I have a Linux process (C program) which spawns a couple of child processes. I'd like to forbid another forking in those child processes on the system level, so that those processes would get killed if they tried to fork anyway. How to achieve that? I prefer to embed this policy in the host C code. Can `setrlimit(2)` do that?
3

eeq
- Can you post a bit of code? If you only fork in your parent process then there is no way forking will happen in the child. How do you see the child forking? – chris Dec 07 '14 at 22:44
- How secure does this mechanism have to be? Do you have any particular attack scenario in mind or is it rather for debugging? – 5gon12eder Dec 07 '14 at 22:45
- @5gon12eder Yes! Absolutely secure because I execute untrusted child code. – eeq Dec 07 '14 at 22:45
- Ptrace the child and don't allow it to fork off? – Kerrek SB Dec 07 '14 at 22:57
- @KerrekSB Are there any performance penalties? Child processes should in the normal case do only a heavy computation. Any performance penalty would be bad. But the host process needs to be sure they don't do anything malicious. Is `ptrace` the right way to go? – eeq Dec 07 '14 at 23:02
- Ptrace only hooks into system calls, so if the child is purely computational and doesn't make system calls, it shouldn't cost much to trace it. – Kerrek SB Dec 07 '14 at 23:18
- If I recall correctly, `setrlimit` sets by user ID, so that's not what you want. Depending on what exactly you're using this for, you could also consider shimming `fork`, which would also give you a little more control over what exactly happens. On the other hand, this is way more heavy-handed and a little more cumbersome. – nchen24 Dec 08 '14 at 01:28
1 Answer
1
Yes, `setrlimit()` can do this. Refer to the man page and read up on `RLIMIT_NPROC`:

> The maximum number of processes (or, more precisely on Linux, threads) that can be created for the real user ID of the calling process. Upon encountering this limit, fork(2) fails with the error EAGAIN.

Alternatively, you can set a hard limit on a process using `/etc/security/limits.conf`. Look up some of the examples in the file.

```
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
```
- I'm not sure right now. How would you limit the child processes? They inherit their own rlimits. Ptrace solutions look much more viable. – eeq Dec 08 '14 at 11:08
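On limiting only the children, as an added example that is not part of the original answer or comments: each child lowers its own `RLIMIT_NPROC` to 0 after `fork()` and before running the untrusted code, so the parent's limit is untouched. `run_restricted_child` and `untrusted_payload` are hypothetical names. Note that the kernel does not enforce this limit for processes holding `CAP_SYS_ADMIN` or `CAP_SYS_RESOURCE`, and that a refused fork fails with `EAGAIN` rather than killing the process.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the untrusted code (hypothetical): tries to fork and returns
 * the errno it got, or 0 if the fork went through. */
static int untrusted_payload(void)
{
    pid_t p = fork();
    if (p == 0)
        _exit(0);                  /* grandchild: exit immediately */
    if (p > 0) {
        waitpid(p, NULL, 0);
        return 0;                  /* limit was not enforced */
    }
    return errno;
}

/* Spawns one restricted child. Returns the payload's result (EAGAIN when the
 * fork was refused, 0 when it was allowed) or -1 on error. */
int run_restricted_child(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Soft and hard limit both 0: an unprivileged process cannot raise
         * its hard limit again, so the restriction sticks for this child. */
        struct rlimit no_procs = { 0, 0 };
        if (setrlimit(RLIMIT_NPROC, &no_procs) != 0)
            _exit(255);
        _exit(untrusted_payload());   /* errno values fit in an exit status */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    int r = run_restricted_child();
    printf("fork() in restricted child: %s\n",
           r == EAGAIN ? "refused (EAGAIN)" : r == 0 ? "allowed" : "error");
    return r == EAGAIN ? 0 : 1;
}
```

If the child goes on to `execve()` another program, the limit is preserved across the exec.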