Check-in [1738f536ee]


Overview
Comment:Allow some users to use more RAM
SHA1: 1738f536ee2de0dc36895e3712fda052b121cff8
User & Date: rkeene 2021-07-28 14:30:49.980
Context
2024-10-14
14:06
Upgrade to latest version of Fossil check-in: 897ed7c4b4 user: rkeene tags: trunk
2021-07-28
14:30
Allow some users to use more RAM check-in: 1738f536ee user: rkeene tags: trunk
2020-09-03
13:26
Add patch to fix browser semantics check-in: 708ffba4da user: rkeene tags: trunk
Changes
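--- a/scripts/fossil-as-user/secure-wrap.c
+++ b/scripts/fossil-as-user/secure-wrap.c
@@ -48,14 +48,15 @@
 
 int main(int argc, char **argv) {
 	const char *directory, *program;
 	char *id_string;
 	unsigned long id;
 	struct rlimit limit;
 	unsigned int tmp_fd;
+	int unconstrained_user = 0;
 
 	if (argc < 4) {
 		fprintf(stderr, "usage: secure-wrap <id> <directory> <program> [<args>...]\n");
 
 		return(2);
 	}
 
@@ -73,14 +74,21 @@
 	directory = argv[1];
 	argc--;
 	argv++;
 
 	program = argv[1];
 	argc--;
 	argv++;
+
+	/*
+	 * Determine if the user should be constrained
+	 */
+	if (getenv("SUID_FOSSIL_UNCONSTRAINED") != NULL) {
+		unconstrained_user = 1;
+	}
 
 	/*
 	 * chroot
 	 */
 	check(chdir(directory));
 	check(chroot(directory));
 	check(chdir("/"));
@@ -138,18 +146,23 @@
 	check(setrlimit(RLIMIT_CPU, &limit));
 
 	/**
 	 ** Allow a reasonable amount of RAM
 	 **/
 
 	/***
-	 *** 512MiB of available memory
+	 *** 512MiB of available memory (unless unconstrained user)
 	 ***/
+	if (unconstrained_user) {
+		limit.rlim_cur = 1024 * 1024 * 1024 * 4LU;
+		limit.rlim_max = 1024 * 1024 * 1024 * 4LU;
+	} else {
-	limit.rlim_cur = 1024 * 1024 * 512LU;
-	limit.rlim_max = 1024 * 1024 * 512LU;
+		limit.rlim_cur = 1024 * 1024 * 512LU;
+		limit.rlim_max = 1024 * 1024 * 512LU;
+	}
 	check(setrlimit(RLIMIT_DATA, &limit));
 	check(setrlimit(RLIMIT_RSS, &limit));
 
 	/***
 	 *** 16MiB of stack space
 	 ***/
 	limit.rlim_cur = 1024 * 1024 * 16LU;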
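Review bot: The new `getenv("SUID_FOSSIL_UNCONSTRAINED")` test takes a resource-policy decision from the process environment, which is controlled by whoever launches secure-wrap. Unless its only caller is a trusted parent that sets or clears this variable itself (not visible in these hunks), a user meant to be constrained could raise their own limit. Deriving the flag from the `<id>` argument against a root-owned allowlist would avoid that; failing that, add a comment such as `/* SUID_FOSSIL_UNCONSTRAINED is set only by <trusted caller>; the environment is scrubbed before this point */` so the assumption is reviewable. Separately, `1024 * 1024 * 1024 * 4LU` wraps to 0 where `unsigned long` is 32 bits, so the unconstrained branch would set a zero limit on such builds; computing the value in `rlim_t` after checking its width would be safer, and the comment above should mention the 4GiB figure. main() begins before and continues past the visible hunks, so how `id` is parsed and validated is not shown here.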