Can I set a resource limit for the current process tree?
Let's say I'm running on a resource-constrained system, and I want to ensure that the applications I run open no more than 10 files total.
If I try to do it using setrlimit, something like:

    if (fork() == 0) {
        struct rlimit l = { 10, 10 };
        setrlimit(RLIMIT_NOFILE, &l);
        execl(EVIL_PROGRAM, args);
    }

then EVIL_PROGRAM will inherit the limit of 10 open file descriptors. However, what's to stop a malicious/poorly coded application from spawning X child processes, all with 10 open files? (This is a real-life scenario).
I don't want to prevent it from creating child processes entirely (this should be governed by the global limits.conf), just to set a reasonable limit on the number of open files.
I found references to using cgroups for this purpose, but I think you have to be root to use this feature?
linux process limit
edited 15 mins ago
asked Jan 4 '16 at 12:36
Mihai
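The gap the question describes can be measured directly. The following is an added example, not code from the question or the answer: a child is capped with RLIMIT_NOFILE as in the snippet above, then forks several workers, and the opens the kernel grants across the tree are summed. The function names are made up for this illustration, and it assumes Linux with /dev/null present.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define FD_LIMIT 10   /* the limit used in the question */

/* Open /dev/null until the kernel refuses; return the number of successes.
 * Capped at 200 so the count always fits in an exit status. */
static int open_until_refused(void)
{
    int n = 0;
    while (n < 200 && open("/dev/null", O_RDONLY) >= 0)
        n++;
    return n;
}

/* Runs inside the process that already carries RLIMIT_NOFILE = FD_LIMIT.
 * Forks `workers` processes that inherit the limit; each one reports through
 * its exit status how many descriptors it was allowed to open. */
static int count_in_subtree(int workers)
{
    int started = 0, total = 0, failed = 0;

    for (; started < workers; started++) {
        pid_t pid = fork();
        if (pid < 0) { failed = 1; break; }
        if (pid == 0) {
            /* Drop inherited descriptors so the count is the full allowance. */
            for (int fd = 0; fd < FD_LIMIT; fd++)
                close(fd);
            _exit(open_until_refused());
        }
    }
    for (int i = 0; i < started; i++) {
        int status;
        if (wait(&status) < 0 || !WIFEXITED(status))
            failed = 1;
        else
            total += WEXITSTATUS(status);
    }
    return failed ? -1 : total;
}

/* Fork a child, cap it at FD_LIMIT descriptors, let it fork `workers`
 * processes, and return the descriptors opened by the whole tree (-1 on error).
 * The limit is applied in a child so the caller's own limit is untouched. */
int fds_opened_by_tree(int workers)
{
    int report[2];
    if (pipe(report) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(report[0]);
        close(report[1]);
        return -1;
    }
    if (pid == 0) {                        /* the limited "application" */
        struct rlimit l = { FD_LIMIT, FD_LIMIT };
        int total = -1;
        close(report[0]);
        if (setrlimit(RLIMIT_NOFILE, &l) == 0)
            total = count_in_subtree(workers);
        if (write(report[1], &total, sizeof total) != (ssize_t)sizeof total)
            _exit(1);
        _exit(0);
    }

    int total = -1;
    close(report[1]);
    if (read(report[0], &total, sizeof total) != (ssize_t)sizeof total)
        total = -1;
    close(report[0]);
    waitpid(pid, NULL, 0);
    return total;
}

int main(void)
{
    for (int workers = 1; workers <= 4; workers *= 2)
        printf("%d worker(s): %d descriptors opened under a limit of %d\n",
               workers, fds_opened_by_tree(workers), FD_LIMIT);
    return 0;
}
```

The total grows linearly with the number of workers because the kernel checks RLIMIT_NOFILE against each process's own descriptor table, so the only thing bounding the tree is the process-count limit.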
1 Answer
Specifically for setrlimit
Here are some of the more useful command options that you may wish to look into; pulled 'em from the man pages.
RLIMIT_NOFILE
Specifies a value one greater than the maximum file descriptor number that can be opened by this process.
RLIMIT_NPROC
The maximum number of processes (or, more precisely on Linux, threads) that can be created for the real user ID of the calling process. Upon encountering this limit
RLIMIT_SIGPENDING
Specifies the limit on the number of signals that may be queued for the real user ID of the calling process. Both standard and real-time signals are counted for the purpose of checking this limit.
There also seem to be other really cool limitations that can be set so I'm thankful I ran across your question as it has shown me yet another tool for keeping processes in check.
General Unix/Linux
I believe the general term of application limitation tool you are looking for is called a Sandbox. For UNIX it looks like Contractor and Passenger are solid options, and for Linux I've seen Docker, KVM & Firejail used on systems as constrained as the Raspberry Pi B+v2 or dual core netbooks. For most of the Sandboxing action you'll need a system and Kernel capable of Virtualization. On systems such as Android I've seen SELinux used on the latest CyanogenMod ROMs, frustrating bit to get around if ya want to use a chroot app... but I digress, on some systems that I've run Ubuntu I've run across AppArmor popping errors when a newly installed program tries to phone home with a persistent connection. Suffice it to say there's lots of options for controlling what a specific program or set of programs may do, see, and or communicate with, and how much of the CPU's & GPU's resources may be used.
The best out of the bunch if you can get it working (kinda iffy as I'm still working with the Dev. to get ARMhf binaries working), for your usage scenario, would be Firejail as the guide hosted on the Dev's home page covers a dual-gaming rig that could be modified to suit your needs. It has a low memory footprint in comparison to the others mentioned (from what I've seen that is) and is highly configurable as to what files a process has access to and whether or not persistence is allowed. This would be good for testing as you would have a set working environment that is repeatable, customizable, and ultimately deletable if needed.
For systems without full virtualization support I've seen that SELinux is usually used to define stricter rules over the user/group permission settings that are already in place to keep read & write permissions. The term to search there is Linux name space permissions, turns out there's lots of hidden ways that one can restrict actions but the biggest hole for all these options is root, even in a well constructed chroot jail if there are ways to obtain root permissions within a jail or sandbox then there are ways to escalate into the user's ID that is running the jailed process.
Basically there should be multiple layers for a process to have to break out of, i.e. for a web server I'll be setting up a restrictive set of firewall rules, log readers to dynamically add rules and change firewall settings (fail2ban with custom actions and scripts), then a chroot jail that only has the required depends for a web server in its directory structure bound to a port above 1024 such that it doesn't even request root level permissions for socket binding, and wrapping those inside a virtualized sandbox (likely with Firejail), that has a host running penetration detection measures such as tripwire and honeyd within their own respective jails. All so that if .php and similar code that should not be modified on the public server does receive a bad-touch it is ignored, back-ups restored and the offender banned from future access.
In your example code it doesn't look like you're doing much with networking but more than likely it will be called from another script or function and because it is obviously calling up child processes you'll want to figure out how to sanitize input, and catch errors at every step (look up the link that killed the Chrome browser for why), and ensure that unsanitized input is not read or interpreted by a privileged user (look up how to add shell-shock to Firefox's browser ID for why), and if there is networking involved with calling or returning output then the ports that the process is bound to should be on an un-privileged port (use iptables/firewall for forwarding if it's a web app kinda thing). While there's a plethora of options for locking a system's services down to consider there also seem to be many options for testing code's breakability; Metasploit and drone.io are two fairly well known pentesting and code testing options that you may wish to look into before someone does it for you.
edited Feb 12 at 11:44
blipp
answered Jan 13 '16 at 10:00
S0AndS0