitamite users from getting work done whereas evil users can
> > still do as they will.
>
> How's that? If you are dealing with a process launched with a preset
> hard filesize limit, I don't see how a user, "evil" or otherwise, can
> readily circumvent that. Isn't that the problem? Of course all kinds
> of other DOSes are possible outside the scope of Postfix, but I don't
> see that as relevant.

You can avoid the hard limit by remapping io via LD_PRELOAD.

From this position any number of abuses become possible:
        pass the io out of process to some helper program
        map to many smaller files
        probably more I can't think of

I would never want to put code like this in a real product though.
Hence it stops me, but not someone who really wants to do it.

> > A soft limit will keep the accidents to a minimum
> > well enough; you have to know what you are doing to override this.
> >
> > Having both as seperate options as proposed by Wietse allows everyone to be
> > happy. So, where's the problem?
>
> If Wietse's happy with separate options, then I'm fine with it. I'm
> just saying I'd rather have the option of a hard limit than no hard
> limit.

I agree with this completely.

It is up to the admin, but right now admins have to choose:
        break user-kept databases + have useful filesize cap
        neither

A new options adds the middle ground:
        have a pretty useful filesize cap + dbs designed for postfix work

---
Wes

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]